DDoS Attack and Its Defense

1. DDoS attacks are weapons of mass disruption.

The DDoS attack has long been a major threat to the security of the Internet. It is cheap and easy to use for achieving an attacker's goals, so it is very popular among attackers. Any corporation, whether an Internet company or a traditional one, faces the threat of DDoS attacks once it does business on the Internet.

The Q1 2012 survey report from Neustar, a well-known analysis agency, stated that almost one third of corporations had suffered DDoS attacks and almost half of corporations lost over 10 thousand Dollars per hour when their business was interrupted. The retail industry suffered the most, with 67 percent of corporations losing over 100 thousand Dollars per hour.

Figure-1 Ratio of industry victims under DDoS attacks


2. The motives for launching DDoS attacks are "publicity" and "profit".

DDoS attacks are driven by the motives of "publicity" and "profit". "Publicity" means that black hats (attackers who intend to carry out destructive activities) use DDoS attacks to create incidents at socially influential corporations and organizations, in order to declare where they stand on an issue or to show off their abilities.

Incidents with this kind of motive always attract the public's attention and are reported by major news


NSFOCUS

TEL: +86 10 68438880 EMAIL: [email protected]

NSFOCUS US

TEL: +1 408 907 6638 EMAIL: [email protected]

NSFOCUS Japan

TEL: +81 3 6206 8156 EMAIL: [email protected]

MasterCard, Visa, and several e-banking websites that had cut off services to WikiLeaks, overloading them with DDoS attacks to express sympathy with WikiLeaks.

"Profit" indicates profit-driven attacks such as racketeering. Most DDoS attacks launched for racketeering remain unknown to the public unless they have very severe consequences. Criminal syndicates use DDoS attacks to earn commissions (by attacking the websites of a hirer's competitors), to extort money from victims, or to blackmail victims into giving up their advertising proxy.

Figure-2 Attack motives

3. It's a long battle between DDoS attacks and DDoS defense.

The sources of DDoS attacks are hard to eradicate. Because DDoS attacks technically exploit inherent and deeply hidden weaknesses of the Internet, most attack sources are hard to trace by technical means alone.

Even when the attacker exposes his identity, as in racketeering for example, it is still very hard to locate the real attack sources and stop the DDoS attack.

From the deployment viewpoint, DDoS attacks are also not easy to trace. Generally, a DDoS attack is deployed in three layers: the attacker's host, the controllers (hosts controlled by the attacker), and the attack zombies. The attacker sends attack directives to the controllers, and the controllers forward the directives to the attack zombies. As the figure below shows, finding the attacker's IP address and geo-location requires tracing through three levels. In real environments the controllers and the attack zombies are located in different places, even in different countries, which makes finding the DDoS sources nearly impossible.

Figure-3 DDoS attack process

The anti-tracing functions in DDoS tools make attack sources even more difficult to trace.

First of all, 70 percent of DDoS attacks use forged source IP addresses, which make it impossible to find the attack zombies. Second, Fast-Flux Service Networks (FFSN) are widely used in DDoS tools, so the connection between the controllers and the attack zombies is very short-lived: the attack zombies switch controllers every few milliseconds, which makes the controllers hard to trace. Finally, because the attacker uses anonymous proxies to connect to the controllers, it is also very hard to locate the attacker's host.

In short, the concealment features of DDoS attack tools greatly increase the difficulty of finding the hackers.

DDoS attacks cannot be eradicated in a short time, so there is bound to be a long battle between DDoS attacks and DDoS defense.

4. The key factor in winning the battle between DDoS attacks and defense is the operators.

In the battle between DDoS attacks and DDoS defense, what a corporation faces is not a pile of DDoS attack packets, nor DDoS attack tools, but the operators controlling the DDoS attack. That is to say, people are the main participants in the battle. The prevention capability on the target side of a DDoS attack determines who wins. That is why we say the "operator" is the most important factor.

In a DDoS attack, the first thing to do is to identify the attack method, namely what its target is and what type of attack it is. Different attack methods leave different signatures in the attack traffic, which is how we find the proper prevention solution. For example, the common SYN Flood is an attack targeting servers. It is always


- Closely following the types, characteristics and prevention methods of DDoS attacks;

- Good expertise in the use of traffic analysis tools and good knowledge of how to recognize attack signatures (for example, the signatures of captured packets);

- Good knowledge of the protected business structure and its network deployment;

- Good expertise in operating DDoS prevention devices.

5. Stop DDoS attacks before they stop you.

If we want to reduce the losses caused by DDoS attacks to a minimum, it is not enough to prepare countermeasures once an attack is under way; we should be prepared to prevent attacks while they are still only a possibility. The first step is to evaluate the probability of a DDoS attack and the losses it might cause. Based on the assessment results we can then set a reasonable budget for protection.

Here we adopt a model recommended by Yankee, an international authority:

Losses = turnover loss + brand loss + costs for wasted resources

Take e-business as an example. If an e-business corporation's annual turnover is USD 365 million, averaging USD 1 million per day, the turnover loss from a day of business interruption caused by a DDoS attack is USD 1 million. If the average gross margin is 30 percent and the operating cost for one day is USD 700 thousand, the cost of wasted resources is USD 700 thousand. If the business interruption damages the brand and leads to 2‰ of orders being lost, the brand loss is USD 730 thousand. In total, the DDoS attack may cause a loss of about USD 2.43 million.

After the risk assessment and budget plan, the next step is to identify the critical targets we need to protect. This is very important in DDoS attack prevention. We should identify the core assets the business depends on, such as the billing server, login server, DNS server, and bandwidth, and prepare prevention solutions in advance for the attack types these targets might face. Based on feedback from the NSFOCUS technical support department on responding to DDoS attacks over the past two years, we found that the following types of DDoS attacks can serve as a reference for prevention:

- Attacks targeting servers: HTTP Get attacks, SYN Flood attacks, and Connection Flood attacks;

- Attacks targeting DNS: DNS Query Flood;

- Attacks targeting bandwidth: UDP Flood and ICMP Flood.
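As an added example (not from the NSFOCUS paper), the following Python tags a constructed one-second traffic sample with the attack types listed above, so an operator can see which target class (servers, DNS or bandwidth) is under pressure and how many distinct sources stand behind each type. The per-type packet signatures, the threshold and the sample addresses are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""            # TCP flags: "S" = bare SYN, "PA" = data segment
    payload: bytes = b""

# Assumed signatures (not from the paper): bare SYN -> SYN Flood; TCP data to
# port 80 starting with "GET " -> HTTP Get; other TCP -> Connection Flood;
# UDP/53 -> DNS Query Flood; other UDP -> UDP Flood; ICMP -> ICMP Flood.
def classify(pkt: Packet) -> str:
    if pkt.proto == "tcp":
        if pkt.flags == "S":
            return "SYN Flood"
        if pkt.dport == 80 and pkt.payload.startswith(b"GET "):
            return "HTTP Get"
        return "Connection Flood"
    if pkt.proto == "udp":
        return "DNS Query Flood" if pkt.dport == 53 else "UDP Flood"
    if pkt.proto == "icmp":
        return "ICMP Flood"
    return "other"

# The paper's grouping of attack types by what they target.
TARGET_OF = {
    "HTTP Get": "servers", "SYN Flood": "servers", "Connection Flood": "servers",
    "DNS Query Flood": "DNS", "UDP Flood": "bandwidth", "ICMP Flood": "bandwidth",
}

def summarize(packets, window_s, pps_threshold):
    """Return (packets/sec per type, target classes over threshold, distinct
    sources per type). Many sources behind one flood type fits the paper's
    note that most attacks use forged source addresses."""
    by_type = {}
    for p in packets:
        by_type.setdefault(classify(p), []).append(p.src)
    rates = {k: len(v) / window_s for k, v in by_type.items()}
    targets = {TARGET_OF[k] for k, r in rates.items()
               if k in TARGET_OF and r >= pps_threshold}
    return rates, targets, {k: len(set(v)) for k, v in by_type.items()}

# Constructed sample (assumed): one second holding 600 bare SYNs from 600
# different sources, 50 ordinary HTTP requests and 10 DNS queries.
SAMPLE = (
    [Packet(f"198.18.{i // 256}.{i % 256}", "tcp", 80, "S") for i in range(600)]
    + [Packet("198.18.9.1", "tcp", 80, "PA", b"GET / HTTP/1.1\r\n") for _ in range(50)]
    + [Packet("198.18.9.2", "udp", 53) for _ in range(10)]
)
```

Calling `summarize(SAMPLE, 1.0, 500)` reports 600 SYN packets per second from 600 distinct sources and flags "servers" as the target class, while the HTTP and DNS traffic stays below the threshold.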

6. Security prevention services will be a popular option.

As cloud computing is widely used in many applications, more and more security corporations will launch SaaS-based security services. Some security vendors and telecom carriers have already begun to provide managed DDoS protection services and solutions for corporations. Unlike traditional DDoS protection products, a managed DDoS protection service or solution delivers not only a DDoS protection tool but also the capability to prevent DDoS attacks. This kind of service or solution will help corporations prevent DDoS attacks faster and more efficiently. We believe that more corporations will choose managed DDoS protection services in the future.


For more information

For more information about NSFOCUS products and services, please contact the NSFOCUS sales

NSFOCUS

TEL: +86 10 68438880 EMAIL: [email protected]

NSFOCUS US

TEL: +1 408 907 6638 EMAIL: [email protected]

NSFOCUS Japan

TEL: +81 3 6206 8156 EMAIL: [email protected]

For more information visit the NSFOCUS website: www.nsfocus.com

“NSFOCUS” is the trademark of NSFOCUS Information Technology Co., Ltd.

NSFOCUS enjoys all copyrights with respect to all textual narrations, document formats, illustrations, photographs, methods, processes and other contents, unless otherwise specified, which shall be governed by relevant property rights and copyright laws. Without written permission of NSFOCUS, any individual or institution shall be prohibited to copy or quote any section herein in any way.
