DDoS attacks are a part of life in the world of the Web. You’ll never be totally immune, but there are steps you can take to mitigate any threats.
On Dec. 8, 2010, a group of hackers launched Distributed Denial of Service (DDoS) attacks against the Visa and PayPal Web servers. Another incident occurred at approximately the same time, during which hackers hit the official Web site of the Swedish government. These attacks were largely successful. All services offered by these sites were severely disrupted.
If major corporations like Visa that operate on a global level can’t prevent these attacks, can governments and government agencies stop such attacks on their Web servers? The simple answer is “no”—or, perhaps, “probably not.”
To understand why these types of attacks are so difficult to defend against, consider precisely what a DDoS attack is and how it differs from a Denial of Service (DoS) attack. Then you can consider the steps you’ll need to take to prepare and insulate your infrastructure against such attacks.
One limitation computers share is a maximum number of simultaneous connections. At any one time, there can be no more than 65,535 connections made to a Windows-based PC or server. This limitation takes on special significance because it provides the basis for a standard DoS attack.
If a hacker, or group of hackers, can sustain 65,535 concurrent sessions to a server, they’ll effectively deny that service to anyone else. No one else will be able to connect until some of those connections are dropped. Once a Web server attains that threshold, it can sustain no more connections—hence the denial of service.
Generally speaking, there are two types of DoS attacks. Some are intended to crash the system (such as the “ping of death”). Others are intended to flood the system with requests for resources (bandwidth, processor time, disk space and so on). Both are potentially devastating in their own way.
You can configure your routers to not respond to ping requests or broadcasts and to not forward packets directed to broadcast addresses. Modern IP-filtering appliances are now smart enough to mitigate these threats by dropping any ping larger than a set size. They can also be set to allow only a limited number of simultaneous connections from any single IP address.
Limiting the number of simultaneous connections per source is effective against DoS flood attacks if the limit is set low—something like five or six connections, for example. Generating enough resource requests under such a limit would require a very large number of attackers, more than could be organized into one group. Because of this, DoS hackers have had to find an alternative.
DDoS attacks let hackers get around this restriction. In a DDoS attack, the hackers aren’t sending the DoS attack from their own PC. Instead, they use a network of PCs upon which they’ve managed to place a “zombie agent.” This network of compromised PCs, known as a botnet, lets them fire off the DDoS attack. One hacker could be in control of several thousand “zombie agents,” each getting five or six connections to a Web server without the PC owner even being aware that it’s happening.
A small group of hackers, acting in concert, could easily deny access for any legitimate user or crash an entire system. Current IP-filtering technology can’t prevent these types of attacks, so is there anything we can do?
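The argument above can be checked with a small simulation. The following Python code is an added example, not part of the original article: it models a per-source connection cap and the per-host connection ceiling the article describes, replays a single-source flood and a distributed one, and reports which control fires. The addresses, the 0.8 utilization alert level and the attempt counts are constructed for the example.

```python
from collections import Counter

# Figures follow the article's argument: a 65,535-connection ceiling per host and a
# "five or six connections" cap per source IP. Addresses and the alert level are constructed.
MAX_CONNECTIONS = 65535
PER_SOURCE_LIMIT = 6
ALERT_UTILIZATION = 0.8   # assumed threshold for an aggregate-capacity alert

class ConnectionLimiter:
    """Admit a connection only if neither the per-source nor the global cap is reached."""
    def __init__(self, per_source_limit=PER_SOURCE_LIMIT, max_connections=MAX_CONNECTIONS):
        self.per_source_limit = per_source_limit
        self.max_connections = max_connections
        self.active = Counter()   # source IP -> open connections
        self.total = 0            # running count, so admit() stays O(1)

    def admit(self, src_ip):
        """Return 'ok', 'per-source-limit' or 'capacity-exhausted'."""
        if self.active[src_ip] >= self.per_source_limit:
            return "per-source-limit"        # the per-IP filter catches this
        if self.total >= self.max_connections:
            return "capacity-exhausted"      # the host itself is full
        self.active[src_ip] += 1
        self.total += 1
        return "ok"

    def capacity_alert(self):
        """Aggregate signal the per-IP rule never raises: overall utilization is high."""
        return self.total / self.max_connections >= ALERT_UTILIZATION

def run_flood(sources, attempts_per_source):
    """Replay each source's attempts, then admit one legitimate client; report all outcomes."""
    limiter, outcomes = ConnectionLimiter(), Counter()
    for src in sources:
        for _ in range(attempts_per_source):
            outcomes[limiter.admit(src)] += 1
    legit = limiter.admit("198.51.100.20")   # constructed legitimate client (TEST-NET-2)
    return {"outcomes": outcomes, "legit": legit, "alert": limiter.capacity_alert()}

def single_source_flood():
    # One source hammering the server: the per-IP cap holds it to six connections.
    return run_flood(["203.0.113.9"], 1000)

def distributed_flood(zombies=11000):
    # Many sources, each staying under the per-IP cap, still fill the host.
    return run_flood([f"10.0.{i // 256}.{i % 256}" for i in range(zombies)], PER_SOURCE_LIMIT)

if __name__ == "__main__":
    print(single_source_flood())
    print(distributed_flood())
```

In the distributed run the per-source rule never fires, yet the legitimate client is refused and only the aggregate utilization check signals the problem, which is why capacity-level monitoring matters alongside per-IP filtering.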
There are mitigating steps (along with reasons why they won’t likely work):
DDoS attacks happen. Even governments aren’t immune. In the summer of 2010, the Irish Central Applications Office server was hit by a DDoS attack. In 2009, during the Iranian elections, the official Web site of the Iranian government was attacked and made inaccessible. In 2001, the Irish Government’s Department of Finance server was hit by a DDoS attack.
There’s no foolproof method to prevent a DDoS attack at present. However, for mission-critical Web services, you need to do something—and sitting on your hands waiting for an attack is not an option. You just have to decide what the best strategy is to protect your organization.
Will Hogan is the vice president of sales and marketing for Idappcom Ltd., developers of Traffic IQ Professional.