Distributed denial of service (DDoS) attacks are getting bigger. According to research conducted by vendors Arbor Networks and Akamai Technologies, the size of the average DDoS attack in 2012 was approximately 1.77 Gbps. DDoS attack data from Prolexic indicated that the bandwidth for the average attack topped 48 Gbps, an increase of more than 700% from the previous quarter.
Not only was this amount of throughput in a single attack historic in its sheer size, but it also serves as a warning: Organizations must reconsider their overall approach toward DDoS attack prevention.
Most organizations have somewhere in the neighborhood of a 10 Gbps connection to the Internet. A 1.77 Gbps DDoS attack is no small inconvenience, but still manageable. Now the scope of the average DDoS attack has grown so large that no amount of emergency triage can maintain even minimal Internet connectivity if an organization isn't prepared.
This is what happened on March 18, 2013, when the spam-filtering company Spamhaus became the target of what has been referred to as a mega-DDoS attack. Internet service providers reported that throughput associated with the attack achieved peaks of 300 Gbps. Not only was this amount of throughput in a single attack historic in its sheer size, but it also serves as a warning: Organizations must reconsider their overall approach toward DDoS attack prevention.
In this tip, we'll revisit the basics of DDoS functionality and provide advice on how enterprises can prevent today's new breed of mega-DDoS attacks.
The mechanics of a DDoS attack
A traditional denial of service attack is usually thought of as any means with which an information system is rendered incapable of providing the services for which it was built. This could mean anything from a power outage to a packet flood. What makes DDoS so much more difficult to defend against is inherent in its name: distribution. A DDoS attack aims the resources of many compromised systems in many locations at a single target, resulting in the victim's systems becoming overwhelmed.
Many flavors of DDoS exist, but in the basic variety (which was the type executed against Spamhaus), an attacker spoofs an IP address to match that of the intended victim. The attacker then sends a bogus DNS request to pre-selected DNS servers. When the DNS server receives the DNS request, the server checks its database and responds to the spoofed IP address that the DNS entry does not exist. Because the DNS response is sent to the spoofed IP address, the attacker's intended target receives the DNS response instead, with attacker attribution being virtually impossible. Carried out in conjunction with many different DNS servers in many different geographic locations, a professional-level DDoS attack can have a crippling effect on victim networks -- most networks have finite capacity to process incoming traffic.
Mega-DDoS attack prevention
Once enterprises understand how DDoS attacks function, they must determine how they will respond to an attack, which nowadays seems to be an almost inevitable situation. The first option is to team with DDoS mitigation vendors such as Arbor, CloudFlare, Akamai, Prolexic and others -- a valid decision in terms of preparing for the worst. These companies specialize in the prevention and mitigation of trending malicious traffic. However, if an organization does not have the resources to devote to third-party products and services, the wise security administrator will instead take steps toward minimizing the damage in the event of a DDoS attack.
First, security administrators should know the size of their organizations' Internet connections. As mentioned above, the average organization has a 10 Gbps connection, so prudence dictates that administrators ensure that they have at least that much of throughput available. Also, security professionals should always advocate the need for a bigger pipe to management. Even if resources are tight, it doesn't hurt to ask on a somewhat regular basis and use statistics such as those mentioned above to show both the pervasiveness and potential harm of DDoS attacks.
From the editor:
More on DDoS
Learn how to build a comprehensive DoS attack prevention plan, including technical and business strategies
Discover defense strategies for Project Blitzkrieg-style DDoS attacks
Furthermore, network administrators, regardless of whether they have been victimized, should ensure that mechanisms are in place to examine each incoming DNS response. If local servers have no record of ever having made a correlating request, the packet should be dropped rather than adding to the problem by sending unnecessary responses to the external DNS server.
Lastly -- and this point sometimes runs in direct contradiction to the lack of resources problem stated above -- administrators should consider placing more of their infrastructure in the cloud. Initially thought of as a space-saving measure for organizations that don't want to run their own data centers, cloud-based options have increasingly gained traction in the realm of security.
In the case of the Spamhaus attack, Spamhaus used cloud services from CloudFlare to dilute the effects of the DDoS attack. Cloud service providers such as CloudFlare, Neustar and others have data centers all over the world that announce a given customer's IP address. This dispersed announcement causes the DDoS traffic to also disperse its traffic across the different geographic locations, thereby diluting the attack. In the case of mega-DDoS attacks such as the one Spamhaus faced, organizations may have no other option to deal with such overwhelming amounts of traffic than looking to a cloud-based mitigation provider.
Vigilance is key when preparing for and mitigating a DDoS attack. Security administrators must stay informed with regard to the latest trends, tactics and procedures exercised by those who wish to do harm against Internet-connected organizations. In the case of mega-DDoS attacks, every statistic available seems to indicate that DDoS sizes will continue to grow in size and frequency, so preparations should be made for worst-case scenarios like the Spamhaus attack. Preparing in advance is a major step toward narrowing attack vectors and hardening potential targets when a DDoS attack occurs.
About the author
Brad Casey holds a Master of Science in information assurance from the University of Texas at San Antonio and has extensive experience in the areas of penetration testing, public key infrastructure, VoIP and network packet analysis. He is also knowledgeable in the areas of system administration, Active Directory and Windows Server 2008. He spent five years doing security assessment testing in the U.S. Air Force, and in his spare time, you can find him looking at Wireshark captures and playing with various Linux distributions in virtual machines.
This was first published in July 2013