When DDoS Happens to Good Networks
DDoS Defined
Distributed denial-of-service (DDoS) attacks first made the news in December of 1999 with the release of the botnet-based DDoS toolkit called trin00. Toolkits continue to evolve, but the core approach remains the same: muster dozens, hundreds or thousands of geographically dispersed hosts to bombard servers with bogus requests so they are so overwhelmed they cannot address the legitimate requests. Since the attack type was born, vendors have been trying to develop products that effectively thwart DDoS.
DDoS Defense Challenges
DDoS is difficult to defend against for at least three reasons.
Innate Vulnerability
First, there is no vulnerability to exploit. The attack is successful because it is the nature of all computing platforms to have some threshold of delivery. Computers, clusters and the cloud all have physical limitations as to how many requests they can respond to at a given time. A successful DDoS only needs to generate enough traffic to exceed that threshold. Many other attack vectors can be protected against through patching, security configuration or policy change. None of these approaches can be used for DDoS prevention. The service need only be made available for it to be vulnerable to attack.
Blocking the Mob
The second issue is that DDoS attacks are difficult to block. There are many different attack sources. This causes the initial problem of being able to effectively block a long list of attacker IP addresses. Potentially thousands of addresses would need to be temporarily added to a blacklist to stop the attack. If an attacker crafts requests to the server posing as a legitimate host (spoofing), the blacklisting may deny service to valid users.
Finding the Perpetrators
This brings us to the third challenge: it is difficult to sift through which users are making valid requests and which are participating in the DDoS. Since all computers accessing services are creating load on the server, they are all contributing to the denial of service. Careful inspection is necessary to determine whether client hosts are of the good or bad type. A lot of calculation needs to be done quickly before any decisions can be made.
When Mitigation Fails
The recent bout of DDoS attacks have left managers scratching their heads as to why DDoS prevention mechanisms failed to work. In my last blog entry, I discussed the importance of surveillance in conjunction with enforcement. DDoS is no different. No matter how sound a protection mechanism is, if attackers are given an indefinite amount of time to breach it, they will succeed.
Attackers are becoming better funded and more sophisticated than ever before. They are able to purchase the same enforcement/prevention mechanisms in place within enterprises and begin crafting circumvention techniques to thwart them. Distribution channels and botnets make it easy to deploy advanced DDoS toolkits quickly. The role of surveillance becomes critical in understanding how attackers were able to succeed.
Network-Based Anomaly Detection
Lancope’s StealthWatch System is an industry-leading, network-based anomaly detection system. StealthWatch builds baselines of normal traffic on every network host, grouping of hosts and relationships between hosts. This approach allows StealthWatch to provide alarms for the following DDoS related conditions:
- High Target Index – Every host is assigned a value denoting how much suspicious activity is being targeted toward it. This provides a prioritized list of which assets are in most danger of faulting.
- Server Response Time – Utilizing FlowSensor and FlowSensor VE technology, StealthWatch can alarm when web server front ends or database back ends are beginning to choke.
- Packets Per Second (pps) – StealthWatch can visualize excessive pps hitting network resources.
- Interface Congestion – Interface level performance metrics are constantly monitored, providing visibility into the physical layers of the attack.
- Max Flows Served – Each server builds a baseline of normal connection volumes. When that threshold is exceeded, StealthWatch operators are alerted.
- Max SYNS Received – When servers begin receiving an “unhealthy” proportion of TCP SYN packets, early notification can occur.
- Relationship High Total Traffic – When custom HTTP requests are crafted to overload data coming from the database backend, alarms on those relationships exceeding the baseline can provide visibility into backend problems that other DDoS solutions miss.
- New Host Active – Legitimate users to a web service tend to make regular visits. Attacking hosts don’t tend to linger or return to the crime scene. StealthWatch is able to differentiate between the two.
- High Concern Index™ – The proprietary Concern Index displays a prioritized value of suspicious or anomalous activity coming from a host. The outside attackers will receive a High Concern Index alarm while the valid computers trying to connect will have a low index.
- Max Flows Initiated – By understanding the flows per minute that a legitimate user creates in accessing services, StealthWatch can alarm against hosts that are exceeding those norms.
Wrap Up
DDoS is one of the few attack types that an organization without proper network surveillance will actually know about (as customers call to complain). However, without intelligent network monitoring, responding to the event becomes nearly impossible. DDoS is a concerning type of attack that continues to cripple organizations. The continued evolution of DDoS toolsets and their wide distribution through hacktivists and botnet-controlled machines requires not only mitigation solutions, but also network visibility that can make sense out of the fog that rises during a denial-of-service attack.