ITPRO

Printed from www.itpro.co.uk


Denial of service attacks

By Marcus Austin, IT Pro, 13 Apr 2006 at 12:15

A DDoS (distributed denial of service) attack quickly overwhelms a company's server, router, firewall or network link with traffic. If successful, the attack floods the network with what is effectively 'network spam', so completely that legitimate traffic cannot be processed, and the server, and therefore the company, cannot function. The results can be disastrous: customers go elsewhere, and possibly stay away permanently, and reputations are damaged. In many instances your service provider will cut off your server - known as black hole filtering or null0 - and may also charge you for the bandwidth. So not only will you lose revenue, you'll also be charged for the privilege.

According to a CSI/FBI Computer Crime and Security Survey, in 2004 DDoS attacks were the second-most costly security incident overall for organizations. The Yankee Group Small and Medium Business Infrastructure Survey from December 2004 found that 12 per cent of smaller companies had also reported a DDoS attack in the previous 12 months. At the end of 2004 Gartner predicted that half of all Internet-connected businesses would experience some sort of DDoS attack in the next two years. Yet it's still relatively hard to find many IT personnel who are losing sleep over it.

Mitigate not eradicate

There is nothing you can do to stop an attack, as Mike Prettejohn, director of web traffic analyst firm Netcraft, points out: 'The first thing to get straight is this: you cannot stop a well-constructed DDoS attack; if it uses spoofed - but legitimate - IP addresses, uses HTTP requests and is requesting legitimate pages, such as an SCO-type attack, then all you can do is reduce the effects of the attack.' The SCO attack was directed at IT firm SCO and used a MyDoom virus/worm outbreak that at one point involved between 25,000 and 50,000 machines in the attack.

Most DDoS attacks are criminal in nature. They're there to extort money from your company by bringing down your site. If you're a transactional web site in the gambling arena then you're a prime target. Next up come ecommerce sites. The more you stand to lose from your site being down, the more likely you are to be a target. You're also a target if your site is in an area where there's some controversy: anything to do with the UK military became a target for DDoS after the invasion of Iraq, and any site that has dealings with hunting, animal testing and so on is also a target.

Responding effectively to DDoS attacks is becoming increasingly challenging. In the past, filtering specific source addresses was enough to stop basic DoS attacks. Today's DDoS attacks - distributed by definition - often use tens to hundreds of thousands of sources, courtesy of broadband-connected computers that have been infiltrated by hackers and turned into 'zombies'. Zombie traffic resembles legitimate user traffic; separating them can be extremely difficult, and often requires large computing resources.
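The point above about source filtering can be seen in a small worked example, added here and not part of the original article. All addresses, request counts, the per-source limit and the server capacity are constructed assumptions; the same 5,000 unwanted requests arrive once from a single source and once spread across 2,500 sources.

```python
from collections import Counter

CAPACITY = 1000          # requests per window the server can handle (assumed)
PER_SOURCE_LIMIT = 20    # requests per window before a source is filtered (assumed)

# Constructed traffic: 50 legitimate clients, 4 requests each.
LEGIT = [f"198.51.100.{i}" for i in range(1, 51)]
LEGIT_TRAFFIC = [src for src in LEGIT for _ in range(4)]

# Constructed basic DoS: one source sends 5,000 requests.
DOS_TRAFFIC = LEGIT_TRAFFIC + ["192.0.2.10"] * 5000

# Constructed DDoS: 2,500 zombies send 2 requests each (same 5,000 total).
ZOMBIES = [f"10.{i // 250}.{i % 250}.7" for i in range(2500)]
DDOS_TRAFFIC = LEGIT_TRAFFIC + [src for src in ZOMBIES for _ in range(2)]


def evaluate(sources, limit=PER_SOURCE_LIMIT, capacity=CAPACITY):
    """Filter sources over the limit, then report what still reaches the server."""
    counts = Counter(sources)
    blocked = {src for src, n in counts.items() if n > limit}
    passed = sum(n for src, n in counts.items() if src not in blocked)
    return {
        "blocked_sources": len(blocked),
        "legit_blocked": len(blocked & set(LEGIT)),
        "passed_requests": passed,
        "overloaded": passed > capacity,
    }


if __name__ == "__main__":
    print("basic DoS    :", evaluate(DOS_TRAFFIC))
    print("DDoS         :", evaluate(DDOS_TRAFFIC))
    # Tightening the limit until zombies are caught also cuts off real users.
    print("DDoS, limit=1:", evaluate(DDOS_TRAFFIC, limit=1))
```

In the distributed case each zombie sends fewer requests than a real client, so any per-source limit low enough to catch them blocks every legitimate user as well.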

As Prettejohn points out, one of the easiest ways of mitigating DDoS attacks 'is to throw money at the problem. More bandwidth and more servers will solve the problem'. Dominic Monkhouse is MD of hosting company RackSpace, the only company to offer a guarantee on traffic. 'One of the ways to reduce the effect of a DDoS is to "out bandwidth" the attackers. Some of the attacks we have seen have peaked at over 1.5Gbs - a typical attack will be 10-100Mbs - so we have a capacity of 8Gb although an orchestrated attack could still bring even the biggest network down,' he says.
