Cyber-extortionists and other miscreants of the internet have a favorite weapon: DDoS attacks. According to a 2004 Computer Security Institute/Federal Bureau of Investigation study, DDoS attacks accounted for $26 million in losses in 2004.
But in reality, these losses are significantly higher, since many DDoS attacks go unreported due to corporate sensitivity to security breaches and law enforcement's limited ability to address them.
Traditional security mechanisms cannot counter these attacks. By the time DDoS traffic floods the network, the effect is already being felt – the data pipe is jammed with packets, blocking any inflow or outflow from the website or application server.
The very nature of some security technology makes DDoS attacks difficult to thwart. Firewalls and intrusion prevention devices keep unauthorized traffic out of a network. But DDoS attacks carry legitimate traffic as well as malicious traffic.
The key to overcoming this problem is to assess not only content, but also traffic flow behavior. Router filters and other rate-limiting tools can defend against some of these problems, but often cannot respond fast enough to prevent major damage. The goal is to remove malicious traffic from the data pipe before it reaches the perimeter.
Countering a DDoS attack requires a purpose-built, system-level architecture that detects and mitigates increasingly sophisticated, complex and deceptive traffic. To do this, organizations can now work with their telecomms service provider to set up a tightly integrated defense system that can stop DDoS traffic upstream.
Fortunately, more and more telcos offer DDoS security services. But it pays to ask them how they work. For optimal protection, the service should consist of a three-part, systems-based defense that involves detection, diversion, and mitigation.
In some cases, such as large corporations with major data centers, the service provider can deploy DDoS protection directly within the enterprise's network, or the enterprise can take on that role itself.
Regardless of who is doing the installation and protection, the first step in DDoS defense is to set up a baseline measurement of traffic. By creating profiles of normal traffic flows, detection devices can respond more quickly and effectively to abnormal traffic patterns. Because DDoS attacks use large volumes of ordinary traffic to flood a destination, defensive devices must examine and analyze traffic behavior.
While DDoS detection mechanisms look out for aggregate changes in traffic behavior that might signal an attack, DDoS mitigation devices perform a more granular analysis at the level of individual users and sources to determine whether countermeasures should be applied.
When traffic spikes above normal, it is diverted to a "cleaning" center where it can be examined by a mitigation device that separates bad traffic from good. Sometimes traffic exceeds normal limits for legitimate reasons, such as "flash crowds" responding to internet sales promotions, or surges of visits to news sites. An effective DDoS defense diverts all such surges for investigation and filtering.
Using anti-spoofing mechanisms and per-source analysis, the mitigation device allows legitimate users to proceed unimpeded, but drops other sources determined to be "misbehaving" or creating more than their share of the traffic. Once bad traffic is scrubbed, legitimate traffic is returned to the data path.
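The three steps above (baseline, aggregate detection with diversion, then per-source scrubbing) can be shown end to end on sample data. The following script is an added example written for this page; it is not Cisco's or any provider's code, and the flow records, the 3-sigma aggregate threshold, the per-source cap of three times the largest baseline sender, and the 20% share limit are all constructed assumptions chosen to make the behaviour visible. It models the two cases the text contrasts: a flash crowd (many sources, each small) that is diverted but passes the scrubber untouched, and a flood from a handful of sources that exceed their share and are dropped while the normal sources are forwarded.

```python
"""Toy detection / diversion / mitigation pipeline (added example, not from
the article).  Step 1 learns a baseline from normal windows, step 2 flags a
window whose aggregate volume exceeds the baseline, step 3 analyses the
flagged window per source and drops only the sources that misbehave."""

from collections import defaultdict
from statistics import mean, pstdev


def _window(w, sources, packets):
    """Build constructed flow records (window, source_ip, packets)."""
    return [(w, src, packets) for src in sources]


# Constructed sample data (assumed, not captured traffic).
NORMAL_SOURCES = [f"10.0.0.{i}" for i in range(1, 11)]           # 10 regular clients
CROWD_SOURCES = [f"198.51.100.{i}" for i in range(1, 201)]       # 200 flash-crowd visitors
ATTACK_SOURCES = [f"203.0.113.{i}" for i in range(1, 5)]         # 4 flooding hosts

FLOWS = []
for w, per_src in enumerate([100, 105, 110, 100, 105]):          # windows 0-4: normal
    FLOWS += _window(w, NORMAL_SOURCES, per_src)
FLOWS += _window(5, CROWD_SOURCES, 20)                           # window 5: flash crowd
FLOWS += _window(6, NORMAL_SOURCES, 100) + _window(6, ATTACK_SOURCES, 2000)  # window 6: flood

BASELINE_WINDOWS = range(0, 5)


def per_source_counts(flows, window):
    """Packets per source within one time window."""
    counts = defaultdict(int)
    for w, src, pkts in flows:
        if w == window:
            counts[src] += pkts
    return dict(counts)


def build_baseline(flows, windows, sigma=3.0, source_multiplier=3.0):
    """Step 1: profile normal traffic.  Returns the aggregate threshold that
    triggers diversion and the per-source cap applied during mitigation.
    sigma and source_multiplier are assumed tuning values."""
    totals, max_per_source = [], 0
    for w in windows:
        counts = per_source_counts(flows, w)
        totals.append(sum(counts.values()))
        max_per_source = max(max_per_source, max(counts.values()))
    return {
        "aggregate_threshold": mean(totals) + sigma * pstdev(totals),
        "per_source_cap": source_multiplier * max_per_source,
    }


def is_anomalous(flows, window, baseline):
    """Step 2: detection looks only at aggregate volume versus the baseline."""
    total = sum(per_source_counts(flows, window).values())
    return total > baseline["aggregate_threshold"]


def scrub(flows, window, baseline, max_share=0.20):
    """Step 3: per-source mitigation in the cleaning centre.  A source is
    dropped if it exceeds the per-source cap or takes more than max_share of
    the window's traffic (assumed rule); everything else is forwarded."""
    counts = per_source_counts(flows, window)
    total = sum(counts.values())
    dropped = {src for src, pkts in counts.items()
               if pkts > baseline["per_source_cap"] or pkts / total > max_share}
    forwarded = sum(pkts for src, pkts in counts.items() if src not in dropped)
    return {"dropped": sorted(dropped),
            "forwarded_packets": forwarded,
            "dropped_packets": total - forwarded}


def process_window(flows, window, baseline):
    """Whole pipeline for one window: normal windows stay on the direct path,
    anomalous ones are diverted through scrub() and the clean part returned."""
    if not is_anomalous(flows, window, baseline):
        total = sum(per_source_counts(flows, window).values())
        return {"diverted": False, "forwarded_packets": total}
    result = scrub(flows, window, baseline)
    result["diverted"] = True
    return result


if __name__ == "__main__":
    base = build_baseline(FLOWS, BASELINE_WINDOWS)
    print("baseline:", base)
    for w in range(7):
        print(f"window {w}:", process_window(FLOWS, w, base))
```

Running it shows windows 0 to 4 taking the direct path, window 5 diverted but forwarded in full (no source exceeds the cap or its share), and window 6 diverted with the four flooding hosts dropped and the 1,000 packets from the regular clients returned to the data path. The two mitigation rules are deliberately independent: the cap catches a source that is loud in absolute terms, the share limit catches one that dominates a window even when the absolute count looks modest.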
Solid defenses for DDoS attacks are not yet widely implemented, and creating such attacks is becoming increasingly easy for those intent on mischief and cyber-crimes. By working with telecomms firms to implement systems, architectures and processes that keep malicious traffic from ever reaching the corporate network, companies can avoid service disruptions, damaged reputations, lost custom, and the potential for extortion.
Mick Scully is vice-president of product management at Cisco's Security Technologies Group