Distributed Denial of Service (DDoS) attacks are a real and growing threat to businesses worldwide. Designed to elude detection by today’s most popular tools, these attacks can quickly incapacitate a targeted business, costing victims thousands, if not millions, of dollars in lost revenue and productivity. By adopting purpose-built solutions designed specifically to detect and defeat DDoS attacks, businesses can keep their operations running smoothly. DDoS attacks are weapons of mass disruption. Unlike access attacks, which penetrate security perimeters to steal information, DDoS attacks paralyze Internet systems by overwhelming servers, network links, and network devices (routers, firewalls, and so on) with bogus traffic. DDoS is emerging as the weapon of choice for hackers, political “hacktivists,” cyber-extortionists, and international cyber-terrorists. Easily launched against limited defenses, DDoS attacks not only target individual websites or other servers at the edge of the network; they subdue the network itself.
Attacks have begun to explicitly target the network infrastructure itself, such as aggregation or core routers and switches, or Domain Name System (DNS) servers in a provider’s network. In October 2002, a crude DDoS attack affected 8 of the 13 root DNS servers, critical systems that serve as the roadmap for virtually all Internet communications, and was a harbinger of future large-scale attacks. The growing dependence on the Internet makes the impact of successful DDoS attacks, financial and otherwise, increasingly painful for service providers, enterprises, and government agencies. Newer, more powerful DDoS tools promise to unleash even more destructive attacks in the months and years to come. Because DDoS attacks are among the most difficult to defend against, responding to them appropriately and effectively poses a tremendous challenge for every Internet-dependent organization. Network devices and traditional perimeter security technologies such as firewalls and intrusion detection systems (IDSs).
Distributed Denial Of Service Security Threat
A DDoS attack directs hundreds or even thousands of compromised “zombie” hosts against a single target. These zombie hosts are unwittingly recruited from the millions of unprotected computers that access the Internet through high-bandwidth, “always-on” connections. By planting “sleeper” code on these machines, attackers can quickly build a legion of zombies, all waiting for the command to launch a DDoS attack. With enough zombie hosts participating, the volume of an attack can be astounding. The impact of a successful DDoS attack is widespread. Site performance is severely degraded, frustrating customers and other users. Service Level Agreements (SLAs) are violated, triggering costly service credits. Company reputations are tarnished, sometimes permanently. Lost revenue, lost productivity, increased IT expenses, litigation costs: the losses just keep mounting.
Inside Distributed Denial Of Service Attacks
How do DDoS attacks work? By taking advantage of Internet protocols and the fundamental benefit of the Internet: delivering data packets from nearly any source to any destination, without prejudice. Essentially, it is the behavior of these packets that defines a DDoS attack. Either there are too many of them, overwhelming network devices as well as servers, or they are deliberately left incomplete, so that servers exhaust their resources holding state for transactions that never finish. What makes DDoS attacks so difficult to prevent is that, taken individually, illegitimate packets are indistinguishable from legitimate ones, which makes detection difficult; the typical “signature” pattern matching performed by IDSs does not work. Many of these attacks also use spoofed source IP addresses, thereby eluding source identification by anomaly-based monitoring tools that look for unusually high volumes of traffic coming from specific origins.
Bandwidth attacks: these DDoS attacks consume resources such as network bandwidth or equipment by overwhelming one or the other (or both) with a high volume of packets. Targeted routers, servers, and firewalls, all of which have limited processing resources, can be rendered unable to process valid transactions and can fail under the load. The most common form of bandwidth attack is a packet flooding attack, in which a large number of seemingly legitimate TCP, User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) packets are directed at a specific destination. To make detection even more difficult, such attacks might also spoof the source address, that is, misrepresent the IP address that supposedly generated the request, to prevent identification.
Application attacks: these DDoS attacks use the expected behavior of protocols such as TCP and HTTP to the attacker’s advantage, tying up computational resources and preventing the target from processing transactions or requests.
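The two detection points made above, that a spoofed flood slips past monitors looking for high volume from any single origin, while aggregating by destination and by whether handshakes complete still exposes it, can be checked with a small detector. The following is an added example written for this page, not code from the original article or from any product; the flow-record format, the threshold values, and the traffic itself are constructed for illustration, with addresses drawn from the RFC 5737 documentation ranges.

```python
"""Per-destination SYN-flood detection over constructed flow records.

Added example, not from the original article. Each record summarises the TCP
traffic from one source to one destination within a one-second window:
  syn     - number of SYN segments seen from that source
  acked   - how many of those SYNs were followed by the source's handshake ACK
  packets - total packets from that source to that destination
"""
from collections import Counter, defaultdict
import math

# Assumed tuning values; a real deployment derives these from its own baseline.
PER_SOURCE_PACKET_THRESHOLD = 50   # what a per-origin anomaly monitor might use
SYN_PER_SECOND_THRESHOLD = 100     # aggregate SYN rate a small server can absorb
HALF_OPEN_RATIO_THRESHOLD = 0.8    # share of SYNs that never complete the handshake

WEB = "192.0.2.10"   # constructed web server address (RFC 5737 range)
MAIL = "192.0.2.20"  # constructed mail server address


def build_sample_records():
    """Construct one second of traffic: legitimate clients, one noisy but
    honest client, and a spoofed SYN flood aimed at the web server."""
    records = []
    for i in range(1, 21):    # 20 web clients: handshake completes, data follows
        records.append({"src": f"198.51.100.{i}", "dst": WEB, "dport": 443,
                        "syn": 1, "acked": 1, "packets": 7})
    for i in range(21, 41):   # 20 mail clients, likewise
        records.append({"src": f"198.51.100.{i}", "dst": MAIL, "dport": 25,
                        "syn": 1, "acked": 1, "packets": 12})
    # One chatty client: completes its handshake but sends far more than its peers.
    records.append({"src": "198.51.100.250", "dst": MAIL, "dport": 25,
                    "syn": 1, "acked": 1, "packets": 90})
    # 400 spoofed sources, one SYN each, never an ACK: each origin looks harmless.
    for i in range(1, 201):
        records.append({"src": f"203.0.113.{i}", "dst": WEB, "dport": 80,
                        "syn": 1, "acked": 0, "packets": 1})
        records.append({"src": f"198.51.100.{49 + i}", "dst": WEB, "dport": 80,
                        "syn": 1, "acked": 0, "packets": 1})
    return records


def per_source_alerts(records, threshold=PER_SOURCE_PACKET_THRESHOLD):
    """Naive per-origin check: flag any source whose packet count exceeds threshold.
    A spoofed flood spreads its volume over many origins and slips under this."""
    per_src = defaultdict(int)
    for r in records:
        per_src[r["src"]] += r["packets"]
    return sorted(src for src, n in per_src.items() if n > threshold)


def source_entropy_bits(counts):
    """Shannon entropy of the SYN-source distribution; high values mean the SYNs
    come from many origins in roughly equal share, as spoofing produces."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def per_destination_stats(records):
    """Aggregate by destination, which a spoofed flood cannot hide from."""
    by_dst = defaultdict(list)
    for r in records:
        by_dst[r["dst"]].append(r)
    stats = {}
    for dst, recs in by_dst.items():
        syn = sum(r["syn"] for r in recs)
        acked = sum(r["acked"] for r in recs)
        syn_sources = Counter()
        for r in recs:
            if r["syn"]:
                syn_sources[r["src"]] += r["syn"]
        stats[dst] = {
            "packets": sum(r["packets"] for r in recs),
            "syn": syn,
            "half_open": syn - acked,
            "half_open_ratio": (syn - acked) / syn if syn else 0.0,
            "distinct_syn_sources": len(syn_sources),
            "source_entropy_bits": source_entropy_bits(list(syn_sources.values())),
        }
    return stats


def detect_syn_flood(records, syn_threshold=SYN_PER_SECOND_THRESHOLD,
                     ratio_threshold=HALF_OPEN_RATIO_THRESHOLD):
    """Flag destinations receiving a high SYN rate of which most never complete."""
    return {dst: s for dst, s in per_destination_stats(records).items()
            if s["syn"] >= syn_threshold and s["half_open_ratio"] >= ratio_threshold}


if __name__ == "__main__":
    recs = build_sample_records()
    print("per-source alerts:", per_source_alerts(recs))        # only the chatty client
    for dst, s in sorted(per_destination_stats(recs).items()):
        print(dst, {k: round(v, 3) if isinstance(v, float) else v for k, v in s.items()})
    print("SYN-flood alerts:", sorted(detect_syn_flood(recs)))  # only the web server
```

Run stand-alone, the per-origin check reports only the chatty mail client at 198.51.100.250, while every spoofed source stays under its threshold; the per-destination view shows the web server with 420 SYNs in the window, 400 of them never completed, spread over 420 distinct sources with near-maximal source entropy, and that is what trips the alert. In practice the records would come from flow export or a packet capture and the thresholds from a measured baseline. Note the limitation the application-attack paragraph implies: a flood of connections that complete their handshakes and then issue expensive requests keeps the half-open ratio low, so this check alone does not catch it.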