When Internet activist group Anonymous attempted to launch a distributed denial of service (DDoS ) attack on Amazon.com last December, its members quickly discovered that for all of their resources, they were unable to even inconvenience the massive e-commerce site.
The attack was called off and many lauded Amazon for its ability to ward off the DDoS that had been prevalent on the Internet during early- to mid-December, part of Anonymous’ Operation: Payback campaign to “raise awareness about WikiLeaks and the underhanded methods employed by the above companies to impair WikiLeaks’ ability to function,” according to a December 10 press release purportedly from the group.
It is widely believed that Amazon.com was able to easily fend off the DDoS attack from Anonymous because of its already-massive infrastructure, and the bad timing on the part of the attackers. In December, so much traffic was coming into the Amazon.com site due to the rush of holiday traffic, that any spike in traffic from a DDoS was simply lost in the crush of all the other traffic.
(Anonymous’ claims differ. In the press release, the activist organization claims that it decided to call off the attack at the last minute, so as not to interrupt holiday shopping. Some members apparently did not get the message, so the resulting DDoS attack was far weaker.)
Regardless of what actually happened on Dec. 9, one thing is very clear: most of the network administrators out there don’t work for Amazon.com, and thus any DDoS attack, small or large, poses a serious risk for any online business activity. So how do you go about preventing great harm if a DDoS attack comes your way?
There are, of course, the more well-known prevention methods that any network administrator should be doing already.
DDoS prevention methods you should already be using
Disable any unused services, to minimize the number of open ports and to reduce the chance someone could come in and exploit a known vulnerability. Along those lines, patch everything. Keeping your software as up-to-date as possible will also minimize vulnerability. Firewalls can help, too, but only to a point: They can stop flooding attacks coming in from “odd” ports, but there’s no preventing web-based traffic from rolling right in. Also, if you disable IP broadcasting, you can block ICMP-based attacks, such as ICMP packet magnification (“smurf”) or ping of death attacks.
These are the general methods that will keep your network generally protected against all but the most sophisticated DDoS. For specific DDoS defense, the most successful techniques have been the use of some sort of IP packet filtering.
Packet filtering is your best defense
The idea of filtering is simple to describe: figure out which of the incoming packets are from legitimate users and which are coming from the attacking machines. But implementing this kind of solution in practice is a far different story.
The biggest problem, of course, is differentiating the good traffic from the bad. Because of the challenge of this task, several approaches have been suggested.
First, there are the techniques to block spoofed IP packets, such as router-based filtering, which tracks the source addresses of incoming traffic and if an unexpected result is seen, spoofing is assumed and the traffic is dropped. In fact, spoofing has gotten much easier to block, it’s not typically used for sophisticated attacks anymore. Blocking spoofed traffic is now only a small part of the equation.
The new threat is more dangerous: when infected computers are coordinated en masse as a part of a zombie network, then the source addresses of the incoming traffic aren’t spoofed at all–they’re very real.
Warding off zombie attacks
One of the more promising approaches to IP filtering for zombie-directed attacks is history-based filtering. This technique flips around the model of trying to find the bad packets by remembering the good packets that have been to your site before and only letting packets from the known sources in during an attack. This is a fairly comprehensive approach, and neatly local: there’s no need for cooperation with broader Internet sources to make this work. The edge routers in your network simply reference an IP address database of frequent IP visitors and if the traffic source doesn’t match, then it’s dropped.
The trick with how well history-based filtering works is how efficient the database of addresses works. If it takes too long for the edge routers to get to the list of good addresses while and attack is underway, then the reduction of speed in network response could have the same effect as the attack itself.
Another vulnerability with this kind of filtering: if attackers are aware of history-based filtering, then the sophistication of zombie control systems are easily capable of directing a number of zombied computers to a target site before the actual attack in order to legitimize the IP addresses of the zombied computers. This will fool the filtering system into excepting more DDoS packets, since the attack is coming from “familiar” addresses.
Virtual routers and security appliances
Beyond filtering, new DDoS defense techniques involve using virtual routers and appliance-based systems that can essentially be provisioned on an as-needed basics to draw in traffic, apply cleaning techniques, and filter traffic through. These types of automated provisioning systems will likely be a big line of defense for DDoS attacks in the future, since cloud- and virtual-based systems can quickly be adjusted to compensate for huge volumes of traffic.
Much will need to be done before DDoS attacks can be completely eliminated; there’s a lot of unsecured machines out there on the Internet, ready to be zombified. And while there are are formidable defenses available for DDoS attacks, they are designed to be invoked by single targets, while the attacks are almost always a coordinated effort. Until defense is also a coordinated effort, then right now vigilance will remain the watchword for IT managers against DDoS attacks.