Although relatively unsophisticated, distributed denial of service attacks (DDoS) are fairly difficult to defend against. The basic concept behind a DDoS attack is simply to flood a victim’s Internet service with enough inbound traffic that legitimate traffic cannot get through or the service cannot respond.
Unlike a DoS attack, where a single computer is used to flood the victim’s server, a DDoS uses large numbers of computers on a large number of different Internet connections, often distributed globally via a botnet. This distribution is what makes a DDoS so challenging to defend against, and it becomes particularly difficult when the DDoS is made up of legitimate-looking traffic – just an overwhelming amount of it.
There are essentially three areas that a DDoS can attack, and each one requires a different method of protection.
1 Protocol Attacks – These attacks focus on a part of the IP protocol that is the core of Internet connectivity. They consume server resources in an attempt to tie them all up communicating with the attack sources rather than with legitimate sources. They include attacks known as SYN floods, Ping of Death and fragmented packet attacks. These attacks can be measured in the number of packets per second. Defending against protocol-based attacks is typically accomplished using network behavioral analysis tools that distinguish legitimate traffic from illegitimate traffic. Also, because these attacks are typically stateful in nature, meaning a full TCP handshake is required and the source IP addresses therefore cannot be spoofed, the illegitimate traffic can be filtered out by source IP address, either manually or through some automated intelligence.
2 Application Attacks – These attacks attempt to exploit vulnerabilities in the application layer to crash or hang the Internet service, such as Apache or IIS for web services. Slowloris and other request floods are types of application attacks. These attacks can be measured in the number of requests per second. The first level of defense against these attacks is simply to keep the applications up to date and patched to mitigate known vulnerabilities. In addition, access challenges such as cookies or CAPTCHAs can help distinguish automated attacks from humans.
3 Bandwidth Attacks – This classic attack method is simply to saturate the entire Internet bandwidth of a victim’s service. By sending spoofed packets that don’t require a TCP handshake, such as UDP or ICMP floods, it’s possible to send enough data down a victim’s Internet pipe to consume the entire bandwidth, thereby denying connectivity to any legitimate traffic. These attacks are measured in bandwidth speeds of bits per second. Defenses range from simply having enough bandwidth available to absorb these attacks, potentially by scaling up bandwidth when under attack, to intelligently identifying the packet floods and filtering them out upstream, typically at the ISP or through a third-party anti-DDoS provider.
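The three categories above are each measured in a different unit (packets, requests and bits per second), and the defense differs depending on whether the source address can be trusted. The following added example (not code from the original post or from Corporate One or CBTS) classifies a constructed one-second traffic window by those metrics and sorts offending sources into those that completed a TCP handshake, which can be filtered by address locally, and those that did not, which must be filtered upstream. The thresholds and the sample counters are assumptions for illustration.

```python
# Added example: label a one-second traffic window by the three DDoS
# categories (protocol = pps, application = rps, bandwidth = bps) and
# decide where each offending source can be filtered.

# Constructed per-source counters for one second (not a real capture).
# "handshake" records whether the source completed a TCP three-way
# handshake, which means its address was not spoofed.
SAMPLE_WINDOW = [
    {"src": "198.51.100.10", "proto": "TCP", "pkts": 150_000, "bytes": 9_000_000,  "reqs": 0,     "handshake": False},
    {"src": "203.0.113.7",   "proto": "TCP", "pkts": 900,     "bytes": 400_000,    "reqs": 1_500, "handshake": True},
    {"src": "192.0.2.55",    "proto": "UDP", "pkts": 50_000,  "bytes": 70_000_000, "reqs": 0,     "handshake": False},
    {"src": "192.0.2.99",    "proto": "TCP", "pkts": 40,      "bytes": 30_000,     "reqs": 20,    "handshake": True},
]

# Per-second thresholds: assumed values for illustration; tune to the
# link size and the service's normal load.
THRESHOLDS = {"pps": 100_000, "rps": 1_000, "bps": 100_000_000}


def classify_window(window, thresholds=THRESHOLDS):
    """Return the sources matching each attack category and split the
    offenders into address-filterable and upstream-only lists."""
    verdict = {"protocol": [], "application": [], "bandwidth": [],
               "filter_by_ip": [], "filter_upstream": []}
    for f in window:
        hits = []
        if f["pkts"] > thresholds["pps"]:        # packets per second
            hits.append("protocol")
        if f["reqs"] > thresholds["rps"]:        # requests per second
            hits.append("application")
        if f["bytes"] * 8 > thresholds["bps"]:   # bits per second
            hits.append("bandwidth")
        for category in hits:
            verdict[category].append(f["src"])
        if hits:
            # A completed handshake proves the address, so a local ACL
            # entry is effective; spoofable UDP/ICMP or half-open floods
            # have to be dropped upstream at the ISP or scrubbing provider.
            key = "filter_by_ip" if f["handshake"] else "filter_upstream"
            verdict[key].append(f["src"])
    return verdict


if __name__ == "__main__":
    for name, sources in classify_window(SAMPLE_WINDOW).items():
        print(f"{name:16s} {sources}")
```

A real flood is distributed across many sources, so a production version would also compare the window totals against the link capacity rather than only per-source counts.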
Through our recent partnership with CBTS (a Cincinnati-based IT solutions specialist), Corporate One has been able to enhance our existing DDoS defenses by leveraging their infrastructure. This includes much larger upstream bandwidth connectivity that can absorb many bandwidth attacks. In addition, we are able to take advantage of pre-established relationships through CBTS with two large anti-DDoS providers to seamlessly protect against both protocol attacks and application attacks. Together these provide a layered approach to protection from DDoS attacks.