DDoS Attack and Its Defense

Transcription

1 DDoS Attack and Its Defense 1 DDoS attacks are weapons of mass disruption. The DDoS attack has long been a big main threat to security of the Internet. It is not expensive and easy to be used for achieving goals; thus it is very popular in attackers. So either an Internet corporation or traditional corporation, they are facing the threat of DDoS attacks once they are doing business on the Internet. The report of survey for Q1 of 2012 from Neustar, a world-famous analysis agency, stated that almost one third of corporations have suffered DDoS attacks and almost half of corporations lost over 10 thousand Dollars per hour when their businesses were interrupted. The retail industry suffered the most, with 67 percent of corporations lost over 100 thousand Dollars per hour. Figure-1 Ratio of industry victims under DDoS attacks 1 2 The motives of launching DDoS attacks are publicity and Profit. DDoS attacks are driven by the motives of publicity and Profit. Publicity means the black hats (indicating attackers who intend to launch destructive activities) create incidents to socially-influenced corporations and organizations through DDoS attacks for declaring where they stand on a point or showing off their abilities. These incidents with this kind of motive always attract the public s attentions and are reported by major news services. Take the Iran s cyber battle in 2009 as the example. The opposition supporters launched a series of DDoS attacks to many websites supporting Nejad, Iranian s president websites and other Tehran regime s government websites. There is another example: in December 2012, the Anonymous avenged PayPal, 1 Neustar Insights: DDoS Survey Q1 2012, When Businesses Go Dark. Neustar, 2012

2 MasterCard, Visa, and several e-banking websites that have cut off services to WikiLeaks by overloading them with DDoS attacks to express their sympathy to the WikiLeaks. Profit indicates profit-driven attacks like racketeering. Most DDoS attacks launched for racketeering are unknown to the public, unless they bring very severe results. The criminal syndicate uses DDoS attacks to obtain commissions (by attacking websites of the hire s competitors), extort money from victims, or blackmail the victims into giving up advertising proxy. Figure-2 Attack motives 3 It s a long battle between DDoS attacks and DDoS defense. The source of DDoS attacks is hard to be eradicated. Because DDoS attacks technically exploit the inherent and extremely concealed bugs of the Internet, most of attacks sources are hard to be traced relying on techniques. Even the attacker exposed his identity in racketeering, for example, it is also very hard to locate the real attack sources and stop the DDoS attack. From the view of deployment, DDoS attacks are also not easy to trace. Generally, the deployment of DDoS attacks is divided into three layers: attacker s host, controllers (the hosts controlled by the attacker), and the attack zombies. The attacker sends attack directives to the controllers and the controllers forward the directives to the attack zombies. As shown in the figure below we can see that to find the attacker s IP address and geo-location needs to trace three levels. But in the real environments, the controllers and the attack zombies are located in different places, even in different countries. That is nearly impossible to find out the DDoS sources.

3 Figuer-3 DDoS attack process The anti-tracing function in DoS tools makes attack sources more difficult to be traced. First of all, 70 percent of DDoS attacks exploit fake source IP addresses, with which it is impossible to find the attack zombies. Then, Fast-Flux Service Networks (FFSN) is widely used in DDoS tools, making the controllers and the attack zombies connected very shortly. The attack zombies replace the controllers in every several milliseconds; thus it is hard to trace the controllers. Finally, because the attacker uses anonymous proxy to connect the controllers, it is also very hard to locate the attacker s host. Anyway, the concealing characteristic in DDoS attack tools greatly increases the difficulty in finding hackers. The DDoS attacks cannot be eradicated in a short time and there must be a long battle between DDoS attacks and DDoS defense. 4 The key factor to win the battle between DDoS attacks and defense is the operators. In the battle between DDoS attacks and DDoS defense, what the corporation is facing is not a pile of DDoS attack packets, neither DDoS attack tools, but the operators controlling the DDoS attacks. That is to say, it s the people who are the main part in the battle. The prevention capability on the target-side of a DDoS attack determines who will be the winner in the battle. That s why we say the operator is the most important factor. In a DDoS attack, the first thing we should do is to know the attack method, namely, which its target is and what type the attack is. Different attack methods determine different signatures in attack traffic; thus we can find proper prevention solutions. For example, the common Syn Flood is the attack targeting servers. It is always used to exhaust connection resources of servers so as to cause the intended access unable to be connected with the server. For this kind of attacks, the countermeasure is usually to set the SynCookie. UDP Flood and Ping Flood are always used to congest the bandwidth, making the intended access unable to reach the server. Access Control List (ACL) is the common countermeasure to these attacks. Besides the proper countermeasures, a prevention operator should provide right solutions and quick installation after having identified the DDoS targets and attack types. In short, good security operation staffs in a corporation should have the following knowledge and skills:

4 Closely following up types, characteristics and prevention methods of DDoS attacks; Good expertise in the use of traffic analysis tools and good knowledge on recognizing attack signatures (for example, signatures of captured packets ); Good knowledge on the protected business structure and its network deployment; Good expertise in operating DDoS prevention devices. 5 Stop DDoS attacks before they stop you. If we want to reduce the losses brought by DDoS attacks to the minimal, it is not enough to prepare the countermeasures when they are coming, but we should get prepared to prevent them when they are still the potentials. The first thing we should do is to evaluate the probability of a DDoS attack and the potential losses might bring by it. Based on the assessment results we make a reasonable budget for the protection. Here we adopt a model recommended by Yankee, an international authority: Losses = turnover loss + brand loss + costs for wasted resources Take the e-business as an example. If the turnover of an e-business corporation is USD 365 million in a year, averagely USD 1 million each day, the loss in business interruption caused by the DDoS attacks will be USD 1 million. If the average total gross is 30 percent and the operation cost for one day is USD 700 thousand, the costs for wasted resources will be USD 700 thousand. If the business interruption affects the brand and lead to 2 orders lost, the brand loss will be USD 730 thousand. That is to say, the DDoS attack may cause about UDS 2.43 million lost. After the risk assessment and budget plan, the next thing we should do is to identify the critical targets we need to protect. This is very important in DDoS attacks prevention. We should clear the core assets related to the business, such as the billing server, login server, DNS server, and bandwidth. Prepare corresponding prevention solutions according to attack types these targets might face in advance. Based on the feedback from technical support department in responding DDoS attacks in the past two years, we found that the following types of DDoS attacks can be the reference in prevention: Attacks targeting servers: HTTP Get attacks, SYN Flood attacks, and Connection Flood attacks; Attacks targeting DNS: DNS Query Flood; Attacks targeting bandwidth: UDP Flood and ICMP Flood. 6 Security prevention services will be a popular option. As the cloud computing is widely used in many applications, more and more security corporations will launch their SaaS-based security services. Some security vendors and telecom carriers have begun to provide managed DDoS protection services and solutions for corporations. Different from the traditional DDoS protection products, the managed DDoS protection service or solution delivers not only a DDoS protection tool, but also the capability of preventing DDoS attacks. This kind of service or solution will help corporations prevent DDoS attacks faster and more efficiently. We believe that more corporations will choose the managed DDoS protection service in future.

5 For more information For more information about products and services, please contact the sales For more information visit Website: is the trademark of Information Technology Co., Ltd. enjoys all copyrights with respect to all textual narrations, document formats, illustrations, photographs, methods, processes and other contents, unless otherwise specified, which shall be governed by relevant property rights and copyright laws. Without written permission of, any individual or institution shall be prohibited to copy or quote any section herein in any way. About APAC is a proven global leader in active U.S. perimeter network security for service Japan providers, data centers, and corporations. It focuses on providing TEL: network security 6638 solutions including: carrier-grade Anti-DDoS System, Web [email protected] Application Firewall, and Network Intrusion Prevention System - all designed to help customers secure their networks and corporate-critical information. More detailed information is available at