The common view of a denial of service (DoS) attack is that of a flood of requests to a given web server that overwhelms it and render it useless, at least temporarily. Such attacks have most commonly been perpetrated via botnets, a network of hijacked computers compromised by malware coordinated by a command and control server (specifically, such attacks are referred to as DDoS – distributed DoS). Once a server is hit by such an attack it is too late to do much about it, the network is now flooded; traditional firewalls and intrusion prevention systems can be overwhelmed (or even be the primary target) and the intended damage has been done.
In December 2010 successful DDoS attacks were launched against a number of organisations including PayPal, MasterCard and Visa as part of an operation dubbed “Avenge Assange”. Julian Assange, being the front man for WikiLeaks, which relied on donations for funding often made via the targeted financial institutions that were now blocking such payments under pressure from the US government. The incidents are good examples of the effective use of DDoS by political pressure groups. PayPal released outstanding funds as a result, but more importantly WikiLeaks received widespread press coverage and was able to present itself as a victim.
Of course, if the attacks had failed, then they would have gone unnoticed. The best measure is to ensure such attacks never get off the ground. One way is to stop the PCs that form botnets from getting infected in the first place, but ensuring effective anti-malware measures are in place on all PCs everywhere is like trying to eradicate the common cold in humans, near impossible and not cost effective. And anyway, some attacks are not launched via botnets, but rely on “hacktivists” to band together, download software and willingly participate in a co-ordinated effort.
Another way is to target command and control servers. These servers do not link with their botnet clients using fixed IP addresses as this would make them easy to identify and shut down. New Scientist reported in February 2011 on a service called Exposure that monitors activity on DNS servers (these map logical URLs to physical IP addresses, for example so that www.quocirca.com can be found at the physical address 77.68.37.161). Exposure is looking for meaningless URLs that are being constantly moved from one physical address to another to avoid detection. The increasing ability to easily create virtual servers on platforms like Amazon Web Services (AWS) makes the need to identify such activity even more important.
A third way is to spot when a DDoS attack has started through analysing web traffic and looking for tell-tale signs. Ideally this is done by internet and network service providers, in whose interests it is to stop such attacks, both for themselves and their customers. Many use products such as Arbor Network’s Peakflow that can analyse the huge volumes of internet traffic handled by such providers and identify tell-tale signs of a DDoS attack and take actions to block traffic at source, whoever the target might be.
However, a new sort of application level DoS attack has emerged that is less easy for service providers to spot. Rather than flooding the network with huge volumes of traffic, such attacks target a particular application that forms part of a web service, either slowing or crashing the application. For example, it takes far less effort to flood an application memory buffer than it does a high bandwidth network. Preventing such attacks requires protection closer to the web server because service providers may not notice what looks like a legitimate application request in amongst huge volumes of other traffic, whilst at the server end the illegitimate request may be more obvious in the traffic aimed specifically at that server.
Spotting such attacks is the aim of a new product from Arbor. Its Pravail Availability Protection System (APS) is targeted to be installed on the user side of the network rather than the service provider end, helping Arbor to grow its enterprise revenues. To some extent traditional intrusion prevention systems (IPS) from the likes of Cisco, HP, McAfee, IBM and Corero (formerly Top Layer) can be used to spot application DoS attacks, but they are not specifically designed to do so. Some are adapting to the task, for example Corero’s DDS (DDoS Defence System) aimed mainly at the end user end of things. However, some attacks are mixed mode, switching from one attack vector to another when an initial attempt is thwarted, so a coordinated effort covering both the service provider and end user infrastructure is needed.
What of smaller businesses; those with political or commercial reasons to launch DoS attacks do not care about the size of their target if it helps achieve their objective. In fact, because smaller organisations are unlikely to invest in enterprise level protection, they may come to be seen a soft targets. Help is at hand from a UK based company, Adversor. Its DDoS Protection service uses Arbor’s technology and is aimed at providing smaller businesses and service providers with enterprise level DoS protection. Once a problem is identified all network traffic is diverted via the service an scanned and cleaned.
As ever with internet security it is an arms race. As the “bad guys” move from the brute force of network based DDoS to application focussed DoS attacks the vendors have responded. Traditional intrusion prevention systems provide some protection but as the nature of DoS attacks continue to change there will remain a place for specialists that exist to help identify and mitigate them.