DDoS attacks: What they are and how to protect yourself
by Mirko Zorz - Monday, 24 June 2013.
Ameen Pishdadi is the CTO at GigeNET. In this interview he discusses the various types of DDoS attacks, tells us who is at risk, tackles information gathering during attacks, lays out the lessons that he's learned when he mitigated large DDoS attacks, and more.
While most have heard of DDoS attacks, not everyone knows that there are several types of such attacks. Can you provide an overview of the different kinds and illustrate their severity? What kind of damage can a DDoS attack do?
Well the easiest way to define DDoS is to discuss what it stands for. It really originated from DoS which was short for Denial of Service. The 2nd D stands for “Distributed.” In the late 90's to early 00's, the first true Distributed DoS attacked occurred. If I remember correctly, one of the first publicized tools for executing a DDoS was called “trinoo.” It was the first of its kind, where infected machines were able to receive commands from a central location which is called a botnet C&C (command-and-control). Botnet makers got smarter and instead of hosting the C&C from a single host, they started to use IRC (Internet Relay Chat). The compromised machine would connect to a hostname and port that were hardcoded in the botnet code and connect to a channel where a single chat entry need only entered once, but then be seen by tens of thousands of compromised machines and then execute their attack.
The first widely publicized attack was early 2000's when internet giants such as Yahoo! were taken down. The amount of bandwidth that was required for this would have to have been enormous in those days. This is when the botnet / DDoS scene began to take off.
The goal of a DDoS is to cause a 'denial of service' to the user or end users of whatever is being attacked. This can be done in a few different ways. The three most common are as follows:
1. Saturate the connections that the target has to the internet, thus preventing real users from being able to connect. This is usually done with a UDP flood, and lately a UDP reflection flood.
2. Saturate the CPU of the router or host machine by sending more packets per second then it can handle. When this occurs, pretty much anything trying to connect does not get processed by the CPU of the device nor forwarded to the destination. This is usually done with a synflood.
3. Overload the application with requests that look like real users. An example would be having a thousand servers making a request to your website’s page all at the same time. These days, since websites are primarily database driven, this effect is even greater. The webserver and database servers become overloaded quickly
We've seen a significant rise in DDoS attacks in the past year. What are the reasons behind this trend? What type of organization is most at risk?
The significant increase is a direct result of the misuse of information for marketing purposes. While the method that was used to take down Spamhaus was fairly well known and had been around for awhile, media attention was purposefully exploited by CloudFlare for its own gain. This exposed this type of attack to a much wider audience. It basically laid out the blueprints and also broadcast how massive the DDoS could be if done right and with the proper resources.
Most of the time, people who DDoS have no idea how large a reaction they are generating. They are merely trying to achieve their goal of taking down the target. Well, CloudFlare publicized the size of this attack on a daily basis and it enlightened a lot of new crowd to the method. Although it is believed that the CloudFlare final number of 300Gb/s was quite padded and that the real number was more believably around 100Gb/s, this was still a massive amount of bandwidth. As a result, tools popped up all over the place for scanning host machines to add to your database along with tools to execute the attack. This made the process so simple that a 10 year old with Windows had the ability to point and click and in seconds, generate a few Gb/s of UDP traffic.
The unfortunate truth is that EVERYONE is at risk. Sometimes people get attacked and they have no idea why! The source is often someone who doesn't like one’s business, perhaps a competitor or someone trying to extort money.
How important is intelligence gathering when it comes to mitigating the effects of a massive DDoS attack? What type of information are you looking for?
It is extremely important for the entire online community. Mitigating the attack only stops the attack from hurting one specific target, but if you can find the information that will lead to the C&C, this can be reported to several “white hat” groups who volunteer their time into dismantling these botnets so they cannot attack anyone else. It is also important to figure out who the attacker is, in the event that criminal prosecution can be pursued.
What are some of the lessons that you've learned when you mitigated large DDoS attacks impacting your clients?
I learned quickly that no attack is the same. There is no “one size fits all” device out there that will stop every attack. To be responsible, a person needs to have many different tools in his or her arsenal, sometimes used together along with some manual work, to stop some of the more intelligent attacks.
Never assume that you have seen an attack as big as it would ever get. But also, it is worth noting that size isn't everything. It can actually be the smaller attacks, the ones which look quite similar to normal traffic, which are the hardest to stop.
What advice would you give to organizations interested in getting DDoS protection? How can they make sure that they make the right choice when evaluating providers?
When evaluating any potential provider, look at their history. See how long they have been around and ask for some proof. Check there website for original content. There is smaller company out there who is decently known, but their entire site is plagiarized from different companies who sell DDoS mitigation devices. If they cannot write original text on their own site, then I really would not have too much faith in them protecting my interests as a client.
What are the advantages of using GigeNET DDoS protection? What makes you stand out from the competition?
Without a doubt, our best asset is our experience. We are tried and true. I began defending DoS attacks in 1998 when we used to run a shell server and attackers would DoS other people off of IRC chats.
Paul, our network engineer, started the first fully dedicated DDoS protection company in the late 90's and pioneered many of the methods of protection. We joined forces in 2005 and have been at the forefront of the industry ever since.