Designing and Deploying Effective Defenses Against Denial-of-Service Attacks

One of the worst things a company can endure is watching helplessly as its web site goes under attack by hackers. Several of the most popular sites on the web - from Yahoo! to Microsoft - have experienced severe financial losses after their sites went down because of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. According to a recent study by scientists at the University of California San Diego's supercomputing facility, more than 4,000 DoS attacks occur each week. Even more troubling is the fact that DoS attacks are likely to increase as hackers improve their skills and new weaknesses in source code are uncovered. In the wake of the September 11 terrorist attacks, Gartner, Inc. is advising users to ask ISPs for contractual denial-of-service protection. During September and October this year, the Code Red and Nimda worms infected computer systems worldwide, leaving them more vulnerable to attackers seeking zombie systems for DDoS attack activities.
Instead of hacking into target systems to steal passwords or other sensitive information, DoS attacks overwhelm the target systems with massive amounts of bogus and/or defective traffic intended to undermine the systems' ability to function normally. DoS attacks illegally consume scarce, limited and non-renewable resources, thereby depriving legitimate system owners and users of the ability to exercise their access rights.

DoS attacks can take a number of different forms, with new DoS threats constantly emerging even as defenses are developed for existing attack modes. Some of the most prominent DoS attacks experienced to date include:

  • TCP SYN flood ('SYN-ACK') attacks initiate a flood of half-open handshakes and never acknowledge the server's SYN-ACK responses, thus preventing the servicing of legitimate handshake requests.
  • 'Teardrop attacks' send packets with overlapping offset fields, making it impossible for the targeted server to correctly reassemble the packet fragments.
  • 'Smurf attacks' spoof the target system's IP address as the source and broadcast Internet control message protocol (ICMP) ping requests across multiple subnets, so that every host on those subnets sends its reply to the target.
  • 'UDP flood' attacks generate very high numbers of packets to consume available bandwidth between systems.

Distributed denial-of-service (DDoS) attacks amplify the adverse impacts and reach of DoS threats by subversively co-opting large numbers of individual computers, using them to transmit bogus traffic at the target network from many different directions at the same time.

Effective protection against DoS and DDoS attacks must span the whole spectrum of countermeasures and prevention techniques, deployed across all levels of the network infrastructure, including individual LANs and enterprise networks, as well as throughout the network cloud. Reliable firewall solutions are needed to prevent unauthorized traffic from clogging shared transport structures, to protect private enterprise-level networks and also to prevent co-opting of local resources for use in DDoS attacks.

DoS and DDoS attacks can only achieve their disruptive objectives when the flood of unauthorized or corrupt transmissions is able to exceed the ability of the targeted network servers to sense and eliminate the illegitimate traffic. In the battle against the constant evolution and escalation of DoS assaults, service providers and enterprise network administrators are increasingly turning to the use of specially-tailored hardware/software solutions as their first line of defense. Deployed at critical points throughout the network edge and transport cloud, these specialized devices are designed to deliver firewall protection and virtual private network (VPN) services that include real-time on-the-fly detection and disposition of DoS attacks.

Because the illicit goal of DoS attacks is to disable network resources, it is not enough simply to identify that an attack is occurring. Unless the preventive mechanisms can actually segregate the bogus traffic and gracefully divert it away from the ongoing flow of legitimate traffic, the attackers have won by default. Today's more advanced firewall solutions address this issue through the use of a multi-tiered hardware/software architecture, which separates the data-path (or 'fast-path') flow from the control-path. The dynamic establishment and maintenance of distinct 'sessions' within the firewall structures allows the unimpeded flow of legitimate traffic from sources that have been authenticated, while simultaneously scrutinizing all other traffic to detect and identify illegitimate transmissions. When evaluating firewall products for their effectiveness against DoS attacks, customers should look for testing results that confirm sustained performance of existing sessions, without any adverse impacts from new connections or attacks.

The most advanced firewall products use a process called 'protocol inspection.' For example, the first few packets of a particular connection would typically be routed across the control path to authenticate the validity of the source and the traffic types, after which the balance of traffic for that authenticated session could then be delivered directly across the data path. Because the firewall's control path is physically separated and totally independent from the data path, a flood of unauthorized traffic that hits the control path has no impact on legitimate connections already assigned to the data path. Today's leading VPN/firewall appliances have implemented the data path/control path separation mechanisms in high-speed ASICs in order to provide sustained wire-speed performance throughout the DoS defense system.
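The data-path/control-path split described above, as an added toy simulation (this is not RapidStream's code or any product's implementation): new flows are inspected on a capacity-limited control path until the client acknowledges the server's SYN-ACK, after which the flow sits in a session table and is forwarded on the fast path. The addresses, capacities and traffic volumes are all constructed; the same model with `split_paths=False` shows what happens when every packet must pass inspection.

```python
import random
from collections import Counter

# Added example, not RapidStream's code: toy model of the article's data-path /
# control-path split. Capacities and traffic sizes are constructed.
class Firewall:
    def __init__(self, inspect_capacity, split_paths=True):
        self.inspect_capacity = inspect_capacity   # packets the control path can inspect
        self.split_paths = split_paths             # False: every packet is inspected
        self.sessions = set()                      # authenticated flows (fast path)
        self.handshake = {}                        # flow -> TCP flags seen so far
        self.stats = Counter()

    def handle(self, pkt):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if self.split_paths and flow in self.sessions:
            self.stats["fast_path"] += 1           # forwarded without touching the control path
            return "forward"
        if self.stats["inspected"] >= self.inspect_capacity:
            self.stats["dropped"] += 1             # control path saturated by new connections
            return "drop"
        self.stats["inspected"] += 1
        flags = self.handshake.setdefault(flow, [])
        flags.append(pkt["flags"])
        if flags[:2] == ["SYN", "ACK"]:            # client ACKed our SYN-ACK: source is real,
            self.sessions.add(flow)                # so the flow moves to the session table
        elif flags[0] != "SYN":
            self.stats["dropped"] += 1             # data segment without any handshake
            return "drop"
        self.stats["forward"] += 1
        return "forward"

def pkt(src, sport, flags):
    return {"src": src, "sport": sport, "dst": "10.0.0.5", "dport": 80, "flags": flags}

def simulate(split_paths, n_legit=20, flood=2000, seed=1):
    """Fraction of legitimate data segments forwarded while a SYN flood hits the control path."""
    rng = random.Random(seed)
    fw = Firewall(inspect_capacity=500, split_paths=split_paths)
    legit = [(f"192.0.2.{i}", 40000 + i) for i in range(n_legit)]     # constructed clients
    for src, sport in legit:                   # handshakes complete before the flood begins
        fw.handle(pkt(src, sport, "SYN")); fw.handle(pkt(src, sport, "ACK"))
    data = [pkt(src, sport, "PSH") for src, sport in legit for _ in range(10)]
    spoofed = [pkt(f"spoofed-{k}", 1024 + k, "SYN") for k in range(flood)]  # never completes
    stream = data + spoofed
    rng.shuffle(stream)
    forwarded = sum(fw.handle(p) == "forward" and p["flags"] == "PSH" for p in stream)
    return forwarded / len(data)
```

With the split, every established session's data is forwarded (`simulate(True)` returns 1.0); without it, the flood consumes the inspection budget and most legitimate data is dropped alongside the spoofed SYNs.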

In addition, by incorporating a sophisticated probability model within the control path, state-of-the-art firewalls can further reduce the impacts of DoS attacks by weeding out bogus traffic on-the-fly, while minimizing performance effects on the authentication and flow of normal traffic. While most firewall devices allow establishment of pre-set threshold levels for authorized connections and traffic, the typical response of rejecting all excess traffic plays directly into the hands of DoS attackers. Because no distinction is made between legitimate and illegitimate traffic, 'good' traffic above the threshold is refused right along with 'bad' traffic, thereby negatively impacting network performance. This exacerbates the problem because it requires the good traffic to be sent again, which further adds to the network congestion. In contrast, the use of a probability model ASIC enables the system to keep functioning gracefully at acceptable performance levels even when the thresholds have been exceeded.

Instead of arbitrarily discarding all good and bad packets that are above threshold parameters, the probability model is designed to qualitatively segregate the excess traffic and forward those packets that meet certain criteria. Experience has shown that there are distinct differences in the behavior of good vs. bad packets. For example, good packets tend to follow established protocols and exhibit consistent patterns of re-transmission and persistence, as compared to the non-predictable behavior of many bogus DoS packets. By combining on-the-fly protocol inspections and behavior analysis within the probability model, today's most advanced firewall devices are able to re-assign high levels of legitimate traffic to the fast-path, even while under DoS attack. Our company has discovered in real-world testing of ASIC-based VPN/firewall appliances that a well-tailored probability model in combination with a multi-path architecture can enable more than 90 percent of good traffic to be forwarded gracefully even when simulated DoS attacks have exceeded the pre-set network thresholds by as much as 300 percent.
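The contrast the last two paragraphs draw, as an added constructed simulation (not RapidStream's probability model, whose internals the article does not describe): a hard threshold refuses every new connection above the limit, so legitimate clients keep retransmitting into the congestion, while a simple deterministic stand-in for behavior analysis forwards excess connections whose retry timing looks like a real TCP client's backoff. The retry schedule, client counts and flood size are assumptions, and the flood is modelled as the article characterises it, with sources that never persist.

```python
import random

# Added example, not RapidStream's code: constructed simulation comparing the
# article's "refuse everything above threshold" behaviour with admitting excess
# new connections whose retransmission pattern looks like a real TCP client's.
ROUND_TIMES = [0, 1, 3, 7]           # constructed TCP-like SYN retry schedule (seconds)
THRESHOLD = 100                      # new connections the control path accepts per round
N_GOOD, FLOOD_PER_ROUND = 100, 1000  # legitimate clients vs spoofed SYNs per round

def backoff_consistent(times):
    """True if a source's retry gaps roughly double each time (real-client behaviour)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return len(gaps) >= 1 and all(1.5 <= g2 / g1 <= 2.5 for g1, g2 in zip(gaps, gaps[1:]))

def run(policy, seed=7):
    """Simulate the retry rounds; return the share of good clients served and how
    many extra SYNs they had to send (the added congestion the article warns about)."""
    rng = random.Random(seed)
    pending_good = {f"192.0.2.{i}" for i in range(N_GOOD)}   # constructed client addresses
    history = {}            # src -> times seen; the control path's behaviour memory
    served_good = good_retries = 0
    for rnd, now in enumerate(ROUND_TIMES):
        good_retries += len(pending_good) if rnd else 0      # unserved clients retransmit
        arrivals = sorted(pending_good) + [f"spoofed-{rnd}-{k}" for k in range(FLOOD_PER_ROUND)]
        rng.shuffle(arrivals)           # the flood never reuses a source, so it never persists
        admitted = 0
        for src in arrivals:
            seen = history.setdefault(src, [])
            seen.append(now)
            if admitted < THRESHOLD:
                ok = True               # below threshold: every policy forwards
            elif policy == "threshold":
                ok = False              # excess refused, good traffic along with bad
            else:                       # "behaviour": excess forwarded if the source
                ok = len(seen) >= 2 and backoff_consistent(seen)  # persists with proper backoff
            if ok:
                admitted += 1
                if src in pending_good:
                    pending_good.discard(src)
                    served_good += 1
    return {"served": served_good / N_GOOD, "good_retries": good_retries}

if __name__ == "__main__":
    for policy in ("threshold", "behaviour"):
        print(policy, run(policy))
```

Under the threshold policy most good clients are still unserved after four retry rounds; the behaviour rule recognises every client that comes back on schedule and serves all of them by the second round, with far fewer retransmissions.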

Tight integration of hardware and software functions is required to ensure an optimal blend of sustained performance and comprehensive protection within pluggable appliances that provide both standards-based interoperability and cost-effective deployability. At the fundamental hardware level, high-performance custom programmable ASICs are required to deliver wire-speed sustained packet inspection and dynamic establishment of robust stateful firewall structures. In addition, from a software perspective, pluggable firewall appliances need to leverage existing standards and network environments in order to enhance the ease and flexibility of deployment by network administrators. To allow for widespread installation of complementary solutions across both service providers and enterprise environments, it is also critical for the industry to have access to complete families of interoperable rack-mountable firewall appliances that cover the full range of price/performance requirements, from a few hundred Mbps up through multi-gigabit levels.

Besides detecting and preventing external DoS assaults, comprehensive integrated firewall appliances also need to monitor internal traffic that is exiting the local networks, as well as protect local resources from becoming co-opted as part of DDoS attacks. From a service provider perspective, it has become critical not only to assure uninterrupted service to their users but also to simultaneously monitor the source IP addresses of egress traffic to prevent their servers from becoming part of distributed attacks on other providers or users. In fact, with the rise of high-profile DoS attacks, many service providers and network administrators are closely watching the potential liability issues associated with having their resources hijacked for use in external attacks.

Ultimately, the effective detection and prevention of DoS and DDoS attacks will require much more than the random deployment of isolated islands of protection. Because such attacks are designed to leverage both the widespread inter-networking infrastructure and the communications standards that make it work, denial-of-service assaults cannot be completely thwarted by individual point-solutions. While it is certainly the inherent responsibility of service providers and enterprise administrators to take appropriate steps to monitor and protect their own networks, the comprehensive eradication of DoS threats will necessitate the pervasive deployment of intelligent, integrated and interoperable firewall solutions at critical junctures throughout the internetworking infrastructure.

Vince Liu is president, CEO and co-founder of RapidStream, Inc.
