Can the Government Prevent a DDoS Attack?
By Will Hogan

Will Hogan is Vice President of Marketing and Sales at Idappcom, a British firm which specializes in the provision of tools to test the efficacy of IP filtering appliances. He has contributed an interesting proposal for fighting distributed denial-of-service (DDoS) attacks. The remainder of today's column is entirely Mr Hogan's, with minor edits.

***

On the 8th December 2010 a group of hackers launched distributed denial-of-service (DDoS) attacks against the Visa < http://www.digitaltrends.com/computing/wikileaks-supporters-teardown-visa-in-ddos-attack/ > and PayPal < http://news.softpedia.com/news/FBI-InvestigatesAnonymous-DDoS-Against-PayPal-175442.shtml > Web servers and also on a Swedish Government Website < http://www.dailymail.co.uk/news/article-1336806/WikiLeaks-hackersOperation-Payback-cyber-war-targets-Swedish-Government.html >. The attacks were successful and the services offered by all these sites were severely disrupted. If major corporations, which operate in a multi-national environment, couldn't prevent these attacks, can the UK Government stop such an attack on one of their Web services? Probably not.

One of the key limitations of today's computers is the maximum number of simultaneous connections, 65,535, that can be made to a Windows based PC/server < http://support.microsoft.com/kb/196271 >. This limit provides a basis for resource exhaustion and therefore for denial-of-service (DoS) attacks. If a hacker, or group of hackers, can sustain 65,535 concurrent sessions to a server, they will deny that service to anyone else.

There are two types of DoS attacks < http://www.mekabay.com/courses/academic/norwich/is340/is340_lectures/csh5_ch18_denial-ofservice_attacks.pdf >: those intended to crash the system (such as the ping of death) and those intended to flood the system with requests for resources (bandwidth, processor time, disk space, etc.).
You can configure your routers not to respond to ping requests or broadcasts, or not to forward packets directed to broadcast addresses. Modern Internet Protocol (IP) filtering appliances are now smart enough to mitigate these threats by dropping any ping that is greater than a configured size (for example, 84 bytes) and by allowing only a limited number of simultaneous connections from any single IP address. This second approach is effective against DoS flood attacks if the limit is set low, say five or six. To generate sufficient resource requests from so few connections per source would need a very high number of hackers, more than could be organized into one group. So DoS hackers found an alternative approach.

Distributed Denial of Service (DDoS) < http://www.networkworld.com/news/2010/120910wikileaks-ddos-attacks.html > gets the hackers around this restriction. In a DDoS attack the hackers are not sending the DoS attack from their own PC. Instead they are using a network of PCs on which they have managed to place a zombie agent < http://www.networkworld.com/community/node/60101 > that lets them direct the compromised PCs to fire off the DDoS attack under the control of a master or controller program. The collection of compromised systems is known as a botnet < http://www.networkworld.com/community/blog/researchers-unsheathe-new-tool-battlebotnets?source=nww_rss >. One hacker can be in control of several thousand zombie agents, each getting five or six concurrent connections to a Web server without the PC owner's being aware of the compromise. A small group of hackers, acting in concert, could easily deny access for any legitimate user or crash a system. Current IP filtering technology can't prevent these types of attacks, so can we do anything to defend ourselves? Well, there are things we could do in theory:
* Catch all the hackers and lock them up.
  o Just not going to happen (and what about those sponsored by nation states?).
* Legislate to ensure that all PC operating systems/applications are completely secure against all infiltration of malware.
  o A nice idea but really impracticable. Even if you could do this you can't stop the fool who opens an unsolicited email and double-clicks on the attachment with no idea of what it will do (it could install a Trojan).
* Install your Web service application on a large number of independent servers based in different parts of the world.
  o Each one could still be attacked but the chances of their all going down are slim.
* Use an independent DDoS proxy service provider.
  o This removes the onus from you to set up your own defenses and suffer the capital costs involved. It might introduce some latency to the service and other possible points of failure.
* Use a specialized DDoS mitigation appliance from one of the major vendors.
  o This is an expensive solution and currently it seems that no single appliance can prevent all types of attacks. You will also need to have 10GB communications links and high-end routers to cope with the behavioral analysis and deep packet inspection that is required.
* Install your Web service application on a large number of independent servers in one location and then front-end this with an array of load balancing equipment.
  o This solution might be cost prohibitive for some organizations, but if the service that you provide is really important, say for instance the self-assessment tax system in the UK, then how much is it worth to the nation for this system not to be the target of a successful attack?
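The per-source connection cap and the 65,535 ceiling discussed above, as an added example that is not part of the column: a small Python model that replays constructed connection events through both limits and shows why a per-IP cap of six stops a single source but not a population of sources each staying under it, and how spreading the service over several load-balanced servers raises the ceiling. The constant names, function names and the 10.x / RFC 5737 sample addresses are my assumptions, not anything from the column.

```python
from collections import defaultdict

GLOBAL_CAP = 65535        # connection ceiling the column quotes for a Windows server
PER_SOURCE_CAP = 6        # "five or six" simultaneous connections per source IP

def filter_connections(events, per_source_cap=PER_SOURCE_CAP, global_cap=GLOBAL_CAP):
    """Replay (src_ip, 'open'|'close') events through a per-source cap and a
    global ceiling, the way the column describes an IP filtering appliance.

    Returns accepted/rejected counts, the sources that hit the per-IP cap
    (what the appliance would log) and whether the global ceiling was reached,
    i.e. whether a legitimate user arriving at that point would be denied.
    """
    active = defaultdict(int)        # currently open connections per source
    total = accepted = rejected = 0
    capped_sources, exhausted = set(), False
    for src, action in events:
        if action == "close":
            if active[src] > 0:
                active[src] -= 1
                total -= 1
        elif active[src] >= per_source_cap:   # one source over its own limit
            rejected += 1
            capped_sources.add(src)
        elif total >= global_cap:             # server-wide ceiling reached
            rejected += 1
            exhausted = True
        else:
            active[src] += 1
            total += 1
            accepted += 1
    return {"accepted": accepted, "rejected": rejected,
            "capped_sources": sorted(capped_sources), "exhausted": exhausted}

def single_source_check(attempts=1000):
    # Constructed input: one host (RFC 5737 test address) opening many connections.
    return filter_connections([("203.0.113.9", "open")] * attempts)

def distributed_check(sources, servers=1, per_source=PER_SOURCE_CAP):
    # Constructed input: many distinct sources, each staying within the per-IP
    # cap, followed by one legitimate user. `servers` models spreading the
    # service over several servers behind load balancers (the ceiling scales).
    events = [(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", "open")
              for i in range(sources) for _ in range(per_source)]
    events.append(("198.51.100.1", "open"))        # the legitimate user
    return filter_connections(events, global_cap=GLOBAL_CAP * servers)

def sources_to_exhaust(servers=1, per_source=PER_SOURCE_CAP):
    # Smallest number of cap-compliant sources that still fill the ceiling.
    return -(-(GLOBAL_CAP * servers) // per_source)
```

With the column's numbers the per-IP cap alone leaves the ceiling reachable by 10,923 compliant sources, which is why the text treats per-IP limiting as a DoS, not a DDoS, defence.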

DDoS attacks happen and Governments are not immune. In the summer of 2010 the Irish Central Applications Office server was hit by a DoS attack < http://colinemanning.blogspot.com/2010/08/cao-denial-of-service-attack-myarse.html?zx=64c009f665c7d360 >. In 2009, during the Iranian elections, the official Website of the Iranian government was attacked < http://www.pcworld.com/article/166714/with_unrest_in_iran_cyberattacks_begin.html > and made inaccessible.

There is no foolproof method to prevent a DDoS attack at present. However, for mission-critical Web services, it is vitally important to apply these recommendations:

* Protect systems with the best IP filtering appliances available.
* Test these appliances for effectiveness weekly, using a testing tool specifically designed for the task.
* Keep these appliances constantly updated with the vendors' latest patches.
* Stress test the whole system on a regular basis using industry-approved load generating solutions.
* Spread the service across multiple servers managed through an array of load-balancing appliances.

***

Will Hogan < mailto:[email protected] > has been in the I.T. industry for over 28 years after initially training in Management Accountancy. He has held positions in general management, financial management, project management, sales management, channel management, marketing, systems analysis and application development. He worked in software sales with SSA (a major US vendor of ERP) for 12 years and sat on the EMEA regional management board, after which he was the MD of IDvelocity, a US Data Collection and Mobile Computing Software company. After living in the US for two years he joined Idappcom.

Idappcom < http://www.idappcom.com > specialize in the provision of tools to test the efficacy of IP filtering appliances. Their flagship product, Traffic IQ Professional, is used by many appliance vendors and their clients and contains a unique library of real world threats and attacks. Idappcom is exhibiting at Infosecurity Europe 2011 < http://www.infosec.co.uk >, the No. 1 industry event in Europe, where information security professionals address the challenges of today while preparing for those of tomorrow. Held from 19th to 21st April at Earl's Court, London, the event provides an unrivalled free education program, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise.

***

M. E. Kabay < mailto:[email protected] >, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. < http://acsi-cybersa.com/ > and Associate Professor of Information Assurance < http://norwich.edu/academics/business/infoAssurance/index.html > in the School of Business and Management < http://norwich.edu/academics/business/faculty.html > at Norwich University < http://www.norwich.edu >. Visit his Website for white papers and course materials < http://www.mekabay.com/ >.

Copyright © 2011 Will Hogan & M. E. Kabay. All rights reserved.
Permission is hereby granted to Network World to distribute this article at will, to post it without limit on any Web site, and to republish it in any way they see fit.