
Mitigate the effects of a DDoS attack


There's a great variety of attacks and hacks that black hats can perpetrate on your network. Fortunately, you can prevent most of them using an assortment of security measures.

However, a distributed denial-of-service attack (DDoS) is an entirely different story. You can't thwart a DDoS attack: it targets an IP address or service that is, by design, reachable from the Internet.

If you can't prevent such an attack, what can you do to protect your organization? Start by understanding it: learn the three phases of a DDoS attack, and then learn how to quickly mitigate its effects.

Understand the attack

A DDoS attack usually entails three different phases. Target acquisition is the first phase: A black hat scouts or recons a network and picks a target IP address. The target can be a Web server, DNS server, Internet gateway, etc. The reason for selection could be financial (someone is paying the attacker), or it could be just for malicious fun.

The next phase is the groundwork phase. During this phase, the attacker compromises a large number of unsecured machines (typically home user machines with DSL or cable connections). He or she then installs software on each machine that the attacker will later use to target your network.

The final phase is the actual attack. The attacker sends a command to each of the compromised hosts (i.e., zombies) and commands them to flood the target with packets, overwhelming the service or choking the bandwidth to a crawl.

A really smart black hat will also command the zombies to forge the source address of their attack packets, inserting the target's IP address as the source; this is known as a reflector attack. The servers and routers that receive these packets send their replies to the packet's source address, which means they forward (or reflect) them straight to the target.

Again, you can't prevent a DDoS attack, but understanding it better will help you mitigate the effects once one begins.

Mitigate the effects

Ingress filtering is a simple strategy that all networks (I hope ISPs are listening) should employ. At the border of your network (i.e., every router that directly connects to an outside network), there should be a routing statement that sends to null every inbound packet whose source IP address belongs to your own address space, since no legitimate packet arriving from outside can carry one of your own addresses as its source. While ingress filtering won't prevent a DDoS attack, it can prevent a DDoS reflector attack from overwhelming a machine or network.

However, large ISPs seem to be reluctant to implement ingress filtering for some reason. Because of that, you'll need an alternative to help mitigate DDoS attacks. The current best strategy is the backscatter traceback method.

The first step to this strategy is to recognize that the problem is an external DDoS attack -- not an internal network or routing problem. Next, configure all of the external interfaces on your routers to reject all traffic with a destination of the target for the DDoS attack.

In addition, you should already have configured your external router interface to route to null all inbound packets whose source address is unallocated or reserved for private use, for example:

  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255
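The two border checks described above (drop inbound packets that claim one of your own addresses as source, and drop inbound packets from private or unallocated ranges) can be expressed as a single per-packet decision. The following is an added Python example, not code from the article; the site prefix 203.0.113.0/24, the sample packets and the interface name `eth0` are constructed, and the rendered `iptables` rules are an assumed Linux equivalent of the router statements the article has in mind, whose exact syntax is vendor-specific.

```python
import ipaddress

# The private (RFC 1918) ranges the article lists: addresses that should never
# appear as the source of a packet arriving from the Internet.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: the address space this site owns (documentation range).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample of (source, destination) pairs seen on the border router.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),   # ordinary outside source: accept
    ("203.0.113.10", "203.0.113.10"),   # our own address forged as source
    ("10.1.2.3", "203.0.113.10"),       # private range as source
    ("172.20.0.5", "203.0.113.10"),     # private range as source
    ("192.168.1.1", "203.0.113.10"),    # private range as source
    ("192.0.2.44", "203.0.113.10"),     # ordinary outside source: accept
]


def classify_inbound(src, own_prefixes, bogons=BOGON_SOURCES):
    """Decide what the border router should do with one inbound packet.

    'drop-own-source' : source claims to be inside our own address space
                        (the ingress-filtering rule from the article)
    'drop-bogon'      : source is a private or unallocated range
    'accept'          : anything else is passed on for normal handling
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in own_prefixes):
        return "drop-own-source"
    if any(addr in net for net in bogons):
        return "drop-bogon"
    return "accept"


def filter_packets(packets, own_prefixes):
    """Run classify_inbound over (src, dst) pairs and count each decision."""
    counts = {"accept": 0, "drop-own-source": 0, "drop-bogon": 0}
    for src, _dst in packets:
        counts[classify_inbound(src, own_prefixes)] += 1
    return counts


def iptables_rules(own_prefixes, bogons=BOGON_SOURCES, iface="eth0"):
    """Render assumed Linux netfilter equivalents of the null-route statements.

    One DROP rule per prefix on the outside-facing interface (name assumed).
    """
    nets = list(own_prefixes) + list(bogons)
    return [f"iptables -A INPUT -i {iface} -s {net} -j DROP" for net in nets]


if __name__ == "__main__":
    print(filter_packets(SAMPLE_PACKETS, OWN_PREFIXES))
    for rule in iptables_rules(OWN_PREFIXES):
        print(rule)
```

Note that the own-source rule only makes sense on interfaces that face the outside: applied to an internal interface it would drop all of your own traffic.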

Each router configured to reject the packets will send an Internet Control Message Protocol (ICMP) "destination unreachable" error message packet back to the source IP address contained in the rejected packet. This stream of ICMP replies is the backscatter that gives the method its name.

Next, start sampling your router logs to determine which of your external routers is routing the most DDoS traffic. You also want to identify which source IP blocks are your biggest offenders. On those routers, adjust the routing statements to "black-hole" the IP blocks, then tighten the network masks so that only the offending addresses are black-holed rather than whole neighbouring ranges.
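The log-sampling step above (rank routers by attack traffic, rank source blocks, then narrow the mask from a coarse block down to the subnets that actually carry the flood) is shown here as an added Python example; it is not code from the article. The log line format `<router> src=<ip> dst=<ip> bytes=<n>` and the sample lines are constructed, the source addresses use shared and documentation ranges, and the 90% coverage threshold for mask narrowing is an assumed policy choice.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of sampled router log lines; format is an assumption.
SAMPLE_LOG = """\
border1 src=100.64.1.7 dst=203.0.113.10 bytes=4000
border1 src=100.64.1.8 dst=203.0.113.10 bytes=4000
border1 src=100.64.1.9 dst=203.0.113.10 bytes=4000
border1 src=100.64.2.3 dst=203.0.113.10 bytes=2000
border2 src=100.64.1.7 dst=203.0.113.10 bytes=1000
border2 src=192.0.2.20 dst=203.0.113.10 bytes=500
border1 src=192.0.2.21 dst=203.0.113.10 bytes=500
border1 src=100.64.9.5 dst=203.0.113.10 bytes=500
border1 src=100.64.1.2 dst=203.0.113.50 bytes=9000
"""

# Constructed: the address under attack (documentation range).
TARGET = "203.0.113.10"

LINE_RE = re.compile(
    r"^(?P<router>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into records; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"router": m["router"], "src": m["src"],
                            "dst": m["dst"], "bytes": int(m["bytes"])})
    return records


def bytes_by_router(records, target):
    """Bytes destined for the target, per external router."""
    counts = Counter()
    for r in records:
        if r["dst"] == target:
            counts[r["router"]] += r["bytes"]
    return counts


def bytes_by_block(records, target, prefixlen=16):
    """Bytes destined for the target, grouped by source block of prefixlen."""
    counts = Counter()
    for r in records:
        if r["dst"] == target:
            block = ipaddress.ip_network(f"{r['src']}/{prefixlen}", strict=False)
            counts[str(block)] += r["bytes"]
    return counts


def narrow_block(records, target, block, prefixlen=24, share=0.9):
    """Split one coarse block into prefixlen subnets and keep only the biggest.

    Returns the subnets, largest first, that together carry at least `share`
    of the block's attack bytes; the rest are left unblocked.
    """
    parent = ipaddress.ip_network(block)
    sub = Counter()
    for r in records:
        src = ipaddress.ip_address(r["src"])
        if r["dst"] == target and src in parent:
            net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
            sub[str(net)] += r["bytes"]
    total = sum(sub.values())
    chosen, covered = [], 0
    for net, b in sub.most_common():
        if covered >= share * total:
            break
        chosen.append(net)
        covered += b
    return chosen


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("per router:", bytes_by_router(RECORDS, TARGET).most_common())
    blocks = bytes_by_block(RECORDS, TARGET)
    print("per /16:", blocks.most_common())
    worst = blocks.most_common(1)[0][0]
    print("black-hole within", worst, "->", narrow_block(RECORDS, TARGET, worst))
```

In the sample, the /16 that carries most of the flood narrows to two /24s, while a third /24 in the same block that contributed little stays reachable; the final entries are what you would put into the vendor-specific black-hole statements on the router that reported them.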

Look up who owns that network block. Contact your ISP and the owner's ISP to inform them of what's going on and ask for assistance. They might help or they might not, but it only costs a phone call.

At this point network service should be available to legitimate traffic, though still congested. You can remove all of your router reject statements except the ones on the border routers facing the attacking networks. If your ISP and the upstream ISP from the attacking network put up any network blocks, your inbound traffic should normalize quickly.

Final thoughts

DDoS attacks may be nasty and unpreventable, but you can diminish their effects. You just need to act quickly and methodically to find the offending traffic and send it to the bit bucket.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.


5 comments
tomofumi

Since our upstream's admin didn't help us to block that incoming traffic, I've done this myself on the web server using tcpdump, to analyze which IP subnet has the most incoming traffic, then I apply iptables -j DROP to block them all. The traffic pattern is quite easily predictable, and I can block them effectively using their class B address (/16).

BALTHOR

The hacker's computer must be very different from any other computer that has ever been seen (there are a lot of hackers). The hackers are actually blocking a web search engine. They are at the FCC level of the Internet. About all that anybody else can do is log on and surf the web. We're using the only Internet that there is! I suspect the Internet design engineers saw the worst case and were hoping that we'd solve it.

upos.geo

I heard they use modified computer boards with hacked OS's. I was offered a hacker BIOS one time, but I said no. Once I was attacked and I couldn't view a web search engine either. I didn't know what to do. Now I know that I should contact the FCC level of the Internet. That's a good idea. I heard there is a new Internet coming though. I think they call it Internet 2.0 or so I heard that can't be hacked. If I knew how to re-engineer it to solve it, I would. But I can't. I almost became a hacker once but now that I think about it, it's good that I didn't! Instead I just use the Internet.

Vortex69

Please rephrase your statement in the form of a Statement. What exactly is the point of your comment?...

Pringles86

I was so confused after I read his post.
