DDoS - unstoppable menace

DDoS : The menace

By Aravind Anbazhagan

Outline

What is DoS/DDoS?

Why is DDoS a popular choice?

What is the motive behind the attacks?

Potential DDoS targets

Impact of DDoS attack

Myths in DDoS protection

DDoS mitigation techniques

Why is DDoS a popular choice?

DDoS tools are readily available (hping, Juno, Trinoo, Stacheldraht, LOIC)

DDoS is being offered as a service at low cost

Botnets are available for hire to launch a DDoS attack

Many organizations do not apply any form of DDoS protection

DDoS solutions are not able to detect all types of attacks

It is difficult for security professionals to trace back the source of an attack because of spoofed IP addresses and covert channels

Organizations rely entirely on their ISP for DDoS protection without considering an on-premise solution

What is the motive behind a DDoS attack?

Hacktivism (ideological and political differences) to gain media attention

Ransom/extortion

Take down a competing player in an online game (host booting)

Disgruntled customer or former employee

To divert attention from the real attack or keep the incident response team busy

Cause loss of revenue

Spoil brand reputation

Boredom

Annoyance

Revenge

Potential DDoS targets

Impact of DDoS attack

Loss of revenue

Organization reputation damage

E-commerce credibility

Lost Productivity

Contractual Violations

Incident handling and recovery costs

Dissatisfied customers

Types of DDoS attacks

Volumetric attacks (magnitude measured in bits per second (bps))
  SYN flood
  UDP flood
  ICMP/Ping flood

Protocol attacks (magnitude measured in packets per second (pps))
  Ping of death
  Smurf attack
  Fragmented packet attack

Application attacks (magnitude measured in requests per second (rps))
  HTTP GET (tools: LOIC (Low Orbit Ion Cannon), HULK (HTTP Unbearable Load King), Slowloris)
  HTTP POST (tools: RUDY (R-U-Dead-Yet), Tor's Hammer)
  DNS flood
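The three magnitudes on this slide (bps, pps, rps) are exactly the counters a defender baselines and watches, which is also the "monitor and create a baseline" step listed later under mitigation techniques. The following is an added example, not part of the slides: it learns a per-second baseline from constructed counters, flags seconds that exceed mean plus k standard deviations (the threshold rule is an assumption), and names the attack class of the metric that deviates most. The sample counters, the flood sizes and the three-second floods are all constructed.

```python
"""Constructed example, not from the slides: learn a traffic baseline from
per-second counters and flag seconds that deviate, naming the attack class
the slide taxonomy assigns to the metric that deviates most."""
from statistics import mean, pstdev

# Metric -> attack class, following the slide's taxonomy (bps / pps / rps).
METRIC_CLASS = {"bps": "volumetric", "pps": "protocol", "rps": "application"}

# Constructed per-second samples: (second, bytes, packets, http_requests).
# Seconds 0-9 are ordinary traffic; 10-12 are three constructed floods.
SAMPLES = [
    (0, 100_000, 100, 20), (1, 110_000, 110, 22), (2, 90_000, 90, 18),
    (3, 105_000, 105, 21), (4, 95_000, 95, 19), (5, 100_000, 100, 20),
    (6, 102_000, 102, 20), (7, 98_000, 98, 20), (8, 100_000, 100, 20),
    (9, 100_000, 100, 20),
    (10, 50_000_000, 35_000, 20),   # large-packet UDP flood: bytes dominate
    (11, 6_000_000, 100_000, 20),   # small-packet SYN flood: packets dominate
    (12, 300_000, 3_000, 2_500),    # HTTP GET flood: requests dominate
]


def to_metrics(sample):
    """Convert one sample into the three per-second metrics."""
    _, nbytes, packets, requests = sample
    return {"bps": nbytes * 8, "pps": packets, "rps": requests}


def build_baseline(samples):
    """Mean and population standard deviation of each metric over the
    training seconds (the 'normal traffic' the slide asks you to learn)."""
    baseline = {}
    for metric in METRIC_CLASS:
        values = [to_metrics(s)[metric] for s in samples]
        baseline[metric] = (mean(values), pstdev(values))
    return baseline


def detect(baseline, samples, k=3.0):
    """Return (second, attack_class, metric, ratio) for each anomalous second.

    A metric is anomalous above mean + k*std (assumed rule).  A flood usually
    pushes several metrics at once (a volumetric flood also raises pps), so the
    class is taken from the metric with the largest ratio to its baseline mean."""
    alerts = []
    for sample in samples:
        exceeded = {}
        for metric, value in to_metrics(sample).items():
            mu, sigma = baseline[metric]
            if value > mu + k * sigma:
                exceeded[metric] = value / mu if mu else float("inf")
        if exceeded:
            worst = max(exceeded, key=exceeded.get)
            alerts.append((sample[0], METRIC_CLASS[worst], worst,
                           round(exceeded[worst], 1)))
    return alerts


def run():
    """Train on the quiet seconds, then score every second."""
    baseline = build_baseline([s for s in SAMPLES if s[0] < 10])
    return detect(baseline, SAMPLES)


if __name__ == "__main__":
    for second, cls, metric, ratio in run():
        print(f"second {second}: {cls} attack suspected "
              f"({metric} at {ratio}x baseline)")
```

In a real deployment the baseline would be built per time-of-day and per service rather than from ten quiet seconds, and the alerts would be fed to the correlation engine the slides mention instead of printed.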

Myths in DDoS protection

It only happens to others!

Firewalls and IDS will protect me from DDoS

Software fixes can solve DDoS attack issues

IPTables can stop DDoS attacks

ISP or Webhost will take care of DDoS attacks

ACLs on switches/routers can stop DDoS attacks

DDoS Mitigation techniques

Have an incident response plan ready and know whom to contact.

Monitor the network to understand what normal traffic looks like and create a baseline. Feed this information to a correlation engine, e.g. Cisco Anomaly Detector XT or Arbor Peakflow SP.

Over-provisioning: buying excess bandwidth or redundant network devices to handle any spike in demand.

IP reputation database based blocking: the database contains a list of known or frequent genuine users by IP address

Geo-IP location based blocking: blocking IPs based on geographical location

ACLs on border routers

Implement load balancers

Aggressive aging of idle connections from the connection table

Install patches and harden your systems so that they will not be compromised and added to a botnet

Change default settings and harden the device by disabling unwanted services and ports.
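"Aggressive aging" is easiest to understand with a small model of the connection table it protects. The following is an added example, not part of the slides: a table that keeps separate idle timeouts for half-open (SYN seen, handshake never completed) and established entries, and switches to much shorter timeouts once occupancy crosses a high-water mark. The capacities, timeouts, high-water mark and the constructed SYN-flood scenario are all assumptions chosen for illustration.

```python
"""Constructed example, not from the slides: a firewall-style connection
table that ages idle half-open entries aggressively once the table fills,
so a SYN flood cannot hold the table full while established sessions survive."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    state: str        # "half_open" (SYN seen, handshake incomplete) or "established"
    last_seen: float  # timestamp of the last packet for this entry


@dataclass
class ConnTable:
    capacity: int = 1000
    high_water: float = 0.8  # occupancy fraction that switches on aggressive aging
    # Normal idle timeouts per state (seconds); assumed values.
    idle_timeout: dict = field(
        default_factory=lambda: {"half_open": 30.0, "established": 300.0})
    # Shortened timeouts used while the table is under pressure; assumed values.
    aggressive_timeout: dict = field(
        default_factory=lambda: {"half_open": 2.0, "established": 120.0})
    entries: dict = field(default_factory=dict)

    def is_full(self):
        return len(self.entries) >= self.capacity

    def under_pressure(self):
        return len(self.entries) >= self.high_water * self.capacity

    def observe(self, now, key, state):
        """Record a packet for flow `key` ((src_ip, src_port) here)."""
        self.entries[key] = Entry(state, now)

    def age(self, now):
        """Drop entries idle longer than their timeout; returns how many were dropped."""
        timeouts = self.aggressive_timeout if self.under_pressure() else self.idle_timeout
        expired = [k for k, e in self.entries.items()
                   if now - e.last_seen > timeouts[e.state]]
        for key in expired:
            del self.entries[key]
        return len(expired)


def simulate(aggressive):
    """Constructed scenario: 50 legitimate sessions, then a SYN flood that fills
    the table; returns (expired, remaining, table_still_full) after one aging pass."""
    # A high-water mark above 1.0 means aggressive aging never triggers.
    table = ConnTable(capacity=1000, high_water=0.8 if aggressive else 2.0)
    for i in range(50):   # t=0: established sessions from constructed client addresses
        table.observe(0.0, (f"10.0.0.{i}", 40_000 + i), "established")
    for i in range(950):  # t=1: half-open entries from constructed spoofed sources
        table.observe(1.0, (f"198.51.100.{i % 256}", 1024 + i), "half_open")
    expired = table.age(4.0)  # t=4: periodic aging pass
    return expired, len(table.entries), table.is_full()


if __name__ == "__main__":
    print("aggressive aging:", simulate(True))   # flood entries gone, sessions kept
    print("normal aging:   ", simulate(False))   # table stays full until the 30 s timeout
```

With normal timeouts the table is still full three seconds into the flood, so every new legitimate SYN would be refused; with aggressive aging the half-open entries are gone after one pass while the 50 established sessions are untouched.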

DDoS Mitigation techniques Cont.

Implement unicast reverse path forwarding (uRPF): stops spoofed source IP addresses by dropping traffic whose source address does not belong to the subnet (or route) of the interface it arrived on

Implement TCP Intercept: protects against TCP SYN flood attacks by answering the SYN on behalf of the intended destination.

Implement a high-capacity Web Application Firewall (WAF) and IPS

Rate limiting: control the rate of traffic sent or received by a network interface controller

Black holing/null routing with the aid of the ISP: sending all traffic for the attacked address to a non-existent destination, so it is dropped

Sink holing: sends all requests to a logger that records some statistics and then drops the requests

Use clean pipes from the ISP or cloud-based IP scrubbing to defend against volumetric attacks

Use a dedicated, always-on DDoS mitigation appliance

Implement ingress and egress filtering

Split services onto different hosts. Don't use a single host as both a DNS server and a Web server.

For a home network, contact the ISP and request a dynamic IP address, or use a VPN
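The uRPF item and the ingress/egress filtering item on this slide are two sides of the same source-address check, so one added example (not part of the slides) covers both: strict uRPF on ingress, which generalizes the slide's "same subnet" wording to a longest-prefix lookup in the routing table, followed by a BCP 38-style egress filter that lets only our own public prefixes leave toward the ISP. The routing table, interface names, prefixes and sample packets are all constructed (documentation ranges from RFC 5737), and the 10.9.0.0/16 guest case shows why the egress filter is still worth keeping behind uRPF: it catches a private source that passes the reverse-path check but should never leave un-NATed.

```python
"""Constructed example, not from the slides: strict unicast RPF on ingress
plus BCP 38-style egress filtering, evaluated over constructed packets."""
import ipaddress

# Constructed routing table: prefix -> interface through which it is reached.
ROUTES = {
    "192.0.2.0/24": "lan0",     # our public LAN prefix
    "203.0.113.0/24": "dmz0",   # our public DMZ prefix
    "10.9.0.0/16": "guest0",    # private guest network (must be NATed before leaving)
    "0.0.0.0/0": "wan0",        # default route toward the ISP
}
# Prefixes we are allowed to originate traffic from (used by the egress filter).
OUR_PUBLIC_PREFIXES = ["192.0.2.0/24", "203.0.113.0/24"]


def best_route(ip):
    """Longest-prefix match: interface the address is routed through, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src_ip, in_iface):
    """Strict uRPF: the route back to the source must point out the
    interface the packet arrived on; otherwise the source is spoofed."""
    return best_route(src_ip) == in_iface


def egress_ok(src_ip):
    """BCP 38 egress filter: traffic toward the ISP must carry one of our
    own public source addresses (catches leaked private or spoofed sources)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in OUR_PUBLIC_PREFIXES)


def filter_packets(packets):
    """Apply ingress uRPF, then egress filtering; returns (src, verdict) per packet."""
    verdicts = []
    for src, in_iface, out_iface in packets:
        if not urpf_strict(src, in_iface):
            verdicts.append((src, f"drop: uRPF fail on {in_iface}"))
        elif out_iface == "wan0" and not egress_ok(src):
            verdicts.append((src, "drop: egress filter"))
        else:
            verdicts.append((src, "accept"))
    return verdicts


# Constructed packets: (source address, ingress interface, egress interface).
PACKETS = [
    ("192.0.2.10", "lan0", "wan0"),     # our host talking to the Internet
    ("198.51.100.7", "lan0", "wan0"),   # inside host spoofing a foreign source
    ("198.51.100.7", "wan0", "lan0"),   # ordinary inbound packet from the Internet
    ("192.0.2.10", "wan0", "lan0"),     # our own address arriving from the ISP: spoofed
    ("10.9.0.5", "guest0", "wan0"),     # private source leaking out un-NATed
]

if __name__ == "__main__":
    for src, verdict in filter_packets(PACKETS):
        print(f"{src:15} {verdict}")
```

Strict uRPF is only safe on interfaces with symmetric routing; on a multihomed border with asymmetric paths the check would drop legitimate traffic, which is why routers also offer a loose mode that only requires some route to the source to exist.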

Thank you

Questions ?