7/12/2012 05:55 PM

How To Select A DDoS Mitigation Service

Distributed denial-of-service attacks can flare up quickly and do serious damage. Time to call in the experts?

Late last month, two members of the hacker group LulzSec pleaded guilty to launching distributed denial-of-service (DDoS) attacks against entities ranging from the state of Arizona to Nintendo to the CIA. Yet despite extensive media coverage of such attacks, chief information security officers are still surprised when their companies get hit.

This is not an unforeseeable lightning bolt from the blue, people. The cyber world is full of anonymous arsonists, and too many businesses are operating without a fire department on call. A few sprinklers won't cut it when things flare out of control. Firewalls and intrusion-prevention system appliances are no substitute for specialized DDoS backup when an attack escalates.

Proactively securing a mitigation service can be a good insurance policy--in fact, it's better than insurance, which pays off only after damage is done. That's because mitigation services are designed to prevent destruction from occurring in the first place. Not only can a mitigation service act as a deterrent--many attackers will move on to easier prey when they see an initial DDoS attack fail--but these providers have the capacity and expertise to rapidly scale DDoS countermeasures against coordinated, professional attacks. That can mean keeping your website online even under heavy bombardment.

Big And Small Companies At Risk

Denial-of-service attacks used to be something that happened to other people, those with high online visibility. Not anymore. "We've seen very small companies come to us and they can't figure out why they're under attack," says Chris Richter, VP of security products and services at Savvis. They ask, "'What have we done?'"

Blame the proliferation of prepackaged DDoS toolkits, such as the Low Orbit Ion Cannon and Dirt Jumper, for the fact that no one's safe. Like any brute-force tactic, DDoS doesn't depend on sophistication: even the most rudimentary attack, repeated with sufficient volume and frequency, can shut down a network or website. Botnets often span thousands or even millions of systems worldwide. Akamai, for example, publishes a real-time attack heat map; in early July, attack rates were almost 30% above normal, with hot spots in Delaware and Italy. Geographic dispersion, coupled with network traffic crafted to look like legitimate connections from normal users, makes DDoS attacks both extremely effective and difficult to defeat if you're not an expert with the right tools.

There are three main distributed denial-of-service categories:

>> Volumetric attacks overwhelm WAN circuits with tens of gigabits per second of meaningless traffic--so-called ICMP or UDP floods.

>> Layer 3/4 attacks abuse the network and transport protocols themselves, TCP in particular. For example, SYN floods overload network equipment by starting but never completing thousands of TCP sessions, using forged sender addresses so the traffic can't be traced or blocked by source. SYN floods now run in excess of 1 million packets per second, largely in response to the wider deployment of hardware countermeasures on firewalls and other security appliances, says Neal Quinn, COO of DDoS mitigation specialist Prolexic.

>> Layer 7 floods use HTTP GET or POST requests to overload application and Web servers. Unlike the other two categories, L7 attacks aren't anonymous: the attacking client's real IP address is exposed, because the TCP handshake must complete before an HTTP request can be sent, and a handshake can't complete from a forged source address. Attackers who use this approach consider that risk outweighed by the technique's effectiveness at much lower volumes and by its stealth: the requests are designed to look like normal Web traffic, which makes L7 attacks hard to detect.

DDoS By The Numbers
10 Maximum sentence in years on second conviction under the U.S. Computer Fraud and Abuse Act.
$5K CFAA threshold for damages to constitute a felony.
$240K Average cost, in revenue per day, of an attack for 65% of 1,000 respondents to a Neustar poll.
25% Increase in DDoS attacks for 1Q 2012 over 1Q 2011, according to Prolexic's most recent Attack Report.
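A worked illustration of the countermeasure class Quinn alludes to, added here as an example and not code from the article, Prolexic or any appliance vendor: SYN cookies, the classic stateless defence against SYN floods from forged sender addresses. The server encodes a time slot, the peer's MSS and a keyed MAC into the SYN-ACK sequence number and keeps no half-open state at all; only a final ACK that returns a valid cookie creates a connection entry, and a forged source never sends one. The secret, the MSS table, the 64-second slot size, the address ranges and the replayed traffic are all constructed for the demo, and the article does not say which countermeasure the appliances it mentions actually implement.

```python
"""SYN cookies: answer every SYN statelessly so forged-source SYN floods
cannot exhaust the half-open connection table (added example, not from the
article; the article only says appliances now deploy hardware countermeasures)."""
import hashlib
import hmac
import ipaddress
import random
import struct

SECRET = b"demo-secret-rotate-in-production"   # constructed; rotate it in real use
MSS_TABLE = [536, 1220, 1440, 1460]            # MSS values the 3-bit field can encode (assumption)
SLOT_SECONDS = 64                              # timestamp granularity inside the cookie
MAX_SLOT_AGE = 1                               # accept the current or previous slot only


def _mac24(saddr, daddr, sport, dport, slot):
    """24-bit keyed MAC over the connection 4-tuple and the time slot."""
    msg = struct.pack("!4s4sHHI", ipaddress.ip_address(saddr).packed,
                      ipaddress.ip_address(daddr).packed, sport, dport, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """ISN for the SYN-ACK: 5-bit time slot | 3-bit MSS index | 24-bit MAC."""
    slot = (now // SLOT_SECONDS) & 0x1F
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    return (slot << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, slot)


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the client's final ACK. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    if (((now // SLOT_SECONDS) & 0x1F) - slot) & 0x1F > MAX_SLOT_AGE:
        return None                                   # stale, or from a future slot
    expected = _mac24(saddr, daddr, sport, dport, slot)
    if not hmac.compare_digest(struct.pack("!I", cookie & 0xFFFFFF), struct.pack("!I", expected)):
        return None                                   # forged or guessed ACK
    return MSS_TABLE[(cookie >> 24) & 0x7]


def run_handshakes(segments, server="192.0.2.10", dport=80):
    """Replay (time, flags, src, sport, ack, mss) segments through the server.
    Only fully established connections get a table entry; SYNs allocate nothing."""
    established = {}
    stats = {"syns": 0, "half_open_entries": 0, "rejected_acks": 0}
    for now, flags, src, sport, ack, mss in segments:
        if flags == "SYN":
            stats["syns"] += 1
            make_cookie(src, server, sport, dport, mss, now)   # seq of the SYN-ACK; nothing stored
        elif flags == "ACK":
            peer_mss = check_cookie(src, server, sport, dport, ack, now)
            if peer_mss is None:
                stats["rejected_acks"] += 1
            else:
                established[(src, sport)] = peer_mss
    stats["established"] = len(established)
    return stats


def demo():
    """Constructed flood: 5,000 SYNs from forged sources that never ACK, one real
    client, one guessed ACK, and the real ACK replayed after its slot expired."""
    rng = random.Random(7)
    server, dport, client, sport = "192.0.2.10", 80, "198.51.100.7", 40000
    segs = [(1000 + i % 10, "SYN", f"203.0.113.{rng.randrange(1, 255)}",
             rng.randrange(1024, 65535), 0, 1460) for i in range(5000)]
    cookie = make_cookie(client, server, sport, dport, 1440, 1005)   # what the SYN-ACK carries
    segs += [(1005, "SYN", client, sport, 0, 1440),
             (1006, "ACK", client, sport, (cookie + 1) & 0xFFFFFFFF, 0),
             (1006, "ACK", "203.0.113.9", 5555, 0x12345678, 0),
             (1005 + 10 * SLOT_SECONDS, "ACK", client, sport, (cookie + 1) & 0xFFFFFFFF, 0)]
    return run_handshakes(segs, server, dport)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports 5,001 SYNs, zero half-open entries, one established connection and two rejected ACKs. The price of statelessness is visible in the layout: only a few MSS values and a coarse timestamp fit in 32 bits, and any TCP options the client sent on the SYN are lost, which is why real stacks enable cookies only once the backlog is under pressure.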

Our InformationWeek 2012 Strategic Security Survey shows that the increasing sophistication of threats is the most-cited reason for worry among respondents who say their orgs are more vulnerable now than in 2011, and L7 attacks are certainly sophisticated. They're also getting more common: Mark Teolis, founder and CEO of DOSarrest, a DDoS mitigation service, says 85% of the attacks his company sees have a Layer 7 component. Attackers leveraging L7 are often developers; they may do some reconnaissance on a website, looking for page requests that aren't cacheable and are very CPU-intensive--things like filling a shopping cart, searching a database, or posting a complex form.

Teolis says that a mere 2 to 3 Mbps increase in specially crafted L7 traffic can be crippling. "We've had gaming sites tell us they can handle 30,000 customers, but if 100 hit this one thing, it'll bring down the entire site," he says.

Layer 7 attacks are tough to defeat not only because the incremental traffic is minimal, but because it mimics normal user behavior. Teolis has seen attacks where an individual bot may hit a site only once or twice an hour--but there are 20,000 bots involved. Conventional network security appliances just can't handle that kind of scenario. And meanwhile, legitimate customers can't reach your site.
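To make the detection problem Teolis describes concrete, here is an added example (not code from the article or from DOSarrest) that replays constructed access-log lines in combined log format through a small analyser. It profiles each hour, compares the distinct-client count on the expensive endpoints with the previous hour, and reports the new clients together with the busiest of them, which shows why a per-IP rate limit would have stayed silent while the site went down. The endpoint list, the log lines, the 2,000-bot flood and the thresholds are all assumptions made for the demo.

```python
"""Spot a low-and-slow Layer 7 flood in web-server access logs (added example).

Constructed scenario: each bot requests an expensive, uncacheable endpoint only
once or twice an hour, so a per-IP rate limit never fires. The signal is the
jump in distinct clients on that endpoint versus the previous hour.
"""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Endpoints known to be uncacheable and CPU-heavy (assumption for this demo).
EXPENSIVE = ("/search", "/cart/add", "/checkout")


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _ = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, target.split("?", 1)[0], int(status)


def hourly_profile(lines):
    """{hour: {path: {client_ip: request_count}}}"""
    prof = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in lines:
        rec = parse(line)
        if rec:
            ip, when, _, path, _ = rec
            prof[when.replace(minute=0, second=0, microsecond=0)][path][ip] += 1
    return prof


def detect_l7_flood(lines, ratio=10.0, per_client_cap=5):
    """Flag an expensive endpoint whose distinct-client count is `ratio` times
    the previous hour's. Reports the clients that were not there before and
    how busy the busiest of them was, so you can see whether a per-IP limit
    of `per_client_cap` requests per hour would have caught any of them."""
    prof = hourly_profile(lines)
    hours = sorted(prof)
    findings = []
    for prev, cur in zip(hours, hours[1:]):
        for path, clients in prof[cur].items():
            if not path.startswith(EXPENSIVE):
                continue
            baseline = prof[prev].get(path, {})
            if len(clients) < ratio * max(len(baseline), 1):
                continue
            suspects = {ip: n for ip, n in clients.items() if ip not in baseline}
            findings.append({
                "hour": cur.isoformat(), "path": path,
                "distinct_clients": len(clients), "baseline_clients": len(baseline),
                "new_clients": len(suspects),
                "max_requests_per_new_client": max(suspects.values(), default=0),
                "per_ip_limit_would_fire": any(n > per_client_cap for n in suspects.values()),
                "suspects": sorted(suspects),   # the list you hand to the mitigation provider
            })
    return findings


def sample_log(flood=True):
    """Two hours of constructed traffic: 40 regular visitors each hour, plus
    (if flood) 2,000 bots in the second hour, each hitting /search 1-2 times."""
    rng = random.Random(2012)
    t0 = datetime(2012, 7, 12, 13, 0, tzinfo=timezone.utc)

    def line(ip, t, target):
        return (f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {target} HTTP/1.1" '
                f'200 4096 "-" "Mozilla/5.0"')

    def at(hour):
        return t0 + timedelta(hours=hour, seconds=rng.randrange(3600))

    lines = []
    for hour in (0, 1):
        for i in range(1, 41):
            ip = f"198.51.100.{i}"
            for _ in range(rng.randrange(3, 6)):           # 3-5 cheap page views
                lines.append(line(ip, at(hour), rng.choice(["/", "/static/app.js", "/product/42"])))
            for _ in range(rng.randrange(0, 3)):           # 0-2 searches per visitor
                lines.append(line(ip, at(hour), "/search?q=shoes"))
    if flood:
        for i in range(2000):
            ip = f"100.{i // 256}.{i % 256}.{rng.randrange(1, 254)}"   # 2,000 distinct bots
            for _ in range(rng.randrange(1, 3)):           # 1-2 hits each
                lines.append(line(ip, at(1), f"/search?q={rng.randrange(10**6)}"))
    return lines


if __name__ == "__main__":
    for f in detect_l7_flood(sample_log()):
        print({k: v for k, v in f.items() if k != "suspects"}, "suspects:", len(f["suspects"]))
```

The one finding is for /search in the second hour: roughly 2,000 new clients, none of which made more than two requests, so `per_ip_limit_would_fire` is false. Static assets never appear because the check is restricted to the endpoints you already know are expensive; in practice that list comes from the same reconnaissance the attacker does, so build it before the attack, not during it.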



Kurt Marko is an InformationWeek and Network Computing contributor and IT industry veteran, pursuing his passion for communications after a varied career that has spanned virtually the entire high-tech food chain from chips to systems. Upon graduating from Stanford University ...

Page 1 of 4
Comments
MarkSitkowski, User Rank: Moderator, 4/5/2013 | 5:20:48 AM
re: How To Select A DDoS Mitigation Service
DNS queries/replies come in/go out on UDP port 80.
Here's what we do in the firewall:
block in on e1000g0 proto udp all
pass in on e1000g0 proto udp from our.dns.server1/32
pass in on e1000g0 proto udp from our.dns.server2/32
etc
pass in on e1000g0 proto udp from our.xdmcp.client/32
P.S., User Rank: Apprentice, 12/26/2012 | 3:22:55 PM
re: How To Select A DDoS Mitigation Service
Read this explanation about iptables DDoS protection: http://www.incapsula.com/ddos/...
They say that it's not advised, but it works as long as you don't care about blocking some legit users.