Distributed denial-of-service (DDoS) attacks first made the news in December of 1999 with the release of the botnet-based DDoS toolkit called trin00. Toolkits continue to evolve, but the core approach remains the same: muster dozens, hundreds or thousands of geographically dispersed hosts to bombard servers with bogus requests until they are too overwhelmed to answer legitimate ones. Since the attack type was born, vendors have been trying to develop products that effectively thwart DDoS.
DDoS is difficult to defend against for at least three reasons.
First, there is no vulnerability to exploit. The attack succeeds because every computing platform has a finite capacity to serve requests. Computers, clusters and the cloud all have physical limits on how many requests they can respond to at a given time. A successful DDoS only needs to generate enough traffic to exceed that limit. Many other attack vectors can be protected against through patching, security configuration or policy change. None of these approaches can be used for DDoS prevention. A service need only be made available for it to be vulnerable to attack.
The second issue is that DDoS attacks are difficult to block. There are many different attack sources, so the first problem is blocking a long list of attacker IP addresses effectively. Potentially thousands of addresses would need to be temporarily added to a blacklist to stop the attack. If an attacker crafts requests to the server posing as a legitimate host (spoofing), the blacklisting may deny service to valid users.
This brings us to the third challenge: it is difficult to sift through which users are making valid requests and which are participating in the DDoS. Since all computers accessing a service create load on the server, they are all contributing to the denial of service. Careful inspection is necessary to determine whether a client host is legitimate or hostile, and a lot of calculation needs to be done quickly before any decisions can be made.
The recent bout of DDoS attacks has left managers scratching their heads as to why DDoS prevention mechanisms failed to work. In my last blog entry, I discussed the importance of surveillance in conjunction with enforcement. DDoS is no different. No matter how sound a protection mechanism is, if attackers are given an indefinite amount of time to breach it, they will succeed.
Attackers are becoming better funded and more sophisticated than ever before. They are able to purchase the same enforcement/prevention mechanisms in place within enterprises and begin crafting circumvention techniques to thwart them. Distribution channels and botnets make it easy to deploy advanced DDoS toolkits quickly. The role of surveillance becomes critical in understanding how attackers were able to succeed.
Lancope’s StealthWatch System is an industry-leading, network-based anomaly detection system. StealthWatch builds baselines of normal traffic for every network host, for groups of hosts and for the relationships between hosts. This approach allows StealthWatch to provide alarms for the following DDoS-related conditions:
DDoS is one of the few attack types that an organization without proper network surveillance will actually know about (as customers call to complain). However, without intelligent network monitoring, responding to the event becomes nearly impossible. DDoS is a concerning type of attack that continues to cripple organizations. The continued evolution of DDoS toolsets and their wide distribution through hacktivists and botnet-controlled machines requires not only mitigation solutions, but also network visibility that can make sense out of the fog that rises during a denial-of-service attack.
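To make the baseline approach described above concrete, and to show how the third challenge (telling legitimate clients from flood participants) and the second (whether a blocklist would even help) can be framed as measurements, here is an added example. It is not Lancope or StealthWatch code. It assumes flow records with a timestamp, source, destination and a half-open flag, fixed 60-second windows, a z-score threshold of 3, and constructed addresses and traffic; all of those are assumptions made for the example.

```python
"""Baseline-driven DDoS detection over constructed flow records.

Added example, not Lancope or StealthWatch code. It learns what "normal"
looks like per server from a known-good period, alarms on windows that
deviate from it, and reports how concentrated the offending traffic is.
All hosts, addresses and record formats are constructed for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW = 60  # seconds per measurement window (assumption for this example)


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since start of capture (constructed)
    src: str        # client address
    dst: str        # server address
    syn_only: bool  # SYN seen, handshake never completed (half-open)


def bucket(flows, window=WINDOW):
    """Group flows by (window index, destination server)."""
    out = defaultdict(list)
    for f in flows:
        out[(f.ts // window, f.dst)].append(f)
    return out


def features(fl):
    """Counts a flood inflates: total flows, distinct sources, half-open connections."""
    return {
        "flows": len(fl),
        "unique_src": len({f.src for f in fl}),
        "half_open": sum(1 for f in fl if f.syn_only),
    }


def build_baseline(training, window=WINDOW):
    """Per-server (mean, std dev) of each feature learned from a known-good period."""
    samples = defaultdict(lambda: defaultdict(list))
    for (_, dst), fl in bucket(training, window).items():
        for k, v in features(fl).items():
            samples[dst][k].append(v)
    return {dst: {k: (mean(v), pstdev(v)) for k, v in feats.items()}
            for dst, feats in samples.items()}


def top_share(fl, n=10):
    """Fraction of a window's flows that come from its n busiest sources.

    Near 1.0 means a handful of clients dominate and a short blocklist would
    work; near 0.0 means the load is spread across many sources, which is the
    case where blocklisting does not scale.
    """
    counts = Counter(f.src for f in fl)
    return sum(c for _, c in counts.most_common(n)) / len(fl) if fl else 0.0


def detect(live, baseline, z_threshold=3.0, window=WINDOW):
    """Alarm on any window whose feature exceeds baseline mean + z_threshold * std.

    The std floor of 1.0 stops a perfectly flat baseline from alarming on noise.
    """
    alarms = []
    for (w, dst), fl in sorted(bucket(live, window).items()):
        if dst not in baseline:
            continue  # no learned normal for this server; nothing to compare against
        obs = features(fl)
        for k, (mu, sigma) in baseline[dst].items():
            z = (obs[k] - mu) / max(sigma, 1.0)
            if z > z_threshold:
                alarms.append({"window": w, "dst": dst, "feature": k,
                               "observed": obs[k], "baseline_mean": round(mu, 1),
                               "z": round(z, 1), "top10_share": round(top_share(fl), 3)})
    return alarms


SERVER = "10.0.0.5"  # constructed server address


def _normal_window(w, n_flows, n_src, n_half_open):
    """Constructed quiet minute: n_flows flows from n_src clients, a few half-open."""
    return [Flow(ts=w * WINDOW + (j % WINDOW), src=f"192.0.2.{j % n_src}",
                 dst=SERVER, syn_only=j < n_half_open) for j in range(n_flows)]


# Constructed training data: ten quiet minutes with mild variation.
TRAINING = [f for w in range(10)
            for f in _normal_window(w, 18 + w % 5, 6 + w % 3, w % 2)]

# Constructed live data: one quiet minute, then a minute of a SYN flood from
# 400 distinct sources where most flows never complete the handshake.
LIVE = _normal_window(0, 20, 7, 1) + [
    Flow(ts=WINDOW + (j % WINDOW), src=f"198.51.{j % 400 // 256}.{j % 400 % 256}",
         dst=SERVER, syn_only=j < 450) for j in range(500)]

BASELINE = build_baseline(TRAINING)
ALARMS = detect(LIVE, BASELINE)

if __name__ == "__main__":
    for a in ALARMS:
        print(a)
```

Run as a script, it prints three alarms for the flood minute (flow count, distinct sources and half-open connections all far above baseline) and none for the quiet minute. The `top10_share` of 0.04 on the flood window is the point of the second challenge in numbers: the ten busiest sources account for four percent of the load, so no short blocklist would relieve the server. Each alarm is an anomaly against a learned baseline, not a signature, which is why this kind of monitoring can see a flood that has no vulnerability to match against.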