A distributed denial of service (DDoS) attack on your corporate Web
site can be a terrifying thing. First traffic levels start rising, then
your network gets clogged. Before long your servers stop coping, and
within a few minutes your customers find your Web site is unreachable.
As far as the Internet is concerned, your company has ceased to
The important thing to realize about DDoS attacks is that they
aren’t going to go away, and there’s no way of preventing them. They
have been around for a very long time, and they are getting easier to
carry out. That’s because there are increasing numbers of poorly
secured home PCs with always-on Internet connections just waiting to be
discovered and taken over by hackers. These compromised PCs are
incorporated into attack networks, where they remain dormant until a
short burst of command and control traffic activates them and turns
them into crazed attack zombies, firing off data at a target host until
— the hacker hopes — it disappears under a deluge of unwanted
As a responsible network administrator, it’s prudent to assume that if
it hasn’t faced one yet it’s only a matter of time before your
organization faces a DDoS attack. This could be orchestrated by some
mindless teenaged cretin, or, as a number of gambling sites have
discovered, by more sinister underworld blackmailers. Whoever it
happens to be, the important question is what can you do to mitigate
the damage it could cause?
Getting to Know Your Net
“As with any disaster, the key to
surviving a DDoS attack is planning ahead,” says Allen Householder,
Internet security analyst at US-CERT, a partnership between the
Department of Homeland Security and the public and private sectors
established to protect the nation’s Internet infrastructure.
An important first step is to familiarize yourself with your typical
inbound traffic profile, Householder advises. “The more you know about
what your normal traffic looks like the better the position you are in
to spot when its profile changes,” he says. “Most DDoS attacks start as
sharp spikes in traffic, but if you can’t tell the difference between a
flash crowd of legitimate visitors and the start of a DDoS attack you
are already in trouble.” There are plenty of network tools on the
market which enable you to look at traffic flows and protocols, and if
you can see the traffic going across your network you can analyze it
and see if it changes.
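The baseline-then-compare approach Householder describes, as an added example that is not from the article or from US-CERT: it learns a per-minute request baseline from constructed "normal" log lines, flags minutes far above it, and uses source and path concentration as a rough cue for separating a flash crowd from a suspected DDoS. The log format, sample addresses, and the k-sigma and 50 percent concentration thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: "<minute> <client_ip> <request path>".
# Normal traffic: 15-20 requests per minute from distinct sources, mixed paths.
BASELINE_LOG = [f"{m} 10.0.{m}.{i} /page{i % 3}"
                for m in range(10) for i in range(15 + m % 6)]
# Constructed flash crowd: many distinct sources, one request each, mixed paths.
FLASH_MINUTE = [f"20 198.51.100.{i} /page{i % 3}" for i in range(200)]
# Constructed attack: huge volume from five sources hammering a single path.
ATTACK_MINUTE = [f"21 203.0.113.{i % 5} /index" for i in range(2000)]


def per_minute_counts(lines):
    """Return ({minute: Counter(client_ip)}, {minute: Counter(path)})."""
    by_ip, by_path = defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        minute, ip, path = line.split()
        by_ip[int(minute)][ip] += 1
        by_path[int(minute)][path] += 1
    return by_ip, by_path


def build_baseline(lines):
    """Mean and population stddev of requests per minute in normal traffic."""
    by_ip, _ = per_minute_counts(lines)
    totals = [sum(c.values()) for c in by_ip.values()]
    return mean(totals), pstdev(totals)


def classify_minute(lines, baseline, k=3.0, top_share=0.5):
    """Label each minute 'normal', 'flash_crowd' or 'suspected_ddos'.

    A minute is a spike when its volume exceeds mean + k*stddev of the
    baseline.  Spikes where the top five sources, or the single most
    requested path, carry more than top_share of all requests are flagged
    as suspected DDoS; spikes with diverse sources and paths are treated
    as a flash crowd.  Thresholds are assumptions for illustration.
    """
    by_ip, by_path = per_minute_counts(lines)
    mu, sigma = baseline
    verdicts = {}
    for minute, ips in by_ip.items():
        total = sum(ips.values())
        if total <= mu + k * sigma:
            verdicts[minute] = "normal"
            continue
        top_ip_share = sum(n for _, n in ips.most_common(5)) / total
        top_path_share = by_path[minute].most_common(1)[0][1] / total
        concentrated = top_ip_share > top_share or top_path_share > top_share
        verdicts[minute] = "suspected_ddos" if concentrated else "flash_crowd"
    return verdicts
```

In practice the baseline would be rebuilt from several normal days and the verdict fed to an alert or to the upstream contact the article says you should already know.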
Bandwidth is also worth considering. The principle of a DDoS attack
is that your entire system becomes overwhelmed by too much traffic, and
the smaller the pipe into your organization the easier it will be to
overwhelm it. “Having excess capacity is always a good thing,” says
Householder. “But we have witnessed attacks that have taken down the
largest portals, so you are never going to have enough capacity to
handle all circumstances.”
And having a monstrous amount of bandwidth available is only of any use
if your servers can handle the requests fired at them. It’s wise to
over-provision to cope with peaks in expected demand, and you may
design your infrastructure to cope with traffic which is, say, 50 or
100 per cent higher than normal levels. But during a DDoS attack
traffic may jump to a thousand times the normal levels, and who can
afford to have a thousand times the resources normally required held in
reserve in case of a DDoS attack? Even then, there would be no
guarantee that would be enough.
The Managed Hosting Option
It’s possible to make the case
that Web sites stand the best chance of surviving a DDoS attack if the
servers are sited in a large managed hosting facility. That’s because
there’s likely to be very large amounts of bandwidth, servers and other
network infrastructure available — far more than is required for your
site alone. During an attack it would be far easier to commit some of
these resources to supporting your Web presence.
“A DDoS attack overwhelms your network infrastructure, and the
smaller that is, the easier it is to overwhelm it,” says Paul Froutan,
VP of Engineering at San Antonio, Texas-based managed hosting company
Rackspace. “At our facilities we have gigs of connectivity and big
switches, so we are less likely to be overwhelmed,” he says.
Of course big bandwidth means that instead of overwhelming your
network connection, a DDoS attack just overwhelms the next weak link:
your servers. Hosting companies like Rackspace also use — and share
the cost of — DDoS mitigation devices such as Cisco Guard. These spot
traffic anomalies to help detect DDoS attacks, and then divert traffic
destined to a site under attack, enabling it to be filtered so that
legitimate traffic is passed through while attack traffic is rejected.
In practice up to 90 percent of unwanted traffic can be stopped using
mitigation devices, Froutan says, giving your Web presence a good
chance of remaining visible to most, if not all, Internet users. Of
course there is nothing to stop your organization from buying its own
mitigation device, but clearly there are economies of scale to be had
when a hosting facility owns and manages one for all its customers
together. Engineers at a hosting facility are also likely to face DDoS
attacks more regularly than those at a single organization, so the
speed of response is likely to be quicker.
Grin and Bear It? Or Step Out of the Way?
There are other
measures that can be taken to mitigate the effect of an attack, and
some of these are very simple. You could rate limit your router to
prevent your Web server being overwhelmed — some legitimate traffic
would get through, which is better than no traffic at all. You could
simply take your Web server offline for the duration of the attack,
although some would argue that by doing this you are effectively doing
the DDoS attacker’s work for him, by ensuring the attack successfully
makes your server unreachable.
And there are steps you can take if you are well enough prepared.
For example, you can seek help from your upstream provider — but only
if you know who to contact and how to contact them.
So which of these measures should you take to mitigate the damage a
DDoS attack could cause? Each organization is different, and it’s
really up to you to run your own cost-benefit analysis before deciding.
One thing is for sure though: Ignoring the very real threat of DDoS
attack is likely to cost your organization dearly, both in monetary
terms and in the reputation you have with your customers.