- Category: April 2011
Distributed denial-of-service (DDoS) attacks, which attempt to cause disruption to an online service or application, have evolved to be more sophisticated, more prevalent and more dangerous than ever.
Its key players are botnets that are able to control million of active PCs that are spewing out spam or pummelling a site with a distributed denial of service attack.
Attacks are usually based on two main weak points: firstly, the sender addresses of the attacking data packet have been forged (IP spoofing), and secondly, unauthorised programs were installed before the attacks on selected computers which send out en masse, remote-controlled, data packets.
With this kind of cybercrime showing no signs of abating and increasing rapidly in terms of sophistication, companies must focus more on keeping their digital environment clean, as such digital pollution obviously brings with it an abundance of malicious software.
Most DDoS attacks seem to be used against websites to saturate their capacity and prevent legitimate users from visiting the websites, when in truth it can be a lot more sophisticated than that. DDoS attackers do not care how they are able to hit mail servers and in general use a number of tactics to reach as many businesses as they can. Dictionary attacks, for instance, are a popular way of doing this when a business’s email domain is targeted with thousands or sometimes millions of randomly generated email addresses by spammers creating seemingly valid email addresses by combining first and last names from dictionaries. Therefore any organisation with an online presence needs to take action to protect itself from these types of attacks.
The German Bundesamt für Sicherheit in der Informationstechnik published useful guidelines for improving protection against Distributed Denial-of-Service (DDoS) attacks. Asian e–Marketing would like to present, in a nutshell, for our readers some useful basic measures to assist them in their defense from or at least limit damage from any potential DDoS attack:
Prevention of IP spoofing
For the IP spoofing used in DDoS attacks, the network agents are the ones who can effectively recognise and prevent any false packets on being fed into the Internet.
Any organisation connected to a network operator has a certain IP address area at its disposal and each IP packet which is sent from this organisation must have an IP sender address from the area. If this is not the case, it concerns a forged address and the IP packet should not be passed on by the network agent.
While IP spoofing is still possible within the allowed address area of the organisation, the circle of possible originators to the organisation is limited. A normal home access into the Internet has just one authorised IP address so that, through such selective accesses, IP spoofing isn’t possible.
Use of packet filters
Servers are often only connected to the network agent through a single network connection. Even if the servers are resistant against DDoS attacks, this network connection is restricted itself in its capacity and can be fully occupied by an attacker so that the servers can no longer be reached from the Internet. For this reason, network agents should consider shielding the network connection of the server operators against DDoS attacks by the use of packet filters, i.e. packet filtering should be carried out on target addresses when the packets leave the Internet. This is in particular very effective when done in co-operation with an attack recognition system with the server operator, the packet filter can be adapted dynamically to the attack which happens to be running.
Establish a contingency plan
In the event of an attack, a rapid response is crucial, as it is the only way to take effective countermeasures to identify the attacker and to restore normal operation within a short period. This is why an escalation procedure should be laid down in any contingency plan. Necessary information includes contact persons, persons in charge, alternative communication channels, instructions for action and the place where resources that may be needed are stored.
Network services which are not required are to be deactivated and those that require secured, sufficient password and access protection and alteration of (in particular pre-set) passwords must be guaranteed in good time. Further, all alterations and all access to the server must be recorded.
Attention must be paid to restrictive granting of access rights to users, to use the system resources made available, and to increased care in alterations to the configuration.
At regular intervals, the file system has to be checked for integrity. If only static data is required, a manipulation-proof, read-only data medium can be used.
Reasonable level of security for computers with Internet connection and quick transfer of security updates
Computers with an Internet connection should reach a reasonable level of security through consistent implementation of IT protection measures. Relevant updates are to be transferred as quickly as possible to eliminate any weak points and to guarantee that dangers can be counteracted.
In addition, as know-how is necessary for working out an effective IT security configuration, administrators have to be adequately trained.
Computers must be prevented from being misused as a starting point for attacks on other computers, therefore daily checking of files for viruses and attack programs is recommended.
Malicious programs can be installed most easily on individual computers through viruses, Trojan horses or through active content (in particular ActiveX). For this reason, a reliable and current virus protection application and the switching off of active content in the browser is strongly recommended. Under certain circumstances, the use of auxiliary programs for on-line protection of the client (for example PC-Firewalls) can be considered.
With botnets continuing to rise and terrorizing the Internet security landscape, email spam will likely not disappear any time soon. Not to mention that mobile spam will become a greater menace as well, simply due to the fact that many users still don’t see the problem here and are very dismissive of it.
Effective measures against Distributed Denial-of-Service Attacks must be taken at many points in the existing complex Internet structure through a concerted campaign. Content providers, server providers, network agents and end-users must act jointly to make the Internet a safer place with respect to endangerment through Distributed Denial-of-Service Attacks.
Source: Bundesamt für Sicherheit in der Informationstechnik