“Distributed denial of service” (DDoS) is a generic term for any attack that works by exhausting a victim server’s computing capacity, memory, or bandwidth. DDoS attacks are among the toughest types of attacks to mitigate because every request that is part of the attack is itself a genuine request; it is the sheer volume of requests that causes the victim network to run out of resources and stop handling any requests at all.
In the context of recent attacks on enterprise networks, the term DDoS is used very loosely and broadly. DDoS can happen at multiple levels:
- It can attack bandwidth with hundreds of gigabytes of bogus traffic that chokes the network so that legitimate traffic is blocked.
- It can exhaust the capacity of routers and switches that serve the network.
- It can overwhelm the state table of the firewalls that protect your enterprise.
Every so often you find an enterprise that is planning for the “future” by over-provisioning resources but forgets that attacks are getting more sophisticated too. This is a very myopic way of addressing the problem. As soon as you are done adding more bandwidth and larger pipes to your network, you stumble onto the real weakest link, which may be the application layer itself.
Perfect examples of this would be a web server that returns pages in response to URL requests, or (even harder to detect) the DNS server that actually lets people find you on the network. From the hacker’s point of view, the best thing about application-layer attacks is that they can be smaller than generic DDoS attacks, which require the attacker to transmit several gigabytes of attack traffic. So you need specific strategies to protect against specific kinds of attack.
Jeffrey Lyon gives this excellent advice in his article, “5 DDoS defence strategies every company should know.”
Learn which attacks can be defeated with which solutions.
In order to combat increasingly sophisticated DDoS attacks, your company needs to learn what methods attackers are embracing today and continually research the most effective tools and services for addressing them. For example, you can defeat OSI model Layer 3 and 4 attacks at the network and service layers with access control lists (ACLs), policies and commercially available DDoS mitigation solutions. On the other hand, you’ll need inspection by proxy to identify and fight Layer 7 attacks.
I would add this further piece of advice: Get inside your DNS servers and protect them from within.
DNS is a very attractive target for malicious parties launching DDoS attacks. Once they bring your DNS service down, they’ve brought your business to a standstill because no one can find you.
While web proxies and web application firewalls do a semi-decent job against web-based DDoS, there is really no equivalent technology on the DNS side. Granted, some modern firewalls do some protocol analysis and deep-packet inspection, but that is also the primary reason they tip over under a DNS amplification attack. A single amplification attack request can generate from 70 to 100 responses, so a wave of them can instantaneously exhaust your firewall’s state table, bringing down your entire connectivity to the Internet.
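As an added illustration (not code from the original post), the following Python sketch shows the defender-side check a DNS-aware monitor at the network edge could make: match inbound answers to the outbound queries that asked for them, then flag external peers whose traffic is mostly unsolicited answers, or far larger than anything we sent, which is exactly the traffic that fills a stateful firewall’s table during an amplification attack. The flow records, peer addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of DNS flow records as seen at the network edge.
# Each tuple: (direction, external_peer, txid, is_response, payload_bytes)
# "out" = packet left our network, "in" = packet arrived from the Internet.
SAMPLE_FLOWS = [
    ("out", "192.0.2.53", 0x1A2B, False, 60),   # normal query to our forwarder
    ("in",  "192.0.2.53", 0x1A2B, True,  180),  # its matching answer
    ("out", "192.0.2.53", 0x1A2C, False, 58),
    ("in",  "192.0.2.53", 0x1A2C, True,  210),
] + [
    # reflected amplification: large answers to queries we never sent
    ("in", "198.51.100.7", 0x4000 + i, True, 3100) for i in range(8)
]

def summarise(flows):
    """Match inbound responses to outbound queries by (peer, txid);
    an answer with no matching outstanding query counts as unsolicited."""
    pending = set()
    stats = defaultdict(lambda: {"queries": 0, "solicited": 0,
                                 "unsolicited": 0, "bytes_out": 0, "bytes_in": 0})
    for direction, peer, txid, is_response, size in flows:
        s = stats[peer]
        if direction == "out" and not is_response:
            pending.add((peer, txid))
            s["queries"] += 1
            s["bytes_out"] += size
        elif direction == "in" and is_response:
            s["bytes_in"] += size
            if (peer, txid) in pending:
                pending.discard((peer, txid))
                s["solicited"] += 1
            else:
                s["unsolicited"] += 1
    return dict(stats)

def flag_reflectors(stats, min_unsolicited=5, max_amp_ratio=10.0):
    """Peers whose traffic looks like reflected/amplified DNS: many
    unsolicited answers, or far more bytes arriving than we sent out."""
    flagged = []
    for peer, s in stats.items():
        ratio = s["bytes_in"] / s["bytes_out"] if s["bytes_out"] else float("inf")
        if s["unsolicited"] >= min_unsolicited or (s["bytes_in"] and ratio > max_amp_ratio):
            flagged.append(peer)
    return sorted(flagged)

if __name__ == "__main__":
    st = summarise(SAMPLE_FLOWS)
    for peer in flag_reflectors(st):
        print(peer, st[peer])
```

In a real deployment the same matching would be fed from packet captures or resolver logs, and a flagged peer would be rate-limited or dropped before it reaches the firewall’s state table rather than merely printed.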
The best place to thwart application-layer DDoS attacks is in the applications themselves. Think of a DNS server that can protect itself when under attack.
Stay tuned for Part 2: DNS meets DDoS, and the rest, as they say, is history.