Denial of Service (DoS) attacks are among the most feared threats in
today's cybersecurity landscape. Difficult to defend against and
potentially costly, DoS attacks can cause outages of web sites and
network services for organizations large and small. DoS attacks can also
be lucrative for criminals, some of whom use these attacks to shake
down businesses for anywhere from thousands to millions of dollars.
Any deliberate effort to cut off your web site or network from its
intended users qualifies as a DoS attack. Such attacks have been
successfully deployed against major online businesses including
Visa and Mastercard, Twitter, and WordPress.
DoS attacks effectively knock the services offline, costing lost
business and negative publicity. They also force IT staff to expend
valuable resources defending against the attackers.
If there is a silver lining to DoS attacks, it's this: The objective
of the typical DoS attack is not to steal or expose confidential data.
Most DoS attacks do not actually breach a company's network, they simply
overwhelm it with traffic. In many recent cases, DoS attacks have been
used by Anonymous and other hacktivist groups as a form of online
protest against corporate and governmental targets whose policies or
actions are at odds with the demonstrators.
The exception to this is when a DoS attack is used as a distraction
to funnel attention and resources away while a targeted breach attack is
being launched. Sony claims that Anonymous used that technique against
them in a major 2011 attack that ultimately led to the theft of over
12 million customers' credit card data.
DoS vs. DDoS
The most easily executed type of DoS attack is one that is launched
from a single origin. In this attack, a single machine somewhere on the
Internet issues a barrage of network requests against a targeted victim
machine. The requests themselves can take a variety of forms; for
example, an attack might use ICMP flooding via ping requests, or HTTP
requests against a web server.
Single-origin DoS attacks can be effective against undefended victims, but they have a few key limitations:
- Victims can block the originating IP address, either at their own
firewall (sufficient for an application-level flood such as HTTP
requests, which the firewall can drop before they reach the web server)
or further upstream at the ISP level. Upstream blocking is what a
network-level flood requires: by the time the packets reach the victim's
own firewall they have already consumed the victim's Internet link.
- Security tools now exist to detect and prevent ICMP flood attacks, and
web servers can be configured to detect and block HTTP request floods,
for example by rate-limiting requests per client address.
- Enterprise products can identify and block single-origin attacks as soon as they begin.
These days, the more nefarious type of DoS is called the DDoS, or Distributed Denial of Service attack.
In a DDoS attack, the incoming traffic flooding the victim originates
from many different sources – potentially hundreds of thousands or
more. This effectively makes it impossible to stop the attack simply by
blocking a single IP address; plus, it is very difficult to distinguish
legitimate user traffic from attack traffic when spread across so many
points of origin.
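To make the contrast between a single-origin flood and a distributed one concrete, here is an added example (not code from the original article) that runs a per-source sliding-window rate detector over constructed web server access log lines. The log lines, the client addresses (taken from the RFC 5737 documentation ranges), and the 100-requests-per-10-seconds threshold are all assumptions made for the demonstration. The same 500 requests trip the detector when they come from one address and evade it entirely when spread across 500 addresses, while the server has to absorb the same peak load either way.

```python
"""Per-source request-rate detection over web server access log lines.

Added example, not from the original article. A sliding window counter
per client IP catches a single-origin HTTP flood immediately, while the
same volume spread across many source addresses never crosses the per-IP
threshold. Log format, addresses and thresholds are assumed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format (Apache/nginx default). Only the client address and the
# timestamp are captured; that is all the detector needs.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, epoch_seconds) for a CLF line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT).timestamp()


class PerSourceRateDetector:
    """Flag any client whose requests inside a sliding window exceed a limit."""

    def __init__(self, window_seconds=10, max_requests=100):
        self.window = window_seconds
        self.limit = max_requests
        self.recent = defaultdict(deque)   # ip -> timestamps still inside the window
        self.flagged = {}                  # ip -> time it crossed the limit

    def observe(self, ip, ts):
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] >= self.window:   # expire requests older than the window
            q.popleft()
        if len(q) > self.limit and ip not in self.flagged:
            self.flagged[ip] = ts
        return ip in self.flagged


def flagged_sources(lines, window_seconds=10, max_requests=100):
    """Run the detector over log lines and return the set of flagged client IPs."""
    det = PerSourceRateDetector(window_seconds, max_requests)
    for parsed in map(parse_line, lines):
        if parsed:
            det.observe(*parsed)
    return set(det.flagged)


def peak_window_load(lines, window_seconds=10):
    """Largest number of requests, from all sources combined, inside one window.

    This is what the server actually has to absorb, regardless of how many
    addresses the requests came from.
    """
    times = sorted(p[1] for p in map(parse_line, lines) if p)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


# --- constructed sample logs (not captured from any real server) -----------
BASE = datetime(2011, 4, 20, 12, 0, 0, tzinfo=timezone.utc)


def clf_line(ip, offset_seconds, path="/"):
    stamp = (BASE + timedelta(seconds=offset_seconds)).strftime(TS_FMT)
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


def single_origin_flood(requests=500, duration=10):
    """One attacker at 203.0.113.7 sending `requests` hits over `duration` seconds."""
    per_second = requests // duration
    return [clf_line("203.0.113.7", i // per_second) for i in range(requests)]


def distributed_flood(requests=500, duration=10):
    """Same volume, but every request from a different bot in 192.0.2.0/24
    and 198.51.100.0/24 (documentation ranges standing in for bot addresses)."""
    per_second = requests // duration
    lines = []
    for i in range(requests):
        ip = f"192.0.2.{i}" if i < 256 else f"198.51.100.{i - 256}"
        lines.append(clf_line(ip, i // per_second))
    return lines


if __name__ == "__main__":
    for name, log in (("single-origin", single_origin_flood()),
                      ("distributed", distributed_flood())):
        print(f"{name}: peak load {peak_window_load(log)} req/10s, "
              f"flagged sources {sorted(flagged_sources(log))}")
```

Running the script shows both floods delivering a peak of 500 requests in ten seconds, but only the single-origin run names a source to block. Lowering the per-IP threshold until it catches the distributed case would also catch ordinary users, which is the dilemma the paragraph above describes.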
DDoS: The Rise of the Botnets
Where does an attacker even get thousands of machines to launch a
DDoS? Distributed Denial of Service attacks are executed by a so-called
botnet – a collection of computers around the world infected with an
attacker's malware.
Malware infections can install silent software on a victim machine
which places it under the control of a remote attacker. Successful
botnets can consist of hundreds of thousands of infected machines,
typically without the owners' knowledge. There is big money in creating
botnets – among other things, botnet creators rent out their creations
to criminal enterprises who can use them to launch a DDoS.
Large-scale DDoS attacks are not random. The perpetrators choose
their victim deliberately, whether out of a grudge, for revenge, or in an
attempt to bully them into meeting some demands, possibly including
paying extortion. Renting a botnet to launch a DDoS can cost about
$100 per day, so the duration of an attack depends partly on how well
funded the attacker is.
Inside a DDoS
The specific mechanisms used by a DDoS to "drop" a web site or
network can vary depending on the attacker's preferred strategy. One
major difference between DDoS implementations is whether they target the
computing resources of the victim's machine or the network resources.
An attack against a web server based on HTTP flooding – as many as
10,000 requests per second – can overwhelm the server software,
eventually consuming the machine's memory, CPU time, and possibly even
disk space (if the log files grow out of control).
An attack such as a SYN flood instead targets the TCP stack itself. The
attacker sends a stream of SYN packets, usually with spoofed source
addresses, and never completes the three-way handshake, so each one
leaves a half-open connection that the server must track until it times
out. Once the backlog of half-open connections is full, the server drops
new SYNs, including those from legitimate users. Depending on how an
organization's network is managed, this kind of DDoS can not only
overwhelm a server, it can also overload switches or other network
resources, potentially impacting a victim's entire network, including
casualties unrelated to the victim if they share network space with the
same ISP.
HTTP and SYN floods are not the only weapons in a DDoS attacker's
arsenal but they are among the most common. Other attack mechanisms may
include UDP, ICMP and DNS floods, as well as mailbombs. A so-called
"mixed DDoS" can incorporate several of these weapons into one attack.
Can a DDoS be stopped?
Let's start with the bad news: It is very difficult to defend against
a sophisticated DDoS attack launched by a determined adversary.
Many organizations struck by a DDoS are left to scramble in an effort
to stop the attack once it has already begun. Sometimes this requires
coordination with the ISP that provides network access. This is
especially true when an ISP is forced to "null route" a victim – meaning
that to protect other customers, the ISP routes traffic intended for
the victim into the trash. This of course effectively prevents all
access, including from legitimate users.
One of the better-known countermeasures against a SYN flood is the use of
SYN cookies, either in the server OS or, better yet for network
efficiency, in a network security device at the network edge such as the
Cisco Guard. With SYN cookies the server allocates nothing when a SYN
arrives. Instead it encodes the connection details into the sequence
number of its SYN-ACK using a secret key, and rebuilds the connection
state only when the client's final ACK comes back carrying that number.
Half-open connections therefore consume no memory, so a typical SYN flood
cannot exhaust the stack, and forged ACKs fail the check because the
attacker cannot compute a valid cookie.
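The SYN flood and the SYN cookie defence described above, as an added example that is not code from the article or from any real TCP stack. A toy listener keeps a bounded table of half-open connections, or, with cookies enabled, stores nothing and derives its SYN-ACK sequence number from the connection 4-tuple, the client's ISN, a coarse time counter and a secret key. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) is a simplified version of the scheme Linux uses, not a bit-for-bit copy; the key, backlog size and addresses are assumptions made for the demonstration.

```python
"""Toy TCP listener showing why SYN cookies defeat a SYN flood.

Added example, not from the original article or any real TCP stack. Cookie
layout is a simplified form of the Linux scheme; key, backlog and addresses
are assumed values for the demonstration.
"""
import hashlib
import hmac
import random

SERVER = ("203.0.113.80", 443)          # assumed server address and port
MSS_TABLE = (536, 1300, 1440, 1460)      # MSS values a cookie can encode (3 bits)


def _mac24(key, client, client_isn, counter, mss_idx):
    """24-bit keyed hash binding the cookie to 4-tuple, client ISN, time and MSS."""
    msg = f"{client[0]}:{client[1]}>{SERVER[0]}:{SERVER[1]}|{client_isn}|{counter}|{mss_idx}"
    digest = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(key, client, client_isn, counter, mss):
    """Server ISN that carries all the state a half-open entry would have held."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac24(key, client, client_isn, counter, mss_idx)


def check_cookie(key, client, client_isn, cookie, now):
    """Return the MSS encoded in a valid, recent cookie; None if forged or stale."""
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    for cand in (now, now - 1):                  # accept current and previous tick only
        if (cand & 0x1F) == cookie >> 27 and \
           (cookie & 0xFFFFFF) == _mac24(key, client, client_isn, cand, mss_idx):
            return MSS_TABLE[mss_idx]
    return None


class Listener:
    """Passive-open socket with a bounded half-open table, optionally using cookies."""

    def __init__(self, backlog=128, syncookies=False, key=b"assumed-secret-key"):
        self.backlog, self.syncookies, self.key = backlog, syncookies, key
        self.counter = 0            # coarse time counter, advanced by tick()
        self.half_open = {}         # client -> server ISN (only without cookies)
        self.established = set()
        self.dropped = 0

    def tick(self):
        self.counter += 1

    def on_syn(self, client, client_isn, mss=1460):
        """Handle a SYN; return the SYN-ACK sequence number, or None if dropped."""
        if self.syncookies:         # store nothing: the ISN itself carries the state
            return make_cookie(self.key, client, client_isn, self.counter, mss)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1       # backlog full: even a legitimate SYN is discarded
            return None
        isn = random.getrandbits(32)
        self.half_open[client] = isn
        return isn

    def on_ack(self, client, client_isn, ack):
        """Handle the handshake's final ACK (ack == server ISN + 1); True if established."""
        seq = (ack - 1) & 0xFFFFFFFF
        if self.syncookies:
            ok = check_cookie(self.key, client, client_isn, seq, self.counter) is not None
        else:
            ok = self.half_open.pop(client, None) == seq
        if ok:
            self.established.add(client)
        return ok


def run_flood(syncookies, spoofed_syns=1000, backlog=128):
    """Flood the listener with spoofed SYNs that never complete, then try a real client."""
    srv = Listener(backlog=backlog, syncookies=syncookies)
    for i in range(spoofed_syns):
        bot = (f"198.51.100.{i % 256}", 40000 + i)   # spoofed source, never answers
        srv.on_syn(bot, client_isn=i)
    client = ("192.0.2.10", 51515)
    synack = srv.on_syn(client, client_isn=777)
    if synack is None:
        return "dropped"            # SYN discarded: backlog exhausted by the flood
    return "established" if srv.on_ack(client, 777, synack + 1) else "rejected"


def forged_ack_accepted():
    """An attacker who never saw the SYN-ACK cannot produce a valid cookie."""
    srv = Listener(syncookies=True)
    return srv.on_ack(("198.51.100.9", 4444), 1, 0x12345678)


def stale_cookie_accepted():
    """A cookie older than one counter tick is rejected, bounding replay."""
    srv = Listener(syncookies=True)
    client = ("192.0.2.11", 50000)
    synack = srv.on_syn(client, 5)
    for _ in range(3):
        srv.tick()                  # client waited far too long to answer
    return srv.on_ack(client, 5, synack + 1)


if __name__ == "__main__":
    print("without cookies:", run_flood(syncookies=False))
    print("with cookies:   ", run_flood(syncookies=True))
```

Without cookies the 1,000 spoofed SYNs fill the 128-entry backlog and the real client's SYN is silently dropped; with cookies the listener never stores anything, so the real client completes the handshake while the spoofed ones simply never return. The trade-off the simplification also shows is that only a few TCP options (here just the MSS, at 3 bits) fit into the cookie, which is why real stacks enable cookies only once the backlog is under pressure.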
An effective defense against an HTTP flood can be the deployment of a
reverse proxy, in particular a collection of reverse proxies spread
across multiple hosting locations. A reverse proxy is somewhat akin to a
bouncer at a nightclub, deciding which guests are allowed into the party
(the real web server). By deploying many bouncers in different
locations, the crush of incoming traffic is split into fractions,
lessening the possibility of any one network link becoming overwhelmed.
Deploying this type of architecture can be done in the scramble after an
attack has begun, or baked into the network architecture of a web site
as a preventative defense.
The limitation with these DDoS defenses is that if the attacker can
generate network traffic at a higher rate than your network's Internet
connection can handle, it will be hard to avoid a meltdown. But what
these defense strategies do accomplish is at least force the attacker to
get a bigger gun.