A Morality Tale: The Good and Bad of DDoS Attacks, and What to Do About Them

Posted on by John Linkous

It's 4:55 p.m. on a Friday afternoon, and your phone rings. You're a CISO of a large company selling products online. It's your lead SOC analyst calling with a big problem. The moment that you've successfully avoided for your tenure so far has finally arrived: web-facing applications are slowing to a crawl, and customers are calling and complaining. You are under attack—it’s a distributed denial-of-service (DDoS) attack.

In some Internet circles—such as the hyper-libertarian world of Richard S. Stallman, creator of GNU and many of the tools used within GNU/Linux operating system distributions—a DDoS attack is a form of civil disobedience. Evgeny Morozov penned an article defending DDoS attacks as exactly that in Slate back in 2010. In that very same year, cyber activists encouraged people to download and use the open source Low Orbit Ion Cannon (LOIC) software package specifically for the purpose of voluntarily joining botnets to attack online properties. This approach was successfully used to attack the Recording Industry Association of America (RIAA) website in protest of RIAA's actions against those it believed were breaking the law regarding copyrighted material. LOIC was also used by the Anonymous group as part of their Project Chanology and Operation Payback campaigns against the Church of Scientology and websites of companies that opposed WikiLeaks. On January 19, 2012, LOIC was used to simultaneously shut down the websites of the U.S. Department of Justice, U.S. Copyright Office, FBI, RIAA, and the Motion Picture Association of America (MPAA).

The age of the DDoS script kiddies is upon us, and there is no shortage of tools.

Law enforcement, however, does not take the same romantic view of DDoS attacks that activists and their sympathizers do. In countries such as the United States, the United Kingdom, and Sweden, laws explicitly categorize DDoS attacks as criminal behavior. Unfortunately, both hunting down the source of these attacks and stopping them can prove to be incredibly difficult, due in large part to the use of botnets (both the voluntary type mentioned above, and—far more commonly—the involuntary type). The fact that it is so hard to prevent and track down the individual responsible makes it a common attack method. Organizations need a way to solve the DDoS problem.

Organizations have historically relied on content-aware denial-of-service mitigation capabilities within their perimeter network devices to both detect these attacks and drop the associated packets across a broad range of attack methods, including ICMP floods, SYN flood attacks, teardrop attacks, HTTP POST attacks, and the network time protocol (NTP). As time goes by and the average size of a DDoS attack expands beyond the size of many organizations' Internet pipes, more radical long-term solutions are needed.

One option is to look to outsourced vendors who can provide primary scrubbing of all traffic, through massive bandwidth, close peering points to major Internet backbones, and layer-7 analysis of both ingress and egress traffic to and from the network. These solutions effectively become the "outer firewall" of your organization, providing capabilities ranging from DDoS attack detection and remediation, through netflow traffic monitoring and e-mail spam filtering. Both MSSPs and telco providers are eager to provide these services, but the cost can be difficult for some organizations, especially mid-market entities.

Another option is to utilize a DDoS failover provider. When ingress bandwidth exceeds a certain level, or certain patterns that can indicate a DDoS attack are indicated, the failover provider immediately initiates the cutover of network connectivity through their systems. This can occur on several levels, from cutting over the circuit to implementing immediate DNS changes with extremely short time-to-live (TTL) values. With this type of solution, the mitigation service provider is typically looking to sustain the network for only as long as the attack lasts, and usually provides a command center environment to inform customers of the attack's status over time.

Regardless of where you stand on the legality or appropriateness of DDoS attacks, the fact is, your organization needs to have a plan in place today to deal with this threat which, unlike other types of attacks, has no fully-effective defense.

John Linkous

, Technology Advisor

cyber warfare & cyber weapons law

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community