If your business has a presence on the web, you need to know about Distributed Denial of Service (“DDoS”) attacks. DDoS attacks have become particularly notorious lately, primarily because of the highly‐publicized alleged DDoS attacks on the Wikileaks website, and the equally highly‐publicized alleged DDoS counter‐attacks on the websites of businesses perceived to have wrongfully withdrawn their support from Wikileaks. Perhaps most disturbing from a business perspective is that the counter‐attacks, which were coordinated by the hacker organization “Anonymous,” succeeded in disrupting the transactions of large, well‐established enterprises, including PayPal, Visa, and Mastercard.
Unfortunately, the Wikileaks‐related DDoS attacks were not an isolated incident. DDoS attacks, as well as simpler “Denial of Service” attacks, have been around for over a decade: in 2000, for example, a teenager launched DDoS attacks that shut down the websites of Yahoo, BestBuy, eBay, CNN, Amazon, and others. And recent reports have reached the troubling conclusion that the rate, as well as the severity, of DDoS attacks is on the rise.
But what, exactly, is a DDoS attack? Can they be prevented, or at least mitigated in some way? And are they a legitimate threat to most businesses? This article seeks to answer these questions.
What is a DDoS attack?
A Denial of Service (“DoS”) attack is essentially an effort by an attacking computer to overwhelm the processing power of the victim computer and effectively take it out of commission. A Distributed Denial of Service (“DDoS”) attack is a DoS attack that is carried out by several computers acting in concert. Both types of attacks are carried out through Internet connections between the attacker and the victim, and the victim computer is often a server hosting a website.
While there are many varieties of DoS and DDoS attacks, they can generally be categorized as one of two types: network‐based, or application‐based. In a network‐based attack, the attacker floods the victim computer with information, clogging up the victim computer’s communication lines and overwhelming the victim computer’s ability to process the flood of information. Some of the historically more common techniques include:
- Ping Floods: In this relatively simple type of attack, the attacking computer sends a flood of requests (or “pings”) to the victim computer that ask the victim computer to acknowledge that the victim computer is able to communicate with the attacker. If enough of these ping requests are sent, it can overwhelm the victim.
- Smurf or Fraggle Attacks: In these attacks, the attacking computer falsifies (or “spoofs”) its Internet Protocol address so that it appears to be the victim computer’s address. The attacker, posing as the victim, then sends requests to an entire network of computers seeking an acknowledgment. The entire network then sends its acknowledgments to the victim’s computer, flooding it with information.
- SYN/ACK Flood: These attacks exploit the way computers acknowledge each other when they first communicate over the Internet. The attacking computer introduces itself, pursuant to standard Internet protocol, with a “SYN” message. The victim computer responds with the standard “SYN‐ACK” message and waits for the attacking computer to issue the standard “ACK” acknowledgement. The attacker never issues this acknowledgement, which has the effect of making the victim computer expend its resources waiting. A flood of these incomplete handshakes can take the victim computer out of commission.
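An added illustration, not code from the article, of why the unanswered SYN‐ACKs exhaust the victim: a small model of the server’s table of half‐open connections with a bounded backlog and an expiry timer, the kind of limit network equipment applies. The addresses, backlog size and timeout are constructed values.

```python
# Added illustration (not the article's own code): the server side of the TCP
# handshake with a bounded half-open backlog and an expiry timer.
from dataclasses import dataclass, field

@dataclass
class HalfOpenTable:
    backlog: int           # max half-open (SYN received, ACK pending) entries
    timeout: float         # seconds a half-open entry is kept before eviction
    pending: dict = field(default_factory=dict)   # (src, port) -> time of SYN
    established: set = field(default_factory=set)
    dropped_syns: int = 0  # SYNs refused because the backlog was full

    def expire(self, now: float) -> int:
        """Evict half-open entries whose ACK never arrived; return how many."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, src: str, port: int, now: float) -> bool:
        """Peer sent SYN: reply SYN-ACK and hold the entry, or drop if backlog is full."""
        self.expire(now)
        if len(self.pending) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.pending[(src, port)] = now
        return True

    def on_ack(self, src: str, port: int, now: float) -> bool:
        """Peer sent the final ACK: promote the matching half-open entry."""
        if (src, port) not in self.pending:
            return False   # nothing outstanding: expired, or no SYN was ever seen
        del self.pending[(src, port)]
        self.established.add((src, port))
        return True


def simulate(backlog: int = 4, timeout: float = 30.0) -> dict:
    """Constructed scenario: one normal handshake, a burst of SYNs that never get
    their ACK, a legitimate client refused while the backlog is full, then the
    same client accepted once the expiry timer has freed the stale entries."""
    tbl = HalfOpenTable(backlog, timeout)
    tbl.on_syn("198.51.100.10", 40000, 0.0)
    tbl.on_ack("198.51.100.10", 40000, 0.1)            # normal client completes
    for port in range(1000, 1000 + backlog):             # ACK-less SYNs fill backlog
        tbl.on_syn("203.0.113.5", port, 1.0)
    refused = not tbl.on_syn("198.51.100.11", 40001, 2.0)
    evicted = tbl.expire(1.0 + timeout)                  # timer reclaims the slots
    accepted = tbl.on_syn("198.51.100.11", 40001, 1.0 + timeout)
    return {"refused": refused, "evicted": evicted, "accepted": accepted,
            "dropped": tbl.dropped_syns, "established": len(tbl.established)}
```

Real operating systems add further defenses (larger backlogs, SYN cookies) on top of the timeout shown here.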
The second broad category of DoS and DDoS attacks is application‐based attacks. While conceptually similar in some ways to network‐based flooding attacks, application‐based attacks, as the name suggests, focus on exploiting software programs or applications on the victim computer in an attempt to make the computer crash or slow to a crawl. An attacker carrying out such an attack may seek, for example, to repeatedly run resource‐intensive search requests on a victim’s search engine or database, or to repeatedly request complex and feature‐rich web pages from a server, either of which may severely tax or exceed the victim server’s capacity.
Regardless of whether a network‐based or application‐based attack is involved, DDoS attacks are often much more severe than DoS attacks. By definition, more attacking computers are involved in a DDoS attack than in a DoS attack, which generally means that the flood of information, or the number of resource‐intensive requests, to the victim computer can be that much greater.
The organized group of attacking computers used in a DDoS attack is often called a “botnet” (as in “robot network”). To assemble a botnet, an attacker often will infect the computers of unsuspecting users with malicious software that allows the attacker to remotely control those computers. The user of the infected computer often will be completely unaware that the computer has been infected. Less enterprising or technically adept attackers can simply rent botnets from the web’s black market. There also have been occasions in which botnets have consisted of volunteers who willingly allow their computers to be controlled by the DDoS attacker. This often occurs in politically‐motivated attacks, as in the Wikileaks‐related attacks coordinated by the “Anonymous” organization. The recruiting and coordination of such voluntary botnets often occurs on social media sites such as Twitter, as well as in online chat rooms.
What Can Be Done?
Unfortunately, DDoS attacks likely will continue to increase in volume and sophistication. There is an active community of attackers hard at work collaboratively developing and sharing attack techniques (run a YouTube query for “DDoS Attack Tutorial” and you will see what I mean). More and more people around the world are connecting to the Internet, giving hackers a bigger pool of potentially unprotected computers that they can hijack and use in botnets. And the anonymity of the Internet allows attackers to fairly easily remain untraceable, which frustrates the ability of the legal system to hold the attackers accountable – a problem made worse by the frequently international and multi‐jurisdictional nature of the attacks.
What can be done? Here are a few suggestions:
Evaluate The Risk: While it is clear that DDoS is a serious problem for the Internet in general, it may not be for your business in particular. If your business only has an incidental presence on the web, or does not conduct significant web‐based commerce, it may not be worth your while to spend a lot of resources establishing a DDoS defense system. For example, a company that generates revenue primarily from bricks‐and‐mortar retail sales likely would have less of a need for a robust DDoS defense than would a company that conducts nearly all of its business through web‐based sales transactions. On the other hand, if your business or organization has a high public profile, or is associated with controversial issues (political organizations, financial institutions, or defense contractors, for example), you should recognize that you may be a more likely target of an attack, including a politically‐motivated attack. A thorough and dispassionate risk assessment considering these and other factors should be the first step in any analysis of an organization’s DDoS response plan.
Know Your System: One of the hallmarks of DDoS attacks is that they flood the victim computer with information, or issue an unusually high number of resource‐intensive application requests. To recognize when you are under a DDoS attack, you need to know your typical baseline system activity – in other words, you need to know what is normal, so that you can quickly recognize what is abnormal and potentially a DDoS attack. Consider monitoring and recording your network traffic and server application activity over an extended period – a year is advisable – so that you have a good sense of what is typical activity for your organization. Further correlation of this historical information with events such as product launches, news events, or other occurrences that might explain a historical increase or decrease in your system activity could be useful in assessing what you should expect.
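The baseline idea above, as an added example that is not from the article: it derives a per‐minute request‐rate baseline from constructed log lines (all addresses are documentation ranges), flags minutes that exceed it, and counts distinct sources in each flagged minute, since a spike driven by many addresses points to the distributed case rather than a single attacker. The four‐minute baseline window is only for illustration; the article’s advice of a much longer history applies in practice.

```python
# Added example (not the article's own code): derive a request-rate baseline
# from per-minute counts and flag minutes that depart from it.
import statistics
from collections import Counter, defaultdict


def constructed_log():
    """Constructed sample in '<ISO minute> <source-ip> <request>' form: four quiet
    minutes from a few clients, then one minute with the same search request
    arriving from thirty different addresses (all documentation-range IPs)."""
    lines = []
    for minute, n in [("10:00", 3), ("10:01", 5), ("10:02", 4), ("10:03", 6)]:
        lines += [f"2011-02-01T{minute} 198.51.100.{10 + i} GET /catalog" for i in range(n)]
    lines += [f"2011-02-01T10:04 203.0.113.{i} GET /search?q=aaa" for i in range(1, 31)]
    return lines


def per_minute(lines):
    """Count requests and distinct source addresses for each minute."""
    counts, sources = Counter(), defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        minute, src, _request = line.split(" ", 2)
        counts[minute] += 1
        sources[minute].add(src)
    return counts, sources


def find_anomalies(lines, baseline_minutes=4, sigma=3.0):
    """Treat the first `baseline_minutes` as the historical baseline and flag any
    later minute whose request count exceeds mean + sigma * stdev. The stdev is
    floored at 1 so a perfectly flat baseline does not produce a zero-width band."""
    counts, sources = per_minute(lines)
    minutes = sorted(counts)
    baseline = [counts[m] for m in minutes[:baseline_minutes]]
    if len(baseline) < 2:
        return []     # not enough history to say what "normal" looks like
    threshold = statistics.mean(baseline) + sigma * max(statistics.pstdev(baseline), 1.0)
    return [{"minute": m, "requests": counts[m], "threshold": threshold,
             "distinct_sources": len(sources[m])}
            for m in minutes[baseline_minutes:] if counts[m] > threshold]
```

On the constructed sample the four baseline minutes give a threshold of about 7.85 requests per minute, and the final minute (30 requests from 30 addresses) is the only one flagged.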
Establish Responsibility: A successful defense to a DDoS attack often hinges on the speed with which the victim can respond and implement remedial measures. It therefore is important to establish clearly‐delineated responsibilities and lines of communication among your organization’s staff. Ideally, the organization’s staff should be trained to monitor the system activity and to quickly recognize abnormalities that might signal a DDoS attack. Incident response plans should exist that include procedures to communicate to key internal staff and decision makers at all hours. Strong relationships and lines of communication also should be established beforehand with any relevant outside vendors, web hosting providers, and Internet Service Providers. These outside providers may have their own resources or procedures available to help defend against DDoS attacks, and you should endeavor to understand them in advance so that, when the time comes, you can quickly make a decision whether they should be implemented.
Hardware and Structural Defense: Of course, monitoring and having a response plan alone will do nothing to stop DoS and DDoS attacks, or lessen their severity. For that, you will need to consider hardware and structural defenses. For example, most modern network hardware can be configured to prevent Ping, Smurf/Fraggle, SYN/ACK, and similar DoS network flood attacks by rejecting or limiting the Internet traffic that characterizes those types of attacks (i.e., an unusually high number of “ping” requests from one computer, or a computer that refuses to issue the “ACK” message). Hardware‐implemented access control lists can also be used to filter out traffic from particular attacking computers.
These “limiting” or “filtering” solutions, however, are less useful in defending against DDoS attacks. Because DDoS attacks are perpetrated through several different computers acting in concert (often hundreds or thousands of them), they can confuse or circumvent measures taken to limit or filter the requests coming from a small number of specifically identified computers. Planning an adequate DDoS defense therefore should involve considering structural defenses as well – in other words, defenses that involve the manner in which a computer network, and the information it contains, is organized. Even these structural defenses, however, may have limited effectiveness in preventing or remediating the attacks.
Perhaps the simplest structural solution is to have an extraordinary amount of network capacity and processing power, so that your entity can withstand nearly any DDoS “flood.” While some larger entities can do this, for most it is simply not cost effective. More practical structural solutions can include: outsourcing to a large and well‐established hosting provider that is likely to have a larger amount of capacity and in‐house methods of addressing DDoS attacks; having a backup “mirror” website hosted at a different location that can be substituted if the primary site is under attack; implementing caching systems that substitute simpler web pages in place of complex feature‐rich pages if application resources become strained; and having a system architecture that clearly separates the “front‐end” web‐facing system from the “back end” processing systems to minimize the business effects of attacks on the web server.
Reporting: It is indisputably difficult to investigate and hold accountable those who perpetrate DoS and DDoS attacks – but it does happen. As of the date of this article, for example, there are news reports that persons suspected of being involved in the Wikileaks-related attacks have been arrested and their residences searched for evidence. If your business is victimized by such an attack, you therefore should consider forensic preservation of the system logs and related documentation. It just may be that this information could lead to the perpetrator being prosecuted.
DoS and DDoS attacks are a difficult problem. Approaching this problem effectively involves careful assessment of the risks these attacks pose to your business. If the risks warrant it, steps can be taken to implement monitoring and organizational re‐structuring that can help enable you to quickly identify and respond to an attack. Hardware and structural defenses can also be put into place that prevent, or at least potentially minimize, these attacks. Taken together, these steps may make a significant difference in your organization’s ability to carry on its business without interruption.
Jason Gonzalez is a Managing Director at Stroz Friedberg, LLC, and a former federal prosecutor. Stroz Friedberg is a consulting firm specializing in computer forensics, incident response, electronic discovery, and business intelligence and investigations.