Vulnerabilities / Threats
2/7/2012
01:53 PM
50%
50%

10 Strategies To Fight Anonymous DDoS Attacks

Preventing distributed denial of service attacks may be impossible. But with advance planning, they can be mitigated and stopped. Learn where to begin.

4. Secure potential bottlenecks.
Which parts of the corporate network can become a bottleneck or weak link in a DDoS attack? A survey by Radware of 135 people with information security expertise--including IT managers as well as CIOs and CISOs--found that the bottlenecks they'd experienced included the server under attack (for 30%), their Internet pipe (27%), a firewall (24%), an intrusion prevention or detection system (8%), a SQL server (5%), or a load balancer (4%). For example, Sergey Shekyan, a Web application vulnerability scanner developer at Qualys, reported that he was able to DDoS a Squid proxy server using the free slowhttptest tool with slow read DDoS attack support. That's because while the server was theoretically able to handle 60,000 concurrent connections per minute, it had been misconfigured to only allow 1,024 open file descriptors at a time.

5. Watch what's happening on the network.
If prevention--including securing infrastructure and making sure it can reasonably scale to handle sharp increases in packet traffic--is the first step, the second is actively monitoring the network. "If the enterprise doesn't have visibility into their network traffic so they can exert control over the traffic, then they have a problem," said Dobbins.

6. Look beyond large attacks.
Historically, the most popular type of DDoS attack--and the one most used by Anonymous--has been a packet flood. The concept is simple: direct so many packets at a website that its servers buckle under the pressure. But not all effective DDoS attacks unload untold numbers of packets. Notably, a study by Radware of 40 DDoS attacks from 2011 found that only 9% involved more than 10 Gbps of bandwidth, while 76% involved less than 1 Gbps.

7. Beware application-layer attacks.
Attacks that eschew packet quantity for taking out a switch or application can unfortunately be quite difficult to detect. According to Radware's report, "it is much easier to detect and block a network flood attack--which is about sending a large volume of irrelevant traffic such as UDP floods, SYN floods, and TCP floods, typically spoofed--rather than an application flood attack where the attackers are using real IP addresses from real machines and running complete application transactions."

8. Watch for blended attacks.
Detection can get even trickier when attackers start targeting more than one application at a time, perhaps together with a packet flood. "Attackers are often likely to combine both packet flooding attacks with application-layer DDoS, to increase their odds of success," according to the Radware report. "The majority of organizations, which are targeted by sub-1-Gbps attacks, are targeted with a mix of network and application flood attacks."

9. Make upstream friends.
Large attacks can overwhelm even the largest enterprise network. "Work very closely with [your] Internet service provider--or for multinationals, providers--to successfully deal with these attacks," said Arbor's Dobbins. Build relationships and lines of communication in advance. "At 4 a.m., if there is a DDoS attack, it's not the time you want to be scrambling around trying to reconfigure your infrastructure, and finding who call at your ISP," he said.

10. Consider countermeasures.
While the legality of certain types of attack countermeasures is an open question, Radware said that network gear may be able to automatically mitigate suspected DDoS attacks. For example, it can silently drop questionable packets, or send a TCP reply to the attacker that advertises "window size equals 0," which says that for the time being, no new data can be received. "Legitimate clients generally respect this and will suspend their communication for the time being," according to Radware's report. "It seems that some attackers also honor this message and suspend the attack until a new, larger window size is advertised, which of course the site being attacked has no intention of doing."

It's no longer a matter of if you get hacked, but when. In this special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, Dark Reading takes a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DrRo
50%
50%
DrRo,
User Rank: Apprentice
3/16/2015 | 12:18:46 PM
Re: No real information
I would like to point out that YOU came to THIS article 2 YEARS after it was posted. In the IT field, it's pretty much Rule-of-Thumb that unless it was posted today it most likely isn't relevant. The fault here isn't as much with the author as it is with you. Yes he provided some AMAZINGLY useless information. I mean seriously he named this article "10 Strategies to fight Anonymous DDoS Attacks" and then rode Anonymous's d*** for the entire thing and gave us no actualy strategy to actually fight these attacks. Considering all of that, I still think your comment was stupid and needless since you completely ignored the date it was published.

Let's hope you put more thought into your work than you do your commenting.
socratessaysno
50%
50%
socratessaysno,
User Rank: Apprentice
12/13/2014 | 2:20:24 AM
No real information
From what I've seen, the article did absolutely NOTHING on actually providing any worthwhile or relevent information beyond failing horribly at trying to sound helpful.


After reading the comments, this website should fire the author of this article and fill it in with the comments. Going to try a few of them out on myself and see which ones I like best. The commenters were more helpful than this garbage article. I didn't realize we needed to be told how to use common sense.
Ogara7
50%
50%
Ogara7,
User Rank: Apprentice
2/2/2014 | 4:13:13 AM
re: 10 Strategies To Fight Anonymous DDoS Attacks
My friend got a guy to dodos my minecraft server too... I managed to talk to him nd calm the situation down but I'm still concerned. My PC is 4 years old! It will never survive!
KyleT412
50%
50%
KyleT412,
User Rank: Apprentice
7/21/2013 | 5:44:20 AM
re: 10 Strategies To Fight Anonymous DDoS Attacks
I need a trick FAST. Apparently Anon is going to DdoS me on Monday D:. I own a minecraft server and they came on and fucked it up so i DdoSed him for 5mins. He said they will DdoS me and fry my router OR I have to pay them $800. And im 14 soooo ya.
seoarcher
50%
50%
seoarcher,
User Rank: Apprentice
1/26/2013 | 4:18:43 AM
re: 10 Strategies To Fight Anonymous DDoS Attacks
I also forgot to mention it is running php on a windows machine co .htaccess blocking will not work. I post some info here also http://www.seoarcher.com .
seoarcher
50%
50%
seoarcher,
User Rank: Apprentice
1/26/2013 | 4:14:59 AM
re: 10 Strategies To Fight Anonymous DDoS Attacks
My http://www.seoarcher.com website is suffering badly by a DoS attack. The user is changing ips daily so its hard to stop. Any help . pleasee...
jeandebogue
50%
50%
jeandebogue,
User Rank: Apprentice
11/28/2012 | 6:04:55 PM
re: 10 Strategies To Fight Anonymous DDoS Attacks
It's because there is a trick to block the traffic before it reaches you. In fact there are more than just 1 trick.

If you are curious let me know and I'll let you know what it is.
Juffe
50%
50%
Juffe,
User Rank: Apprentice
10/3/2012 | 9:46:46 AM
re: 10 Strategies To Fight Anonymous DDoS Attacks
You should also keep a close eye on the security logs for unknown username / password login attempts since they also consume CPU / RAM to manage.. When it comes to Windows servers I personally recommend having a look at Syspeace ( http://www.syspeace.com ) and for Linux fail2ban. Also consider redirecting 404 and 403 errors on webservers to somewhere else, to Google or 127.0.0.1 or something ..
davesg
50%
50%
davesg,
User Rank: Apprentice
2/8/2012 | 7:38:55 PM
re: 10 Strategies To Fight Anonymous DDoS Attacks
IMO most of this is fluff. If the bandwidth of a targetted DOS attack is larger than the pipe it is unstoppable. Really one of the things you mentioned, being friends with your upstream, and your upstreams pipe being bigger than the DOS attacks capacity is the only thing that will help you.
virtual
50%
50%
virtual,
User Rank: Apprentice
2/8/2012 | 5:55:13 PM
re: 10 Strategies To Fight Anonymous DDoS Attacks
There are other steps that companies and the government can take to stop hackers from breaking into networks, even the Chinese hackers.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report