10/14/2009
05:41 PM
DIY: Defending Against A DDoS Attack

Proactive self-defense can make DDoS attacks less painful and damaging

There's no way to prevent a distributed denial-of-service (DDoS) attack, but there are some do-it-yourself techniques and strategies for fighting back and minimizing its impact.

DDoS victims can "tarpit," or force the attacking bot to drastically scale back its payload, enlist the help of the botnet hunter community, or even get help to wrest control of the botnet. Joe Stewart, a researcher with SecureWorks' Counter Threat Unit, says these self-defense techniques are little known or used today by victims of DDoS attacks, but they offer an alternative to purchasing a commercial DDoS product or service and working with ISPs to try to stop an attack.

"You can't prevent someone from launching the attack, but you can do a better job at mitigating it through technical measures," Stewart says. Tarpitting doesn't work in every case, he says, but it's easy to deploy and doesn't cost anything.

"Just being able to respond better to these attacks is something that requires relationship-building with people who have pieces of the puzzle," such as the research community, he says.

Tarpitting works against HTTP-based attacks, which researchers say make up the majority of DDoS attacks today. HTTP-based DDoS attacks are often more effective than SYN flood DDoS attacks, and it's easier to max out the Web server's connections or CPU/memory than to overload the pipe with a SYN flood, experts say.

The tarpit method works with TCP/IP features embedded in Linux, namely the NetFilter feature, according to Stewart, and can be used with a Windows server with the help of a tarpit toolkit, such as LaBrea. Tarpitting basically forces the bot to send the victim's server less traffic. "You use it to say to the attacker, 'I'm so congested that you can't send me any more than 1 byte before I respond to you,' for instance," Stewart says. "The attacker gets in a loop trying to send 1 byte and waiting for a response [he] never gets."
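As an added illustration of the mechanism Stewart describes (this is not code from the article, from SecureWorks, or from LaBrea), the following Python script builds a toy tarpit on loopback: the listening socket pins its receive buffer at the smallest size the OS allows and never reads from accepted connections, so once that buffer fills the kernel advertises a zero TCP window and the "bot" stalls in persist mode, probing for a window that never reopens. The flooding client and its HTTP-looking payload are constructed for the demo, and the buffer sizes (`TINY_RCVBUF`, `CLIENT_SNDBUF`, `FLOOD_BYTES`) are assumptions chosen so the stall shows up in about a second.

```python
"""Toy TCP tarpit on loopback (constructed example, not the article's code).

A tarpit keeps the attacker's connection open but starves it of receive
window, so the attacker sits waiting instead of pushing requests through.
This user-space approximation pins the server socket's receive buffer to
the minimum the OS allows and never reads from accepted connections.
"""
import socket
import threading
import time

# Assumed sizes, kept small so the effect shows up quickly.
TINY_RCVBUF = 1024             # the kernel rounds this up to its floor
CLIENT_SNDBUF = 8192           # the "bot's" own send buffer
FLOOD_BYTES = 4 * 1024 * 1024  # what the "bot" would like to push


def start_tarpit(host="127.0.0.1", port=0):
    """Listen with a tiny receive buffer; accept connections, never read them.

    Returns (server_socket, bound_port, held_connections). Accepted sockets
    are parked in the list so they stay open; closing one would release the bot.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Must be set before listen(): accepted sockets inherit the value and
    # receive-buffer autotuning is switched off for them.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, TINY_RCVBUF)
    srv.bind((host, port))
    srv.listen(16)
    held = []

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by the caller
                return
            held.append(conn)  # park it; no recv() ever happens

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1], held


def flood(port, payload_len=FLOOD_BYTES, deadline_s=1.0, host="127.0.0.1"):
    """Simulate one bot trying to push payload_len bytes; return bytes accepted.

    Non-blocking sends stop making progress as soon as the local send buffer
    is full and the peer advertises no window, which is the stall a tarpit
    produces. The deadline only bounds how long the demo waits.
    """
    bot = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bot.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, CLIENT_SNDBUF)
    bot.connect((host, port))
    bot.setblocking(False)
    # Constructed request burst standing in for an HTTP flood.
    chunk = b"GET /flood HTTP/1.1\r\nHost: victim.example\r\n\r\n" * 64
    sent = 0
    stop = time.monotonic() + deadline_s
    while sent < payload_len and time.monotonic() < stop:
        try:
            sent += bot.send(chunk[: payload_len - sent])
        except BlockingIOError:
            time.sleep(0.01)  # window still closed; the bot just waits
    bot.close()
    return sent


def demo():
    """Run the tarpit against one flooding client and report bytes it got through."""
    srv, port, held = start_tarpit()
    try:
        return flood(port)
    finally:
        srv.close()
        for conn in held:
            conn.close()


if __name__ == "__main__":
    got = demo()
    print(f"bot managed {got} of {FLOOD_BYTES} bytes before stalling")
```

`demo()` returns how many bytes the flooding client managed to push before it stalled: roughly the two socket buffers combined, far short of the 4 MB it wanted, while the server spent no CPU on it. Production tarpits such as LaBrea, or the TARPIT target that xtables-addons provides for netfilter on Linux, do the same thing at the packet level without holding a real socket per connection, which is what keeps them cheap against thousands of bots. Because the trick works on any client that connects, it also stalls a legitimate user whose infected machine is part of the botnet, the tradeoff the article raises.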

And unless the botnet operator is closely monitoring his bots, he won't notice the slowdown. The only clue that the DDoS attack was foiled? Its target didn't go down as the attacker had expected, Stewart says.

Stewart says when he tested tarpitting against an attack bot, he found another interesting side effect of the defense method: One bot's CPU hit 100 percent, rendering the system unusable. "It almost reflected the DDoS attack back onto them. In their attempt to maintain all these connections and retries, it started using up all the CPU time on the system," Stewart says.

Jose Nazario, manager of security research for Arbor, says he sees few DDoS victims using these techniques today. "Unfortunately, it's pretty rare. It's valuable," he says. "The [tradeoff] is that it can have a negative impact on legitimate PC users [who are bot-infected]. After a while, they can't make any requests at all."

The safest defense against DDoS attacks is to recruit the help of researchers with expertise in botnets. Stewart recommends IT security teams get out and meet their peers and researchers and attend ISSA and InfraGard meetings, for instance. The key is getting help in tracking down the offending botnet's command and control (C&C) servers, he says. "It could be something as simple as getting a hosting provider to take down a C&C by providing them proof that a host [using their service] was attacking you," he says.

And there are some researchers willing to venture into a grey legal area and actually go in and take over a botnet, he says. "Gaining unauthorized access to an infected computer is not something [SecureWorks] would do here," he says. "But there are some other researchers who've shown they are willing to take over botnets and issue them commands. If you're under attack, it's a kind of self-preservation."

Stewart says C&C servers are often vulnerable themselves to common Web attacks, like cross-site scripting and SQL injection. "They are usually sloppily programmed," he says. "And you can get a lot of knowledge from a SQL injection [vulnerability] in their script. But legally, this is probably not a good idea."

Meanwhile, some security experts like HD Moore have used more aggressive methods to fight a DDoS attack. Moore, creator of Metasploit, had a little fun at his DDoS attackers' expense earlier this year, turning the tables on the botnet that hammered away at Metasploit's servers. Moore changed his DNS entries in an attempt to evade the attackers, and also tried using Google Sites' Web hosting to mitigate the DDoS, but once Google Sites hit its page limits, he had to abort that tack.

He was able to eventually narrow down the C&C domains after enlisting the help of botnet researchers. The researchers black-holed one of the domains, and Moore then executed a "reverse" on the other two C&C domains, pointing the traffic that was flooding his Metasploit site back onto the attackers' domains so they were DDoS'ing themselves.

But these techniques are a bit too technical and risky for most enterprises. SecureWorks' Stewart, who was one of the researchers who helped Moore find the culprit C&C domains, says it would be possible for an enterprise hit by a DDoS to follow Moore's lead by changing its IP address to that of the C&C's IP. "If the bots are attacking you by looking up your host name, you can change your IP address to the C&C IP once you learn where it is. This is easy, but causes [your site] to be down still, and causes your legit traffic to visit a botmaster-owned site -- a little scary if it comes back up before you change the DNS back," he says.

He says it's best to use legitimate abuse-reporting channels in the security community to help take down a botnet.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
