Feb 28 2013

The Three Elements of Defense Against Denial-of-Service Attacks

Businesses can protect their data and their networks by focusing on these core areas of their network.

Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks are the insidious enemy of many enterprises. These attacks, which attempt to disrupt legitimate use of an organization’s website or other network resources, rely on brute force to use all of a server’s or network’s available capacity, leaving none for legitimate users.

The attacks are also difficult to protect against because it’s hard to distinguish requests that are part of the attack from those of legitimate users.

IT workers have three tools at their disposal when it comes to defending against denial-of-service attacks: working with Internet service providers (ISPs) to block attacks before they reach the target network, filtering them at the network border and deploying sufficient capacity to simply absorb the attack.

ISPs: The First Line of Defense

The most effective way to protect against the impact of DoS attacks is to stop them before they even reach a company’s network. That means partnering with the contracted ISP to block the attack at the gateway. This blunts their impact by protecting even network border devices from being overwhelmed by the flood of malicious traffic. Many ISPs offer a “clean pipes” service-level agreement that commits to a guaranteed bandwidth of legitimate traffic rather than just total bandwidth of all traffic.

The availability and pricing of clean-pipes services should be one of the criteria evaluated when selecting an ISP, especially if the company is a likely target of DoS attacks. While this service is not foolproof, a significant portion of the burden of defending against these attacks is placed on upstream providers, keeping the network and security gear available to handle legitimate traffic.

If a clean-pipes service isn’t available from the ISP, several cloud providers offer subscription services that scrub traffic before it enters the network. These services function by serving as an intermediary, receiving traffic bound for the network, filtering it, and passing on only legitimate connections. Cloud-based DoS protection services are available from providers such as Imperva and VeriSign.

It is extremely important to obtain written service-level agreements from ISPs that clearly outline their permitted responses in the face of a DoS attack. This is true whether or not a clean-pipes service is purchased.

Remember, a DoS attack poses a threat not only to your organization but also to the ISP itself. Without written terms to the contrary, an ISP may be tempted to cut off service entirely in the face of an onslaught of traffic in order to protect other customers from being affected by the side effects of an attack on one company.

Border Filtering: Keep Out the Bad Connections

Businesses should also consider deploying specialized DoS protection devices to further guard their networks against attack. These devices sit at the network perimeter and process traffic before it reaches the internal network, filtering out potentially malicious activity. They may be used in conjunction with a clean-pipes ISP service or as a stand-alone solution when ISP protection is not available. Solutions in this category include the CheckPoint DDoS Protector and Radware DefensePro.

Hardware DoS protection solutions work by analyzing network traffic, using either signature-based detection of known attacks or behavioral analysis that compares current traffic against profiles of “normal” behavior. Traffic that matches a known attack pattern or fails to resemble typical network traffic is either automatically blocked by the device or flagged for investigation by a security analyst.
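The behavioral-analysis side of that process, as an added example that is not part of the original article and not the logic of any vendor's appliance: it builds a profile of per-client request rates from a constructed "normal" log sample, then classifies a constructed current traffic window, blocking sources far outside the profile and flagging borderline ones for an analyst. The simplified log format, the 10-second window, the thresholds (3 and 10 standard deviations above the baseline mean) and the addresses are all assumptions made for the example.

```python
"""Behavioral rate analysis over constructed web-server log lines (added example)."""
import re
import statistics
from collections import Counter
from datetime import datetime, timezone

# Assumed, simplified log format: <client-ip> [<ISO timestamp>] "<method> <path>" <status>
LOG_RE = re.compile(r'^(\S+) \[(\S+)\] "(\S+) (\S+)" (\d{3})$')
WINDOW_SECONDS = 10  # assumed size of the rate window


def _line(ip, hhmmss, path="/", status=200):
    """Build one constructed log line for the samples below."""
    return f'{ip} [2013-02-28T{hhmmss}] "GET {path}" {status}'


# Constructed "normal" sample: three clients, one to three requests per window.
BASELINE_LOG = [
    _line("10.0.0.1", "10:00:01"), _line("10.0.0.1", "10:00:07"),
    _line("10.0.0.2", "10:00:03"),
    _line("10.0.0.3", "10:00:02"), _line("10.0.0.3", "10:00:05"), _line("10.0.0.3", "10:00:09"),
    _line("10.0.0.1", "10:00:12"), _line("10.0.0.1", "10:00:18"),
    _line("10.0.0.2", "10:00:11"), _line("10.0.0.2", "10:00:15"),
    _line("10.0.0.3", "10:00:13"), _line("10.0.0.3", "10:00:19"),
]

# Constructed current window: one normal client, one borderline client, one flood,
# plus a malformed line that the parser must skip.
CURRENT_LOG = (
    [_line("10.0.0.1", "10:05:02"), _line("10.0.0.1", "10:05:08")]
    + [_line("10.0.0.9", f"10:05:0{s}") for s in range(6)]
    + [_line("203.0.113.7", f"10:05:0{s % 10}", "/search") for s in range(15)]
    + ["garbage line that does not match the format"]
)


def parse(lines):
    """Yield (client_ip, unix_seconds) for each well-formed line; skip malformed ones."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, _path, _status = m.groups()
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        yield ip, dt.timestamp()


def per_source_window_counts(lines):
    """Count requests per (client, window-index) pair."""
    counts = Counter()
    for ip, epoch in parse(lines):
        counts[(ip, int(epoch // WINDOW_SECONDS))] += 1
    return counts


def build_profile(baseline_lines):
    """Profile of 'normal' behavior: mean and stddev of per-client requests per window."""
    rates = list(per_source_window_counts(baseline_lines).values())
    return {"mean": statistics.mean(rates), "stdev": statistics.pstdev(rates)}


def classify(current_lines, profile, flag_sigma=3.0, block_sigma=10.0):
    """Return {client: 'block' | 'flag'} for clients whose rate deviates from the profile.

    A floor of one request on the stddev keeps a very uniform baseline from
    turning ordinary jitter into alerts.
    """
    spread = max(profile["stdev"], 1.0)
    flag_threshold = profile["mean"] + flag_sigma * spread
    block_threshold = profile["mean"] + block_sigma * spread
    verdicts = {}
    for (ip, _window), n in per_source_window_counts(current_lines).items():
        if n >= block_threshold:
            verdicts[ip] = "block"          # far outside the profile: drop automatically
        elif n >= flag_threshold and verdicts.get(ip) != "block":
            verdicts[ip] = "flag"           # unusual but not conclusive: hand to an analyst
    return verdicts


if __name__ == "__main__":
    prof = build_profile(BASELINE_LOG)
    print(f"baseline: mean={prof['mean']:.2f} stdev={prof['stdev']:.2f} per {WINDOW_SECONDS}s window")
    for ip, verdict in sorted(classify(CURRENT_LOG, prof).items()):
        print(f"{ip}: {verdict}")
```

With the constructed samples the baseline works out to two requests per window with a small spread, so the client sending six requests in one window is flagged and the one sending fifteen is blocked, while the client at its usual rate is left alone. A real appliance applies the same idea across many more features (connection states, packet sizes, protocol mix), but the profile-then-deviate structure is the same.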

It is important to note that DoS protection appliances placed on a business’s own network are only able to protect network segments, devices and servers that are downstream from the protection appliance. Most notably, if a DoS attack is able to completely use up all of an organization’s Internet bandwidth, the attack will be successful, because legitimate traffic will not even be able to reach the protection appliance.

For this reason, organizations should use a combination of border filtering and a clean-pipes service to present a layered defense. Organizations relying solely upon local filtering must significantly overprovision network bandwidth to ensure that the network is capable of withstanding a sustained DoS attack.

Absorbing DoS Attacks: No Fazing This Network

Absorption, the final DoS protection strategy, attempts to prevent an attacker from using all accessible resources by making available more resources than the attacker is able to consume. This involves purchasing sufficient network bandwidth and server and device capacity to absorb significant levels of traffic over and above the typical traffic profile.

While this approach is effective, it can also be quite expensive. However, it has the added benefit of providing an organization with service resilience in the face of both DoS attacks and legitimate unexpected surges in traffic. For example, an organization would be able to withstand both a targeted DoS attempt and a high-profile media appearance that quickly drives large numbers of users to a website.

Many organizations seeking to use this strategy decide not to build this “burst” capacity on their own networks, choosing instead to leverage cloud providers who specialize in rapidly scaling up to meet irregular demand patterns. When demand spikes above levels that the existing infrastructure can handle, the autoscaling service automatically provisions enough additional virtual servers to meet the demand.

Later, as the demand subsides, those services are automatically decommissioned. Amazon Web Services, Microsoft Windows Azure and Rackspace are just a few of the cloud providers that offer this service. Using this approach requires careful monitoring because the automated provisioning of servers can rapidly increase the company’s cloud provider bill in the face of extremely high demand.

There is no foolproof solution to the problem of DoS attacks. But through the balanced use of ISP-based clean-pipes services and DoS protection appliances and by provisioning excess capacity, IT professionals may create a defense-in-depth approach that mitigates the impact these attacks have on an organization’s network.

In many cases, this protection comes with the side benefit of creating a resilient service environment that is able to remain operational even in the face of legitimate demand surges.