Although relatively unsophisticated, distributed denial of service (DDoS) attacks are fairly difficult to defend against. The basic concept behind a DDoS attack is simply to flood a victim's Internet service with enough inbound traffic that legitimate traffic cannot get through or the service cannot respond.

Unlike a DoS attack, where only one computer is used to flood the victim's server, a DDoS uses large numbers of computers on a large number of different Internet connections, often distributed globally via a botnet. This distribution of the attack is what makes a DDoS so challenging to defend against, and it is particularly difficult when the DDoS attack is made up of legitimate-looking traffic – just an overwhelming amount of it.

There are essentially three areas that a DDoS can attack, and each one requires a different method of protection.

1 Protocol Attacks – These attacks focus on a part of the IP protocol that is the core of Internet connectivity. They consume server resources in an attempt to tie them all up in communicating with the attack sources and not with legitimate sources. They include attacks known as SYN floods, Ping of Death and fragmented packet attacks. These attacks can be measured in the number of packets per second. Defending against protocol-based attacks is typically accomplished using network behavioral analysis tools that distinguish legitimate traffic from illegitimate traffic. Also, given that these attacks are typically stateful in nature, meaning a full TCP handshake is necessary and therefore ensuring the source IP addresses are not spoofed, the illegitimate traffic can be filtered out by source IP address either manually or via some automated intelligence.

2 Application Attacks – These types of attacks attempt to exploit vulnerabilities in the application layer to crash or hang the Internet service, like Apache or IIS for web services. Slowloris and other request floods are types of application attacks. These attacks can be measured in the number of requests per second. The first level of defending against these attacks is simply to keep the applications up to date and patched to mitigate known vulnerabilities. In addition, things that challenge access, such as cookies or CAPTCHAs, can help distinguish between automated attacks and humans.

3 Bandwidth Attacks – This classic attack method is simply to saturate the entire Internet bandwidth of a victim's service. By sending spoofed packets that don't require a TCP handshake, such as UDP or ICMP floods, it's possible to simply send enough data down a victim's Internet pipe to utilize the entire bandwidth, thereby denying connectivity to any legitimate traffic. These attacks are measured in bandwidth speeds of bits per second. Defenses range from simply having enough bandwidth available to absorb these attacks, potentially by scaling up bandwidth when under attack, up to intelligently identifying the packet floods and filtering them out upstream, typically at the ISP or through some 3rd party anti-DDoS provider.
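
Because each of the three areas is measured in a different unit and calls for a different protection, a monitor can use those units to decide which defense applies. The following is an added example, not code from the article or from Corporate One: the `Sample` schema, the thresholds, the link speed and the trace are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Sample:
    """One second of edge counters (constructed schema, not a real tool's format)."""
    packets: int   # packets per second, the unit for protocol attacks
    requests: int  # requests per second, the unit for application attacks
    bits: int      # bits per second, the unit for bandwidth attacks

# Defenses as the article names them, keyed by attack area.
DEFENSE = {
    "protocol": "network behavioral analysis; filter by source IP",
    "application": "patch the service; challenge clients (cookies, CAPTCHAs)",
    "bandwidth": "absorb with spare bandwidth; filter upstream (ISP, anti-DDoS provider)",
}

def classify(window, baseline, link_bps, factor=5.0, saturation=0.9):
    """Return the sorted attack areas whose metric is abnormal (thresholds are illustrative)."""
    pps = mean(s.packets for s in window)
    rps = mean(s.requests for s in window)
    bps = mean(s.bits for s in window)
    areas = set()
    if bps >= saturation * link_bps:
        areas.add("bandwidth")
    if rps >= factor * baseline.requests:
        areas.add("application")
    # A packet surge that neither fills the pipe nor becomes requests ties up server resources.
    if pps >= factor * baseline.packets and not areas:
        areas.add("protocol")
    return sorted(areas)

def scan(samples, baseline, link_bps, width=3):
    """Slide a width-second window over samples; return (start, areas) per abnormal window."""
    windows = ((i, classify(samples[i:i + width], baseline, link_bps))
               for i in range(len(samples) - width + 1))
    return [(i, areas) for i, areas in windows if areas]

# Constructed sample data: a 100 Mbit/s link, a quiet baseline, then a packet surge.
LINK_BPS = 100_000_000
BASELINE = Sample(packets=2_000, requests=150, bits=8_000_000)
SURGE = Sample(packets=60_000, requests=120, bits=29_000_000)
TRACE = [BASELINE] * 3 + [SURGE] * 3

if __name__ == "__main__":
    for start, areas in scan(TRACE, BASELINE, LINK_BPS):
        print(start, areas, [DEFENSE[a] for a in areas])
```

A window can report both `application` and `bandwidth` when a request flood also saturates the link, which is the case where the layered defenses apply together.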

In our recent partnership with CBTS (a Cincinnati-based IT solutions specialist), Corporate One has been able to enhance our existing DDoS defenses by leveraging their infrastructure. This includes much larger upstream bandwidth connectivity that can absorb many bandwidth attacks. In addition, we are able to take advantage of pre-established relationships through CBTS with two large anti-DDoS providers to seamlessly protect against both protocol attacks and application attacks. Together these provide a layered approach to protection from DDoS attacks.

Bruce Westbrook is assistant vice president, IT Systems Security, at Corporate One Federal Credit Union in Columbus, Ohio.

© 2024 ALM Global, LLC, All Rights Reserved.