Doug Picotte | October 27, 2011
Salutations, pop culture and security lovers! I have been fighting a cold for the last two weeks. During this last week however, I decided to simply go into denial mode. I kept telling myself I was not sick. I still felt lousy physically while kidding myself, but in some small way I felt better mentally. We play the same denial game up here in the north with the weather this time of year as well. You can still see folks walking around in shorts and sandals in 40 degree temperatures! Speaking of being in denial, we have recently observed an influx of Denial of Service (DoS) and Distributed Denial of Service (DDoS) incidents within our lovely industry.
DoS and DDoS Attack Overview
I would like to take a moment to outline a typical DoS/DDoS attack and then mention some defensive strategies to prevent the attack (or, perhaps more appropriately, minimize its impact). Keep in mind that there are many types of DoS and DDoS attacks, and there is no "silver bullet" that prevents all of them. Here is an example of how a typical Denial of Service attack may be waged against a target:
1. A phishing email or a malicious web link directs an unsuspecting user to a malware site, where the user's machine is infected (compromised) in some way. This is not nearly as difficult as it sounds: some research has shown that as many as 7 of the top 10 hits for a Google search can be poisoned in some way.
2. The compromised computers (often referred to as "bots" or "zombies") then wait for instructions from the attacker's command and control infrastructure. These systems may sit essentially idle for some time before they are told to attack.
3. On command, the bots launch their DoS or DDoS flood against the target, frequently aimed at services the target cannot afford to filter: DNS on UDP port 53 and web traffic on ports 80 and 443 (for the web ports the flood is usually TCP SYN or HTTP request traffic, although UDP floods directed at those ports are also seen).
DoS and DDoS Defense Strategies
Here are some general defense guidelines for preventing, or more realistically minimizing, a DoS or DDoS attack should you ever experience one:
1. Create Action Plan
Create an action plan on how to proactively prepare for and respond to a DoS/DDoS attack. Once an attack starts, it is too late to figure out how you are going to handle it, so plan now: decide who gets called, what can be blocked, and when to escalate to your ISP, so that the follow-on steps are already understood when they are needed.
2. Information Gathering
Inventory the infrastructure components (firewalls, IPS, internet routers) that can detect, defend against or prevent DoS and DDoS attacks, and ensure these systems are monitored 24x7x365. Palo Alto and McAfee products are just two examples of vendor products with DoS and DDoS attack prevention capabilities.
3. Understand ISP DoS Options
Does your ISP offer DoS/DDoS protection services? If so, validate whether the ISP can put DoS/DDoS blocking rules in place upstream for common attack vectors; a volumetric attack that saturates your internet link can only be stopped before it reaches your router, so no amount of local filtering will help there. If the service is offered and it is affordable, purchase it.
4. Implement and Tune Mitigation Technology
Implement appropriate blocking/shunning rules in the IPS and firewall to address volume-based and packet-based DoS/DDoS attacks. Drop fragmented and non-standard traffic at the internet router, after confirming that no legitimate traffic you depend on (large DNS responses or VPN tunnels, for example) arrives fragmented. Implement rate limiting and threshold triggers, and tune the thresholds against a baseline of normal traffic so that they fire on an attack rather than on a busy day.
5. Review Lessons Learned After Attacks
Even with a plan in place prior to an attack, it is important to perform a post-attack debrief to identify lessons learned and to implement changes that minimize the impact if a similar event occurs again.
6. Leverage Monitored and Managed Services
Ensure that monitoring of critical infrastructure assets is implemented to provide early warning and to consolidate detailed information in a form that makes it easier to minimize the impact of an ongoing attack. Consider hiring outside professional managed IDS/IPS and firewall services so that emergency actions can be implemented quickly during an attack.
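To make the threshold triggers of item 4 and the early-warning monitoring of item 6 concrete, here is an added example (not code from the original post or from any vendor product it names) of flood detection run over constructed flow-log lines. The log format, the addresses (documentation ranges), and the thresholds of 200 packets per second per source and 1000 in aggregate are all invented for illustration; a real deployment would read NetFlow or firewall logs and set thresholds from its own baseline. The point it shows is that a per-source threshold catches a single loud host (a block/shun candidate for the firewall or IPS) but is blind to a distributed flood in which every zombie stays under the limit, which only an aggregate threshold catches and which is the case for escalating to the ISP.

```python
"""Threshold-triggered flood detection over constructed flow-log lines.

Added example, not from the original post. Log format, addresses and
thresholds are assumptions made for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed one-record-per-line format, loosely firewall/NetFlow style:
#   ts=<epoch seconds> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port> pkts=<count>
LINE_RE = re.compile(
    r"ts=(?P<ts>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) pkts=(?P<pkts>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ts", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec


def build_sample_log():
    """Constructed sample: three seconds of normal traffic, then a single-source
    UDP/53 flood, then a distributed TCP/80 flood in which no one source is loud."""
    target = "198.51.100.10"  # hypothetical victim address
    lines = []
    for t in range(1000, 1007):
        # Baseline: five legitimate clients, a handful of packets each, every second.
        for i in range(1, 6):
            lines.append(f"ts={t} src=192.0.2.{i} dst={target} proto=tcp dport=443 pkts=8")
        if 1003 <= t <= 1004:
            # One zombie hammering DNS, far above any sane per-source rate.
            lines.append(f"ts={t} src=203.0.113.9 dst={target} proto=udp dport=53 pkts=900")
        if t >= 1005:
            # Forty zombies at 30 pkt/s each: under the per-source limit, 1200 pkt/s together.
            for i in range(1, 41):
                lines.append(f"ts={t} src=203.0.113.{100 + i} dst={target} proto=tcp dport=80 pkts=30")
    lines.append("garbage line that should be ignored")
    return lines


def detect_floods(lines, per_source_pps=200, aggregate_pps=1000):
    """Bucket records into one-second windows and apply two thresholds.

    A source above per_source_pps is reported as a block/shun candidate.
    A window whose total exceeds aggregate_pps while every source stays under the
    per-source limit is reported as distributed: local shunning cannot solve it,
    so it is the trigger for upstream (ISP) filtering.
    """
    by_window = defaultdict(Counter)       # ts -> Counter(src -> pkts)
    service_by_window = defaultdict(Counter)  # ts -> Counter("proto/dport" -> pkts)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not allowed to crash the monitor
        by_window[rec["ts"]][rec["src"]] += rec["pkts"]
        service_by_window[rec["ts"]][f'{rec["proto"]}/{rec["dport"]}'] += rec["pkts"]

    findings = []
    for ts in sorted(by_window):
        sources = by_window[ts]
        total = sum(sources.values())
        loud = sorted(src for src, pkts in sources.items() if pkts > per_source_pps)
        top_service = service_by_window[ts].most_common(1)[0][0]
        if loud:
            findings.append({"ts": ts, "kind": "single-source", "total_pps": total,
                             "service": top_service, "block": loud})
        elif total > aggregate_pps:
            findings.append({"ts": ts, "kind": "distributed", "total_pps": total,
                             "service": top_service, "source_count": len(sources)})
    return findings


if __name__ == "__main__":
    for finding in detect_floods(build_sample_log()):
        print(finding)
```

Running it reports two "single-source" windows naming 203.0.113.9 against udp/53 (940 pkt/s in total) and two "distributed" windows of 1240 pkt/s against tcp/80 from 45 sources, none of which would have been shunned on its own. In practice the thresholds come from the baseline you measured before the attack, which is why the tuning step and the plan belong together.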
Until Next Time
Special thanks go out to Shawn Oberg for his assistance with this month’s blog. Thanks very much for reading my friends. Until next time, and as always, ride safe, crank up the tunes, and stay secure!