Several years ago, I worked at a small Web site hosting company,
where I first encountered the confusion and havoc caused by a denial-of-service (DoS) attack. On one occasion, after several hours of being unable to access the Internet, customers no longer cared what the problem was — they just wanted it fixed.I determined that the traffic was HTTP requests, so I focused on checking Web servers. We hosted a number of popular Web sites, and I checked these first.
The size of one Web server log file was considerably larger than any of the others by several orders of magnitude. And one solitary IP address was requesting the same URL over and over again. While the Web server itself was operating fine, the traffic was saturating our 1.5Mbps T1 Internet circuit and cutting off customers.
To identify where the flood was coming from, I used Nslookup and found the domain name for the IP address causing the problem, which whois resolved to another local hosting company. After several phone calls to the competitor's technical support number and a lengthy discussion with several technical staff members, the flood of traffic finally stopped.
I never received a clear answer about what happened to knock us offline. But the company folded during the dot-com crash, and a former technical support staff member later told me the attack was intentional — a conclusion I had already come to myself.
Unfortunately, DoS attacks have evolved into much more than one company trying to cause problems for another. With broadband access almost ubiquitous, there are no longer "simple" DoS attacks.
As we've seen, compromised broadband hosts under remote control can knock out even the biggest Internet companies, including Google and Microsoft. Writers of malicious code know that the majority of broadband computers are poorly maintained, making them ripe targets to install Trojan programs to later use for remote control as a botnet.
These days, the number-one threat to the Internet as a whole is the targeted distributed DoS (DDoS) attack, which uses vast armies of compromised broadband computers. Fighting a DDoS attack is like trying to swim up Niagara Falls.
Most Internet companies, even those staffed with the best IT pros, can do little to abate a DDoS flood without a lot of work and assistance from upstream ISPs. And non-Internet companies generally have no idea when they're under attack — they often don't even know what's going on.
The writers of DDoS attacks know this all too well. There are already documented cases of extortion using the threat of DDoS attacks. Stopping and recovering from a DDoS attack takes time, money, and skilled staff.
DoS and DDoS attacks are not a new threat; they've been terrorising the Internet for years. And yet, only a few vendors offer products that can help defend networks from DoS attacks, and even those tools can't withstand a sustained DDoS attack.
DoS is the new plague of the Internet — just ask Google and Microsoft. But after all these years, we're still no closer to learning how to deal with this problem.
DDoS attacks are on the rise. And unfortunately, while most organisations won't necessarily be a target for attacks, they'll still be a victim of their effects.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
Talkback
Jonathan's article is interesting, but based on personal opinion and experience. The concluding sentiments that we know little more about Dos after all these years, and that few vendors have a solution, especially against sustained DDoS attacks, is simply untrue.
Unfortunately, these kinds of article do little to help swing the balance of power in the favour of potential victims, but rely on their scare tactics to attract readers. Stories of people or organisations actually winning against adversity obviously don't 'sell' as well, yet would be far more worthy of the print space, I would argue.
Jonathan's article is interesting, but based on personal opinion and experience. The concluding sentiments that we know little more about Dos after all these years, and that few vendors have a solution, especially against sustained DDoS attacks, is simply untrue.
Unfortunately, these kinds of article do little to help swing the balance of power in the favour of potential victims, but rely on their scare tactics to attract readers. Stories of people or organisations actually winning against adversity obviously don't 'sell' as well, yet would be far more worthy of the print space, I would argue.
The trick is to talk with your upstream provider (usually your ISP) and find contractual ways to make them seriously liable for such delivery problems that increase significantly the longer it lasts. Sure, that will increase the price tag but that'll also give your upstream provider budget to invest in customized router filters at their end or even specialized equipment or whatever. And if your upstream provider doesn't want such responsibility then maybe another one will. But usually they'll realize that with a little bit of extra effort they can get that much extra profit. Just make sure that if you're the one footing the bill for the initial setup that you gain exclusive rights, share in the profits or otherwise pay a small subscription based fee.
DDoS attacks are basicly logistical wars targetting bandwidth weaknesses. So the point of defense is there where there's enough bandwidth available to not experience problems with a DDoS attack and usually that's upstream somewhere. Also, there's nothing stopping your upstream provider to forge an alliance and start setting up distributed defense with their own upstream providers..