DDoS Defenses Evolve Along With the Threat - Page 2

 By Brian Proffitt
Page 2 of 2   |  Back to Page 1
Print Article

Packet filtering is your best defense

The idea of filtering is simple to describe: figure out which of the incoming packets are from legitimate users and which are coming from the attacking machines. But implementing this kind of solution in practice is a far different story.

The biggest problem, of course, is differentiating the good traffic from the bad. Because of the challenge of this task, several approaches have been suggested.

First, there are the techniques to block spoofed IP packets, such as router-based filtering, which tracks the source addresses of incoming traffic and if an unexpected result is seen, spoofing is assumed and the traffic is dropped. In fact, spoofing has gotten much easier to block, it's not typically used for sophisticated attacks anymore. Blocking spoofed traffic is now only a small part of the equation.

The new threat is more dangerous: when infected computers are coordinated en masse as a part of a zombie network, then the source addresses of the incoming traffic aren't spoofed at all--they're very real.

Warding off zombie attacks

One of the more promising approaches to IP filtering for zombie-directed attacks is history-based filtering. This technique flips around the model of trying to find the bad packets by remembering the good packets that have been to your site before and only letting packets from the known sources in during an attack. This is a fairly comprehensive approach, and neatly local: there's no need for cooperation with broader Internet sources to make this work. The edge routers in your network simply reference an IP address database of frequent IP visitors and if the traffic source doesn't match, then it's dropped.

The trick with how well history-based filtering works is how efficient the database of addresses works. If it takes too long for the edge routers to get to the list of good addresses while and attack is underway, then the reduction of speed in network response could have the same effect as the attack itself.

Another vulnerability with this kind of filtering: if attackers are aware of history-based filtering, then the sophistication of zombie control systems are easily capable of directing a number of zombied computers to a target site before the actual attack in order to legitimize the IP addresses of the zombied computers. This will fool the filtering system into excepting more DDoS packets, since the attack is coming from "familiar" addresses.

Virtual routers and security appliances

Beyond filtering, new DDoS defense techniques involve using virtual routers and appliance-based systems that can essentially be provisioned on an as-needed basics to draw in traffic, apply cleaning techniques, and filter traffic through. These types of automated provisioning systems will likely be a big line of defense for DDoS attacks in the future, since cloud- and virtual-based systems can quickly be adjusted to compensate for huge volumes of traffic.

Much will need to be done before DDoS attacks can be completely eliminated; there's a lot of unsecured machines out there on the Internet, ready to be zombified. And while there are are formidable defenses available for DDoS attacks, they are designed to be invoked by single targets, while the attacks are almost always a coordinated effort. Until defense is also a coordinated effort, then right now vigilance will remain the watchword for IT managers against DDoS attacks.

Brian Proffitt is a technology expert who writes for a number of publications. Formerly the Community Manager for Linux.com and the Linux Foundation, he is the author of 19 consumer technology books, including the most recent Take Your iPad to Work. Follow him on Twitter at @TheTechScribe.

This article was originally published on Jan 27, 2011
Get the Latest Scoop with Networking Update Newsletter