Defending Against DDoS Attacks
Distributed denial of service (DDoS) attacks—in which a Web site is bombarded with such a volume of traffic that legitimate users can’t access it—are on the rise. The frequency, size, and scale of DDoS attacks have been consistently increasing. A quarterly threat report by Prolexic, a DDoS mitigation service provider, showed that in the first part of 2013, the average attack strength skyrocketed from 5.9 Gbps (gigabits per second, which is the measurement of the speed of the number of pings or traffic hitting the site) to 48.25 Gbps. In the most recent Prolexic quarterly report, that number rose again to 49.24 Gbps, suggesting the larger attacks may be here to stay. And some attacks have gone well above those average numbers. In March, one of the largest DDoS attacks ever seen on the Internet at 300 Gbps was launched against Spamhaus, an anti-spam service.
A 2013 Global Security Report by Trustwave showed DDoS activity was up 9 percent from 2011 to 2012. The Trustwave report found that these attacks most often target Web domains related to government, finance, hosting providers, media, and politics.
Stephen Cobb, who works at Web security solutions provider ESET, explains how a DDoS works. First, a basic denial of service type of attack “takes advantage of a protocol in which you say ‘hello’ to the server, and the server says, ‘hello, what’s your name?’ and you don’t reply,” says Cobb. “So the servers are waiting and waiting, and [if the same computer submits that request over and over, it floods the server until] it just can’t perform.”
He says DDoS is the distributed form of this attack; it is simply a multiplication of that effort. “All that means is it’s not just one machine carrying out the attack, it’s a number of machines,” he says. “And so somebody has coordinated multiple machines which have denial of service software on there to carry out the attack.”
Typically, these are so-called zombie machines, or botnets, that have been commandeered without the owners’ knowledge. Cobb says the latest development in DDoS is the use of Web servers as botnets, rather than individual computers. “The classic botnet is laptops and desktops on which a bad guy has his code,” he says. That code then “calls home” to command and control. “The command and control machine is in the hands of the bad guy, and he can orchestrate this army of machines remotely,” Cobb explains. “The same thing is now done with Web servers,” he says. “The bad guy gets his code onto the Web server, and then can orchestrate multiple Web servers to carry out the attack.”
This is a significant shift, which ultimately could allow the hackers to do more damage, because “Web servers are designed to be always on, and they sit on very good bandwidth,” Cobb explains. “Bandwidth is important in most DDoS attacks because that’s the constraining factor in how much garbage you can send at your target.”
In addition, “What the bad guys found with the classic PC/laptop attack was that more and more people are turning those machines off when they don’t use them,” Cobb says. “So that’s not so good for a DDoS attack, because you may think you have a thousand machines out there under your control, and you do, but if half of them are asleep, you can’t deliver so much attack bandwidth.”
This migration to Web servers also means that a company’s server, if it is hijacked, might end up on a blacklist by Internet watchdog groups like StopBadware.com. The company’s Web site could end up being taken offline. So companies need to protect their systems not only against attack but also against being used unwittingly to launch attacks.
Lance James is head of intelligence at Vigilant, a cybersecurity solutions provider which was recently acquired by Deloitte. He says the hijacking of Web servers to attack other sites just amplifies the level of harm a hacker can do.
DDoS attacks are becoming simpler to carry out, and virtually anyone who knows where to find the resources can orchestrate, or have someone else orchestrate, an attack. “It’s actually done usually by a service. We see a lot of these kids, they buy a service or they buy a tool, and they can rent a service to allow them to attack sites,” he says.
While it is not yet possible to keep hackers from directing a deluge of traffic at a company, it is possible to have a defensive solution in place ready to respond when that happens. A company can, for example, enroll in a DDoS mitigation service like CloudFlare. CloudFlare is designed to protect against DDoS attacks by rerouting all the bad traffic coming to a Web site elsewhere. It has the space to actually absorb that bad traffic by buying up tons of bandwidth on networks all over the world. “And we’re growing that at about 20 percent month over month, so it’s getting bigger and bigger and bigger, just because we’re getting more and more customers coming to us,” says Matthew Prince, CEO and cofounder of the service. “We’ve had some high-profile attacks that have hit our system, and there hasn’t been one yet—knock on wood—that we haven’t been able to stop.”
CloudFlare classifies different DDoS attacks into three groups based on the nature of the attack. They are labeled layer 3, layer 4, and layer 7 attacks.
“What a layer 3 attack does is it sends so much traffic to one of those ports that it’s more than the port can physically handle. And so if you’re a business and your Web site is connected with a 1-gigabit connection to the Internet, if someone sends you 1.1 gigabits of traffic or 2 gigabits of traffic, then you’re offline” says Prince.
Layer 4 attacks “go for a high volume of very small packets,” Prince says. “And so they typically aren’t enough to overwhelm a port, but they hit the operating system, and the operating system has to acknowledge every single one of these requests [which can create] bottlenecks that keep the legitimate requests from coming through.”
Layer 7 attacks consume the server’s resources by forcing the application to hold open the connection. “If you open 100,000 connections, and you hold them all open and then just trickle a little data across each of them…you overwhelm the total number of connections that the Web server can actually accommodate,” Prince says.
Implementing the solution is easy. “We don’t ask any of our customers to change anything about their existing infrastructure. So you don’t have to install any hardware, and you don’t have to install any software, because hardware and software are things that fail when you’re under these types of attacks,” says Prince. “Instead, we sit at the edge of the network and are in front of all these [spoof] requests.”
Prince says that the company has Web site customers of all sizes, ranging from personal blogs to Fortune 500 companies’ sites. Some customers are being proactive when they seek the service, but some have called to sign up for CloudFlare while under a DDoS attack. “When you sign up, it will instantly stop that attack, and then the site immediately comes right back online,” he says, noting that this method is “almost always” successful.
CloudFlare offers four plans, including a free plan that gives customers basic DDoS mitigation protection. As end users move up the pay scale, they can receive customized packages and a guarantee that their Web site is “always up,” or available to those wishing to access it. The most expensive plan, the Enterprise package, offers advanced DDoS mitigation services; it starts out at $3,000 per month and includes 24/7 phone support service and a certified account manager.
The system learns as it encounters each new attack, and this benefits the entire customer base. Prince says with layer 3 and layer 4 attacks, “we stop 100 percent of packets from ever reaching our customers whether we've ever seen the attack before or not.”
But with layer 7 attacks, Prince says, there is a chance some of the packets may reach the customer because the attacks are specific to a customer’s application. “In the worst case, if there is a totally new attack, the system may let it through for a few seconds and then pick up the pattern and begin blocking the attack. However, once the blocking has begun, we're typically able to filter out the vast majority, if not all, of the attack,” he notes.
There are other companies that offer DDoS mitigation services, among them Cisco. One of Cisco’s mitigation products is the Guard XT 5650, an Ethernet interface that can monitor up to 1 Gbps of traffic per unit. The Guard XT can be combined with other Cisco products. These include the Traffic Anomaly Detector XT, which initially detects the presence of a DDoS attack. One technique used by Cisco to stop an attack once it is detected is called rate limiting. Rate limiting identifies offending traffic and limits the amount of bandwidth a server allows it to consume, as opposed to the technique of rerouting the traffic altogether. Cisco uses other techniques as well.