For anybody running a more Web-ready server OS than MPE, or any server attached to a network, Distributed Denial of Service (DDoS) is a live security and service-level threat. Migrating sites will do well to study up on these attacks. In the second of two parts, our security writer Steve Hardwick shares preventive measures that reduce the impact of DDoS on commodity enterprise platforms such as Linux, Unix or Windows.
By Steve Hardwick, CISSP
DDoS attacks can be nasty and difficult to mitigate. With a correct understanding of both the source and the impact of these attacks, however, precautions can be taken to reduce their effect. That includes preventing your own endpoints from being used as part of a botnet that attacks other networks: a DDoS virus may do no visible harm to the computer it infects, yet wreak havoc on its intended target.
One legitimate question is why a DDoS attack would be used at all. There are two main reasons:
1) As the primary attack. For example, a group of hacktivists wants to take down a specific website. A virus is constructed that targets that site, is spread to many machines, and is then remotely triggered. The target site is now under serious attack.
2) As one stage of a multi-stage attack. A firewall is hit with an amplified ping flood. The firewall can eventually give up and reboot (sometimes referred to as "failing over"). It may come back up in a "safe" mode, in a fail-over configuration, or with a backup configuration. In many cases this backup configuration contains minimal programming and is a lot easier to breach, which is what launches the next phase of the attack. I've had experiences where the default fail-over configuration of a router was wide open, allowing unfiltered inbound traffic.
DDoS attacks are difficult to mitigate because they strike several layers of the network at once. There are, however, some best practices that help lessen the threat.
2) Centralized monitoring: A central monitoring system gives a clear picture of normal network operation, so any variance from the usual traffic pattern stands out. This is especially valuable against multi-stage attacks, where the flood is only the opening move.
3) Apply filtering: Many firewalls have specific features for filtering out DDoS traffic, and disabling ping responses can also reduce susceptibility. Firewall filtering policies must be reviewed continually. That review includes an audit of the policies themselves, or a simulated DDoS attack on the network during a period of low activity. Don't forget to make sure the firewall's backup configurations are reviewed and set correctly as well.
4) Threat intelligence: Continually review information about new threats. Many services now provide updates on newly detected threats.
5) Outsource: Several DDoS mitigation providers offer services that help organizations secure their networks against DDoS attacks. A quick web search will turn up the well-known companies in this space.
6) Incident response plan: Have a good plan for responding to DDoS-level threats. It must include an escalation path to a decision maker who can act on the threat, since the response may include isolating critical systems from the network.
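The "variance in traffic patterns" that centralized monitoring is meant to expose (point 2 above) can be checked mechanically. The following is an added example, not code from the article: it learns a baseline from the first ten minutes of constructed per-minute counters (total packets, ICMP echo requests, TCP SYNs, all made up to resemble what a collector would pull from a border router) and then flags later minutes that deviate from it, both by z-score on each counter and by the share of traffic that is ping. The field names, thresholds and baseline length are assumptions.

```python
"""Baseline-deviation check over per-minute traffic counters (added example)."""
from statistics import mean, pstdev
from typing import List, NamedTuple


class MinuteSample(NamedTuple):
    minute: int          # minutes since the start of the observation window
    total_pkts: int      # all inbound packets seen at the network edge
    icmp_echo_pkts: int  # ICMP echo requests (pings)
    syn_pkts: int        # TCP SYNs opening new connections


class Alert(NamedTuple):
    minute: int
    metric: str
    value: float         # z-score for counters, ratio for icmp_echo_share


# Constructed sample (not real traffic): ten quiet minutes used as the
# baseline, two more quiet minutes, then an amplified ping flood that
# lasts two minutes and stops.
SAMPLES = [MinuteSample(*r) for r in [
    (0, 48_120, 130, 3_010), (1, 47_980, 142, 2_990), (2, 48_410, 125, 3_120),
    (3, 48_050, 138, 3_040), (4, 47_900, 151, 2_960), (5, 48_300, 133, 3_080),
    (6, 48_220, 127, 3_150), (7, 47_870, 146, 2_930), (8, 48_160, 139, 3_060),
    (9, 48_010, 134, 3_020),
    (10, 48_090, 141, 3_030), (11, 48_240, 129, 3_100),
    (12, 412_000, 361_500, 3_090),   # ping flood begins
    (13, 905_000, 852_000, 3_110),   # flood peaks
    (14, 48_350, 135, 3_170),        # flood stops (or the firewall rebooted)
]]

BASELINE_MINUTES = 10   # assumed: minutes used to learn "normal"
Z_THRESHOLD = 4.0       # assumed: standard deviations above the mean that count as a spike
ECHO_SHARE_MAX = 0.05   # assumed: pings above 5% of all traffic are abnormal here
COUNTERS = ("total_pkts", "icmp_echo_pkts", "syn_pkts")


def baseline(samples: List[MinuteSample], field: str):
    """Mean and population standard deviation of one counter over the baseline window."""
    values = [getattr(s, field) for s in samples[:BASELINE_MINUTES]]
    return mean(values), pstdev(values)


def detect(samples: List[MinuteSample]) -> List[Alert]:
    """Flag minutes after the baseline window whose counters deviate from it.

    Two independent signals: a z-score on each raw counter, and the share of
    traffic that is ICMP echo, which catches a ping flood even on a link whose
    total volume is too noisy for the z-score alone to be reliable.
    """
    stats = {f: baseline(samples, f) for f in COUNTERS}
    alerts: List[Alert] = []
    for s in samples[BASELINE_MINUTES:]:
        for field, (mu, sigma) in stats.items():
            value = getattr(s, field)
            if sigma == 0:
                # Flat baseline: any increase is an infinite deviation, any
                # decrease is none. Avoids dividing by zero.
                z = float("inf") if value > mu else 0.0
            else:
                z = (value - mu) / sigma
            if z > Z_THRESHOLD:
                alerts.append(Alert(s.minute, field, round(z, 1)))
        share = s.icmp_echo_pkts / s.total_pkts if s.total_pkts else 0.0
        if share > ECHO_SHARE_MAX:
            alerts.append(Alert(s.minute, "icmp_echo_share", round(share, 2)))
    return alerts


def alerted_minutes(samples: List[MinuteSample]) -> List[int]:
    """Distinct minutes that raised at least one alert, in order."""
    return sorted({a.minute for a in detect(samples)})


if __name__ == "__main__":
    for a in detect(SAMPLES):
        print(f"minute {a.minute:>2}: {a.metric} = {a.value}")
```

Run against the constructed data, only minutes 12 and 13 alert, on total volume, on the ping counter and on the ping share, while the SYN counter stays quiet throughout; that combination is what distinguishes a ping flood from a general volume spike or a SYN flood. The z-score with a tight baseline is sensitive, so in production the threshold and the baseline window need tuning against your own quiet hours.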
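Point 3 above asks for a continual audit of firewall filtering policies, including the backup configuration a firewall may reboot into after a flood. The following is an added example, not code from the article: it parses two constructed rulesets in iptables-save format (a primary configuration and a minimal fall-back configuration, both made up for illustration) and reports the DDoS-relevant gaps the article warns about: a default policy other than DROP, an unconditional ACCEPT, pings that are neither rate-limited nor dropped, and TCP SYNs with no rate limit. Chain names, limits and finding texts are assumptions.

```python
"""Audit an iptables-save style ruleset for DDoS-relevant filtering (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed primary configuration: default-deny, pings rate-limited then
# dropped, SYNs passed through a limiting chain before any service is opened.
PRIMARY_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
-A INPUT -p tcp --syn -j SYN_FLOOD
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A SYN_FLOOD -m limit --limit 50/second --limit-burst 100 -j RETURN
-A SYN_FLOOD -j DROP
COMMIT
"""

# Constructed fall-back configuration: the kind of "minimal programming" a
# firewall may come up with after a crash, wide open to inbound traffic.
BACKUP_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
COMMIT
"""


def parse(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Split iptables-save output into chain policies and per-chain rule lists."""
    policies: Dict[str, str] = {}
    rules: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "*")) or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy             # "-" for user-defined chains
            rules.setdefault(chain, [])
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET"
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules


def _target(rule: str) -> Optional[str]:
    tokens = rule.split()
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def _has_limit(rule: str) -> bool:
    return "-m limit" in rule or "-m hashlimit" in rule


def _unconditional_accept(rule: str) -> bool:
    return rule.split()[2:] == ["-j", "ACCEPT"]  # no match between chain and target


def _icmp_echo_controlled(inp: List[str], policy: str) -> bool:
    """True if pings are rate-limited or dropped before any unlimited ACCEPT."""
    for rule in inp:
        if "-p icmp" in rule and "--icmp-type echo-request" in rule:
            if _has_limit(rule) or _target(rule) in ("DROP", "REJECT"):
                return True
            if _target(rule) == "ACCEPT":
                return False
    return policy == "DROP"                      # no explicit rule: pings hit the chain policy


def _syn_rate_limited(inp: List[str], rules: Dict[str, List[str]]) -> bool:
    """True if SYNs meet a limit match directly or in a user chain they jump to."""
    for rule in inp:
        # iptables-save expands --syn into the explicit flag form, so accept both.
        if "--syn" not in rule and "--tcp-flags FIN,SYN,RST,ACK SYN" not in rule:
            continue
        if _has_limit(rule):
            return True
        target = _target(rule)
        if target in rules and any(_has_limit(r) for r in rules[target]):
            return True
    return False


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the ruleset passed."""
    policies, rules = parse(text)
    findings: List[str] = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} default policy is {policies.get(chain, 'missing')}, expected DROP")
    inp = rules.get("INPUT", [])
    if any(_unconditional_accept(r) for r in inp):
        findings.append("INPUT has an unconditional ACCEPT rule")
    if not _icmp_echo_controlled(inp, policies.get("INPUT", "ACCEPT")):
        findings.append("ICMP echo-request is neither rate-limited nor dropped")
    if not _syn_rate_limited(inp, rules):
        findings.append("TCP SYN traffic has no rate limit")
    return findings


if __name__ == "__main__":
    for name, text in (("primary", PRIMARY_RULES), ("backup", BACKUP_RULES)):
        print(f"{name}: {audit(text) or ['OK']}")
```

The primary ruleset passes and the fall-back ruleset produces five findings, which is the point of the exercise: the audit has to be run on every configuration the device can boot into, not just the one that is active today. Treating a DROP of echo-request as equivalent to a rate limit matches the article's "disable ping responses"; on a Linux host the kernel-level form of the same decision is `sysctl -w net.ipv4.icmp_echo_ignore_all=1`, which this audit does not look at.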