DDoS Mitigation

Denial of service (DoS) attacks have hit the news in Australia, yet again. But what
is a DoS attack? A DoS attack is designed to deny a computing resource's
intended users access to it. A distributed DoS (DDoS) attack is conducted by
numerous computers (possibly tens of thousands of them) against a single host
or network. It is not possible to prevent DDoS attacks; we can only be
prepared to mitigate them.

Types of DDoS attacks

An attacker may use a stateless protocol like ICMP or UDP with spoofed
source addresses, but it is also common for an attack to be carried out
with legitimate-looking network traffic (such as HTTP GET requests). In the
latter case it can be difficult to block the malicious traffic without
impacting legitimate traffic. A DDoS is commonly directed at a web site,
with a sufficiently large number of requests to overwhelm the capacity of
the web server to handle them. In extreme cases, the site's network
equipment may itself be made unavailable by the volume of traffic it is
attempting to filter.

Preparing for a DDoS attack

There are a number of steps that you can take to prepare for a DDoS
attack, including:

- ensure that senior management is aware of the impact of a DDoS attack
and will support your steps to mitigate one

- understand your network - knowing what is normal for your network
lets you set a threshold of activity that indicates the start of a DDoS

- keep your OS up to date and hardened - disable any unneeded services

- implement firewall measures on your host - an example for Linux is
given in link 1 below

- implement application protection, like the ModSecurity web application
firewall and mod_evasive for Apache (links 2 and 3 below) - note that a
large DDoS attack will quickly overwhelm these measures

- run a dedicated network firewall that is able to handle a greater load
than the one on the host itself

- set up your border router with ACLs to allow only valid traffic into
your network, e.g. filter bogons and unused protocols

- establish contact details for your upstream network provider so that
they can be readily contacted in an emergency.

Containing a DDoS attack

The scale of the attack will determine the effectiveness of mitigation
measures. It may be possible to contain the attack on the affected host
itself, or it may require upstream filtering.

- implement filtering based on the attack, e.g. blocking UDP packets

- consider disabling the targeted application until the attack stops

- implement rate limiting for network traffic to the target

- contact your ISP for traffic filtering
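The "understand your network" step above (a threshold of activity that marks the start of a DDoS) and the rate-limiting and filtering steps in this section can be put into practice with a small log-analysis script. The following is an added example, not code from the AusCERT post; it assumes Apache combined-format access logs, uses a constructed sample, and takes the operator's measured normal request rate as input (the value 3 requests per minute below is an assumption for the sample).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format access log lines (not real traffic).
# Minute 13:55 is a normal minute; in 13:56 one source floods the site.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2016:13:55:01 +1000] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.9 - - [10/Oct/2016:13:55:20 +1000] "GET /about.html HTTP/1.1" 200 1204',
    '198.51.100.7 - - [10/Oct/2016:13:55:41 +1000] "GET /index.html HTTP/1.1" 200 2326',
] + [
    f'198.51.100.23 - - [10/Oct/2016:13:56:{s:02d} +1000] "GET / HTTP/1.1" 200 2326'
    for s in range(0, 60, 2)  # 30 requests in one minute from a single source
] + [
    '203.0.113.5 - - [10/Oct/2016:13:56:30 +1000] "GET /news.html HTTP/1.1" 200 980',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def parse_line(line):
    """Return (source_ip, minute_bucket) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts.replace(second=0)

def requests_per_minute(lines):
    """Map each minute to a Counter of requests per source address."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, minute = parsed
            buckets[minute][ip] += 1
    return buckets

def detect_floods(lines, normal_rpm, factor=5, per_source_cap=20):
    """Flag minutes whose total exceeds factor x the operator's known-normal
    rate, and within them the sources above per_source_cap, i.e. the
    candidates for host rate limiting or upstream filtering."""
    alerts = []
    for minute, counts in sorted(requests_per_minute(lines).items()):
        total = sum(counts.values())
        if total > factor * normal_rpm:
            heavy = [ip for ip, n in counts.items() if n > per_source_cap]
            alerts.append((minute.strftime("%H:%M"), total, heavy))
    return alerts
```

Running `detect_floods(SAMPLE_LOG, normal_rpm=3)` on the sample reports minute 13:56 with 31 requests and 198.51.100.23 as the one source above the per-source cap; a real deployment would feed it the live access log and tune `factor` and `per_source_cap` from the baseline established in the preparation step.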


Other resources are available; these are recommended reading: the Factsheet
"Technical measures for the continuity of online services" (link 4 below),
"Mitigation Guidelines for Denial-of-Service Attacks" (link 5) and the
"Network DDoS Incident Response Cheat Sheet" (link 6).


List of useful links from the blog, plus one more:

1. https://javapipe.com/iptables-ddos-protection
2. http://www.modsecurity.org/
3. http://www.zdziarski.com/blog/?page_id=442 (and
https://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7)
4. https://www.ncsc.nl/english/current-topics/factsheets/factsheet-technical-measures-for-the-continuity-of-online-services.html
5. http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2012/tr12-001-en.aspx
6. https://zeltser.com/ddos-incident-cheat-sheet/