DDoS Defence and Dodging the Low-Orbit Ion Cannon

Distributed Denial of Service events, known as DDoS attacks, are now relatively commonplace in all parts of the internet. There’s almost always a DDoS attack taking place somewhere in the world, and a high-profile one reaches the news every couple of days. These destructive but easy attacks can compromise websites, businesses and infrastructure for hours or days, causing serious harm to the systems’ owners.

Some relatively well-known DDoS attacks over the past year or so include one on a series of Dutch government ministry websites, all the way to an (arguably more notorious) attack on Microsoft’s Xbox Live gaming network – the latter of which took place just after Christmas, at a time when customers were eager to use their new products and services.

What is a DDoS attack?

A DDoS attack can be any one of a number of different types of attack, but all of these boil down to the same fundamental principle – a sustained set of requests that overload a website or database and prevent other people from using it. Sometimes the DDoS attack is small enough for the website to withstand it entirely, and sometimes the website is able to continue slowly or with limited functionality. But many of these DDoS attacks will completely disable a system, rendering it useless for hours at a time.

These DDoS attacks are usually brought about using a network of compromised computers, sometimes referred to as a botnet. In a few cases, individual computer users have utilised their own computers to assist in a DDoS attack, using a widely-available piece of free software called the Low-Orbit Ion Cannon. This programme (named after a fictional computer game weapon) has been widely used in DDoS attacks associated with Anonymous, and is a more common strategy in DDoS attacks with political foundations.

The botnet type DDoS attacks are a scary development for the web security industry and law enforcement. These networks of machines are made available on darknet markets for hire on an hourly basis, making a large DDoS attack feasible for anyone with an internet connection and some bitcoin. These services, often operating from relatively lawless areas of the world, seem here to stay – despite the best efforts of Western police forces to take them out of commission.

Arranging the right defences against DDoS attacks

With DDoS attacks being an immensely destructive weapon in the arsenal of cyber criminals, and one that is incredibly easy to access for anyone with a grudge or more sinister intent, it’s essential for businesses to invest in DDoS protection. While most businesses will buy a DDoS defence solution, IT departments must avoid the classic errors that could put their systems at risk of attack.

The most common mistake is attempting to guard their networks using inappropriate technology. A network firewall, for example, protects Layer 4 (transport-layer) protocols, and it can perform deep packet inspection too. But to safeguard effectively against web application layer attacks, you need to terminate the HTTP or HTTPS connection and even rewrite traffic in order to identify and treat threats.

A comparison would be using a network firewall to prevent spam emails. It simply won’t work – trying to use the wrong technology to mitigate risk is going to result in failure. Even worse, it creates a false sense of security and complacency that could be incredibly damaging to a business.

How to sift the wheat from the chaff

The central remit of any DDoS defence is to differentiate between malicious DDoS traffic and real, human requests. By challenging the DDoS traffic and allowing real users through, the system can remain working and online. One solution involves reputation intelligence – by using real-time information in conjunction with historical data, the system can screen requests against what it knows about the malicious traffic. This is utterly reliant on frequent, comprehensive updates to the reputation criteria, however.

Dynamic client fingerprinting is another strong defence against DDoS attacks, especially when a DDoS botnet is widely distributed. Challenging suspicious requests with something as simple as a CAPTCHA request can be enough to mitigate a DDoS attack if the systems in place implement your strategy effectively.
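The screening described above, as an added example that is not part of the original article: a request screener that blocks on fresh reputation intelligence, refuses to block on a stale feed, groups clients by a dynamic fingerprint, and escalates to a CAPTCHA challenge when one fingerprint exceeds a rate. The reputation feed, thresholds and request headers are constructed assumptions.

```python
"""Added example (not from the original article): a request screener that
combines IP reputation intelligence with a dynamic client fingerprint and
escalates to a CAPTCHA challenge. Feed, thresholds and headers are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

MAX_REPUTATION_AGE = 3600   # seconds; an older feed is too stale to block on
RATE_WINDOW = 10            # seconds of sliding window per fingerprint
RATE_LIMIT = 20             # requests per window before a CAPTCHA is served

@dataclass
class Reputation:
    bad_networks: list      # CIDR strings from the (constructed) reputation feed
    updated_at: float       # epoch seconds of the last feed refresh

    def is_listed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.bad_networks)

class Screener:
    def __init__(self, reputation):
        self.rep = reputation
        self.hits = defaultdict(list)   # fingerprint -> recent request times
        self.solved = set()             # fingerprints that passed a CAPTCHA

    @staticmethod
    def fingerprint(req):
        # Group clients by how they present themselves rather than by source IP,
        # so a widely distributed botnet running one tool shares a fingerprint.
        return (req["ua"], req["accept_lang"], req.get("accept_enc", ""))

    def decide(self, req, now):
        """Return 'allow', 'challenge' or 'block' for one request."""
        listed = self.rep.is_listed(req["ip"])
        fresh = now - self.rep.updated_at <= MAX_REPUTATION_AGE
        if listed and fresh:
            return "block"              # fresh intelligence: drop outright
        fp = self.fingerprint(req)
        if fp in self.solved:
            return "allow"              # this client already passed a CAPTCHA
        if listed:
            return "challenge"          # stale feed: too old to block on
        window = [t for t in self.hits[fp] if now - t < RATE_WINDOW]
        window.append(now)
        self.hits[fp] = window
        return "challenge" if len(window) > RATE_LIMIT else "allow"

    def captcha_solved(self, req):
        self.solved.add(self.fingerprint(req))
```

The stale-feed branch is the practical point: a reputation list that has not been refreshed is demoted from a hard block to a challenge, so the fingerprint and CAPTCHA layers still carry the defence.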

Should my DDoS defence be in the cloud?

Cloud solutions to DDoS attacks are very tempting, partly because they are incredibly easy to set up and essentially run themselves. These systems work by redirecting all the traffic bound for your system to the cloud provider, using DNS manipulation, where it is scrubbed before being delivered, clean, to the destination server. But it doesn’t take much for a determined cyber criminal to evade these measures and attack your servers directly, bypassing the scrubbing layer altogether. For this reason, having a DDoS defence system on your own premises can be a godsend if you do become a target.

A network firewall alone will leave your web applications exposed to criminal damage, terrorism, politically-motivated attack and straight-up vandalism. Use a web application firewall, keep the reputation criteria of your IP reputation intelligence system up to date, and consider a responsive bot challenge such as a CAPTCHA. We’re going to see an increase in this type of attack – don’t let your business fall victim.

For more information on Barracuda and their products, visit our website.
