Psychz - Javier
Votes: 0Posted On: Apr 07, 2017 09:53:31
How to fight DDoS attacks?
Distributed Denial of Service attacks (DDoS) on the Internet is rapidly on the rise. Service providers are always under pressure to Monitor, prevent, and mitigate DDoS attacks directed toward their customers. Attacks that are seen every day on the Internet include direct attacks, remote-controlled attacks, reflective attacks, worms, and viruses. Specific attacks directed at a service provider’s infrastructure can be very damaging and cause widespread outages.
To mitigate DDOS attacks, first, you should have an in-depth knowledge of the various types of DDOS attacks that can be incident on your server. Some types of DDoS attacks are mentioned below.
SYN Flood
UDP Flood
HTTP Flood
Ping of Death
If you are a service provider Monitoring the network is highly important especially when there is an attack. Identifying the attack type and entry points are main objectives of a network admin during those critical hours. However, the most important question immediately follows after you notice an attack "How will you stop the attack?".
If you have a good service provider, they should have security architecture with good mitigation techniques. Some are discussed below.
Rate Limiting
Rate limiting is an important tool that can help you mitigate the attack especially when all the traffic to a site cannot be blocked. Remote triggered rate limiting is another possibility and available on a limited number of Cisco platforms.
Advanced BGP (Border Gateway Protocol) Filtering
Detailed packet information that can be fed into BGP that allows filtering of complex DDoS attacks. The attack ACLs could be defined in alignment with a traffic monitor, sinkhole or IDS that would be distributed to the enter the perimeter routers and the attack dropped at the provider’s edge. Making the legitimate traffic pass without interruption.
The ACLs can be centrally managed at the BGP injection router. Software and possibly hardware upgrades would be required to implement this feature from the router vendors.
Attack Distribution using Anycast
IPv4 Anycast implementations have been in use for a decade. Particularly suited for single response UDP queries, DNS Anycast architectures are in use in most tier 1 Internet providers’ backbones. Anycast implementations can be used for both DNS authoritative and recursive implementations. Several root name servers are implementing Anycast architectures to mitigate DDoS attacks. Sinkholes can use Anycast to distribute the load of an attack across many locations.
Anycast provides two distinct advantages in regards to DDoS attacks. When under DDoS attack, the traffic is distributed over a much larger number of servers which helps in distributing the overall load of the attack and allowing the service to withstand it. The main disadvantage of an Anycast is that the server may still be functioning but run at full capacity. This may lead to legitimate queries being unanswered since the resource is exhausted. This may be due to the size of DDoS attack or failure of a neighboring Anycast server without adequate reserve capacity. Eventually leading to crashing the entire service.
As an end user, you can also take some precautionary measures to identify and fight DDoS attacks. Some of these methods are described in detail.
Bandwidth Oversubscription
This is a precautionary method to deal with large DDoS attacks. Imagine a DDOS attack that consumes all the bandwidth allocated to a server. The server's resources would get depleted and eventually the server would be unreachable for legitimate users. To counter this, organizations subscribe for bandwidth much more than the actual requirement. This provides them with a cushion of extra bandwidth in case of a DDOS attack. The server can function normally while other countermeasures are employed to mitigate the attack. This is the most primitive method for organizations in case of a volumetric attack.
Another way of mitigating the attack is to subscribe to multiple ISP's. In case of an attack, you can switch the users to different providers and the attacked prefix can be announced on a separate ISP.
Tools that can save your day
You can make use of some useful tools and equipment available in the market for monitoring and restrict unwanted traffic.
Some of the tools are described in brief.
Nagios
It is an open source application that focuses on system monitoring, protocol monitoring, application monitoring, database monitoring, log monitoring and bandwidth monitoring among others.
There are various Nagios agents available in the market that performs multiple functions.
NRPE – A Nagios agent that provides system monitoring with the help of scripts that are hosted on remote systems.
NRDP - A Nagios agent used for data processing and transfer. It is highly flexible and easily customized.
NCPA – Highly flexible, it provides multiple checks such as CPU, memory or disk usage.
LogicMonitor
A network monitoring application that focuses on monitoring of applications, cloud services, databases among others. To provide efficient monitoring, LogicMonitor provides you with 1000 pre-built monitoring template. It also gives you the access to Netflow, J-Flow and S-Flow data so that you can assess infrastructure performance.
Reporting Tools
NFDUMP
It is a tool used to collect and interpret the flow of data. There are various NFDUMP tools all of which support netflow v5,v7 and v9. Some of the tools are nfcapd, nfdump, nfprofile, nfreplay among others. The primary function of NFDUMP tools is to analyze the data flow continuously as well as keep track of any variation in the traffic patterns.
Wireshark
Wireshark is perhaps one of the best open source packet analyzers available today. It captures the packets traveling over the network and tries to display that packet data as detailed as possible. In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.
Service providers and vendors are quickly adapting to the new landscape. Defense in depth must be practiced by service providers as zero-day exploits are released. Prevention is always the best measure.Regular scanning and auditing will prevent configuration errors from exposing infrastructure to known attacks. Automated DDoS monitoring and reporting will become the standard for service providers as reaction times have gone from days to minutes. It is of utmost importance for the service providers to be prepared for the attacks and mitigate them as they happen.