//Blogs - 24 Jan 2017

DDoS Mitigation

Denial of service (DoS) attacks have hit the news in Australia, yet again. But what is a DoS attack? A DoS attack is designed to deny access to a computing resource from its intended users. A distributed DoS (or DDoS) attack is conducted by numerous (could be in the tens of thousands) computers against a single host or network. It’s not possible to prevent DDoS attacks, we can only be prepared to mitigate them.

Types of DDoS attacks

An attacker may use a stateless protocol like ICMP or UDP with spoofed source addresses, but it is also common for an attack to be carried out with legitimate network traffic (like HTTP GET requests). In the latter case it can be difficult to block malicious traffic without impacting legitimate traffic. A DDoS is commonly directed at a web site, with a sufficiently large number of requests to overwhelm the capacity of the web server to handle them. In extreme cases, the site’s network equipment may be made unavailable by the volume of traffic they are attempting to filter.

Preparing for a DDoS attack

There are a number of steps that you can take to prepare for a DDoS attack, including:

  • Ensure that senior management is aware of the impact of a DDoS attack and will support your steps to mitigate one
  • Understand your network – knowing what is normal for your network will enable a threshold of activity that indicates the start of a DDoS
  • Keep your OS up to date and hardened – disable any unneeded services
  • Implement firewall measures on your host – an example for linux
  • Implement application protection, like ModSecurity web application firewall and mod_evasive for Apache – note that a large DDoS attack will quickly overwhelm these measures
  • Run a dedicated network firewall that is able to handle a greater load than the one on the host itself
  • Set up your border router with ACLs to allow only valid traffic into your network eg filter bogons and unused protocols
  • Establish contact details for your upstream network provider so that they may be readily contacted in an emergency.

Containing a DDoS attack

The scale of the attack will determine the effectiveness of mitigation measures. It may be possible to contain the attack on the affected host itself, or it may require upstream filtering.

  • Implement filtering based on the attack eg blocking UDP packets
  • Consider disabling the targeted application until the attack stops
  • Implement rate limiting for network traffic to the target
  • Contact your ISP for traffic filtering

Other resources are available; these are recommended reading – Factsheet Technical measures for the continuity of online services, Mitigation Guidelines for Denial-of-Service Attacks and Network DDoS Incident Response Cheat Sheet

List of useful links from the blog + one more

1 https://javapipe.com/iptables-ddos-protection
2 https://www.modsecurity.org/
3 https://www.zdziarski.com/blog/?page_id=442 (and
4 https://www.ncsc.nl/english/current-topics/factsheets/factsheet-technical-measures-for-the-continuity-of-online-services.html
5 https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2012/tr12-001-en.aspx
6 https://zeltser.com/ddos-incident-cheat-sheet/