DDoS is a hot concern right now across the IT and security sector. I can tell this from the number of inquiries to my consulting business, discussions on social media and the number of vendor contacts I am getting.
What is DDoS?
DDoS, or Distributed Denial of Service, is the evil cousin of a Denial of Service (DoS) attack. Both have a single purpose: to annoy you and take your site or service off-line.
A DoS is “any action, or series of actions, that prevents a system, or its resources, from functioning in accordance with its intended purpose.” (All In One CISSP Exam Guide – Harris). This is obviously a broad definition that could include anything from a deliberate power outage to a computer pinging a server to death. I like to add some additional criteria to the definition of DoS: the service or resource is not available, but no other harm is coming to it, and the attack comes from a single source. For example, a DoS is forced upon a website by a single computer or network; the server is still functioning, but no one can reach it.
One part of those additional criteria sets the DoS apart from the DDoS. A Distributed Denial of Service (DDoS) is essentially the same thing as a DoS except that it comes from multiple sources, usually attacking simultaneously.
How do they get Multiple Computers to Attack me?
DDoS occurs when multiple computers attack your service (website) at once. Frequently these attacks come from hundreds, if not thousands, of computers, not one or two. The idea is that many computers simultaneously attacking your site will flood your Internet connection or exhaust the resources (CPU, memory, connection tables) of the server hosting your services. It simply brings the service to its knees.
How in the world can one attacker get access to that many computers? Usually by infecting them with malware. The malware most frequently arrives via trojans in email attachments or by visiting a compromised website. Once infected, the computer becomes a robot, or “bot”, in a worldwide network of attackers known as a botnet. These bots then await their command to attack.
Who controls the Bot?
Nefarious people control the bots. Some botnets are owned by attackers who maintain tight control of them and use them for their own purposes only. Believe it or not, there are also DDoS-for-hire services that take orders like any other business. Anyone willing to pay can direct a DDoS-for-hire botnet; a kid who doesn’t like his high school can literally rent it for a period of time. Once payment is made and the attack is scheduled, the bot commander issues the attack criteria to the bots and they begin attacking at the specified time, for the duration purchased.
How long do DDoS Attacks Last?
However long the bot commander desires is how long the attack lasts. Most attacks last only a few minutes (the average I see is 2-5 minutes), but be careful in relying upon my experience. Some can last hours or days. A cloud service provider was recently the victim of an attack lasting ten days or more.
How big are DDoS attacks?
Each one is different and depends upon many factors. If your Internet connection is only 100 Mb/s, a 50, 75 or 100 Mb/s attack will have an impact on your services. Bandwidth is not the only measure, either: a flood of small packets can exhaust a firewall’s or server’s connection handling long before it fills the pipe, so packets per second and requests per second matter as well. In my current scenario, the most impactful DDoS attacks I have seen have been 8-15 Gb/s, sustained for 2-5 minutes.
Why would they Attack Me?
There is no single reason why a DDoS occurs. With DDoS-for-hire services, any customer who feels wronged, a disgruntled employee, a (you fill in the blank), can launch an attack against your site or service. Most frequently it is a “hacktivist” effort. A hacktivist is someone with a cause who attacks to make a political or other statement. So the question of why they would attack your site is something you may have to answer yourself. Did you express an opinion that ruffled some feathers? Has your company taken a political stand through donations or other communications? The list goes on, and it could be as simple as some kid in town wanting to play around with you.
How do you stop a DDoS?
Notice that the question is how to stop the attacks, not how to prevent them. You cannot prevent a DDoS attack in the traditional sense. These attacks come from all over the world and cannot be controlled at the launch point. The only defense is to stop the attack at a point where it does not impact you. Here are a few ways to stop or mitigate an attack.
- Talk to your Internet service provider and see what “upstream” defenses they have. Many Internet providers are putting in detection systems that can block IPs or throttle the traffic coming from attacking sources. The U.S. federal government has established a “Trusted Internet Connection” program for its own systems with four provider companies (AT&T, CenturyLink, Sprint and Verizon). You may be able to leverage these services, but of course at a cost. In my opinion, this is the best place and service to use to defend against DDoS, because the DDoS never reaches your network.
- Content Delivery Network (CDN) services such as CloudFlare and EdgeCast were designed to place static site content closer to the end user and therefore make websites fast. A byproduct is that these distributed networks can and do absorb much of a DDoS attack. The weakness of this approach compared with the upstream defenses above is that the CDN only protects traffic that reaches you through it: if the attacker discovers your origin server’s IP address (from old DNS records, mail headers, or a subdomain that bypasses the CDN) and aims the attack at that IP rather than at your hostname, the attack will still hit your site and services. Configure the origin to accept web traffic only from the CDN’s address ranges. This is probably my second choice for defense.
- Specialized appliances or services placed at the perimeter of your network can detect and discard attack traffic. These systems inspect packets and look for patterns; if a signature matches, the packet is discarded. Note that an on-premises appliance can only help if your Internet connection itself is not already saturated.
- Intrusion Prevention Systems (IPS) can also act as DDoS protection, much like the appliances above. In fact, most DDoS appliances are specialized IPS systems focused on DDoS-specific attacks. An IPS should be in your network anyway.
- Firewalls can be used to deflect attacks. However, most attacks arrive on ports 80 and 443 (web and secure web), which you have to leave open, so the firewall may be useless in killing an attack. A stateful firewall can even become the bottleneck itself when a flood fills its connection table.
- Get law enforcement involved. If the attack is sustained, consistent or repeated, it may be time to bring in the big boys. In the U.S. you can contact the FBI at https://www.fbi.gov/report-threats-and-crime.
- Over-subscribe to bandwidth. One of the cheapest ways to handle these issues is simply to have more bandwidth than you really need. If you do, you may be able to ride out a DDoS without even knowing it occurred.
- Work with your hosting provider to see what they have available. Many hosting providers have detection and “prevention” services.
- Attacking back has historically been a favored tactic. It is not a good idea: it tells the attacker you are after them and starts a feud; in many jurisdictions it is itself illegal; and in a DDoS scenario, attacking back at potentially thousands of sources, most of them infected computers belonging to innocent third parties, is practically impossible.
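As an added illustration of what the detection systems in the upstream, appliance and IPS points above are doing, and of the single-source versus many-source distinction drawn earlier in the post, here is a small log-based flood detector. It is example code written for this article, not a product and not the author’s tool; the log lines are constructed, and the window size, per-IP limit, total limit and 80% dominance cut-off are assumptions to tune against your own traffic baseline.

```python
"""Added example for this article: a minimal request-flood detector that
reads web server access-log lines, buckets requests into fixed time
windows and flags windows that exceed a request budget.

The log lines are constructed for the example (RFC 5737 documentation
addresses, not real traffic). The window size and thresholds are
assumptions; tune them to your own baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip - - [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, time, request, status} for one log line, or None if it
    does not match the combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status, _size = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(stamp, TIME_FMT),
        "request": request,
        "status": int(status),
    }


def analyze(lines, window_s=10, per_ip_limit=20, total_limit=100):
    """Bucket requests into window_s-second windows and report each window
    whose total request count reaches total_limit.

    For a flagged window the report lists the IPs that individually reach
    per_ip_limit (candidates for blocking) and labels the window "DoS"
    when one source sends at least 80% of it, "DDoS" when the load is
    spread across many sources. The 80% cut-off is an assumption."""
    buckets = defaultdict(Counter)  # window start (epoch s) -> Counter(ip)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash mid-flood
        epoch = int(rec["time"].timestamp())
        buckets[epoch - epoch % window_s][rec["ip"]] += 1

    findings = []
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        if total < total_limit:
            continue
        top_n = counts.most_common(1)[0][1]
        offenders = [ip for ip, n in counts.most_common() if n >= per_ip_limit]
        kind = "DoS" if top_n >= 0.8 * total else "DDoS"
        findings.append({
            "window_start": start,
            "total": total,
            "sources": len(counts),
            "kind": kind,
            "offenders": offenders,  # empty when no single IP stands out
        })
    return findings


def make_sample():
    """Constructed sample: a quiet 10 s window, then a distributed flood
    (40 sources sending 3 requests each), then a single-source flood of
    150 requests."""
    fmt = ('{ip} - - [01/Jan/2024:12:00:{sec:02d} +0000] '
           '"GET /index.html HTTP/1.1" 200 512')
    lines = []
    for sec, ip in [(0, "203.0.113.10"), (3, "198.51.100.7"),
                    (5, "203.0.113.10"), (8, "192.0.2.44"), (9, "198.51.100.7")]:
        lines.append(fmt.format(ip=ip, sec=sec))
    for i in range(40):  # 12:00:10-12:00:19, sources 192.0.2.100 .. 192.0.2.139
        for k in range(3):
            lines.append(fmt.format(ip=f"192.0.2.{100 + i}", sec=10 + (i + k) % 10))
    for k in range(150):  # 12:00:20-12:00:29, one source
        lines.append(fmt.format(ip="203.0.113.99", sec=20 + k % 10))
    return lines


if __name__ == "__main__":
    for finding in analyze(make_sample()):
        print(finding)
```

Run it and note the two flagged windows: the single-source window produces one offender you could block at a firewall or IPS, while the distributed window is just as far over budget but yields no offenders at all, because no individual bot exceeds the per-IP limit. That is exactly why per-IP blocking on your own perimeter runs out of steam against a DDoS and why the upstream and CDN options, which have the capacity to absorb the aggregate, come first in the list.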
DDoS is a fact of life on the Internet, and the only way to “fix” the problem is to prepare by developing a plan to minimize the impact upon your services or site. That plan is specific to your environment and services. It should include a risk assessment and answer the question: how long can your site be out of service? If you need assistance with this, please send us an email and let us know. We would be happy to help you work through this problem.