There’s a great variety of attacks and hacks that black hats can perpetrate on your network. Fortunately, you can prevent most of them using an assortment of security measures.
However, a distributed denial-of-service attack (DDoS) is an entirely different story. You can’t thwart a DDoS attack — they attack an IP address or service that’s available to the Internet.
If you can’t prevent such an attack, what can you do to protect your organization? You need to better understand it by learning the three phases of a DDoS attack and learn how to quickly mitigate the attack’s effects.
Understand the attack
A DDoS attack usually entails three different phases. Target acquisition is the first phase: A black hat scouts or recons a network and picks a target IP address. The target can be a Web server, DNS server, Internet gateway, etc. The reason for selection could be financial (someone is paying the attacker), or it could be just for malicious fun.
The next phase is the groundwork phase. During this phase, the attacker compromises a large number of unsecured machines (typically home user machines with DSL or cable connections). He or she then installs software on each machine that the attacker will later use to target your network.
The final phase is the actual attack. The attacker sends a command to each of the compromised hosts (i.e., zombies) and commands them to flood the target with packets, overwhelming the service or choking the bandwidth to a crawl.
A really smart black hat will also command the zombies to forge the source address of their attack packets and insert the target’s IP address as the source — known as a reflector attack. Servers and routers that see these packets will forward (or reflect) replies directly to the source address of the packet (i.e., straight to the target).
Again, you can’t prevent a DDoS attack, but understanding it better will help you mitigate the effects once one begins.
Mitigate the effects
Ingress filtering is a simple strategy that all networks (I hope ISPs are listening) should employ. At the border of your network (i.e., every router that directly connects to an outside network), there should be a routing statement that directs all inbound traffic with a source IP address owned by that network to null. While ingress filtering won’t prevent a DDoS attack, it can prevent a DDoS reflector attack from overwhelming a machine or network.
However, large ISPs seem to be reluctant to implement ingress filtering for some reason. Because of that, you’ll need an alternative to help mitigate DDoS attacks. The current best strategy is the backscatter traceback method.
The first step to this strategy is to recognize that the problem is an external DDoS attack — not an internal network or routing problem. Next, configure all of the external interfaces on your routers to reject all traffic with a destination of the target for the DDoS attack.
In addition, you should already have configured your external router interface to route to null all inbound packets with an unallocated source address. For example:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
Each router configured to reject the packets will send an Internet Control Message Protocol (ICMP) “destination unreachable” error message packet back to the source IP address contained in the rejected packet.
Next, start sampling your router logs to determine which of your external routers is routing the most DDoS traffic. You also want to identify which IP blocks are your biggest offenders. On those routers, adjust the routing statements to “black-hole” the IP blocks, and adjust the network masks to isolate only the offending IP addresses.
Look up who owns that network block. Contact your ISP and the owner’s ISP to inform them of what’s going on and ask for assistance. They might help or they might not, but it only costs a phone call.
Network service should be available but congested for legitimate traffic. You can remove all of your router reject statements except the ones on the border routers facing the attacking networks. If your ISP and the upstream ISP from the attacking network put up any network blocks, your inbound traffic should normalize quickly.
DDoS attacks may be nasty and unpreventable, but you can diminish their effects. You just need to act quickly and methodically to find the offending traffic and send it to the bit bucket.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
Worried about security issues? Who isn’t? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.