DoS Defense is a Two Way Street

Submitted by Mike Rothman on Thu, 2006-02-09 18:10.

Whoa! Someone wake me up from my drug induced hallucination. I'm checking out the news wires and I see visions of Smurfs and Fraggles dancing in my eyes. It's been a long time since I've thought of those endearing blue and orange folks that spawned so many drinking games, so long ago. But enough about my misspent youth.

I'm actually referring to a cutesy press release from Panda Software about Denial of Service attacks (DoS). DoS involves flooding a network (or device) with an ungodly amount of traffic, effectively bringing down the network of the victim. Smurfing and Fraggling were two common DoS attack techniques.

In the good old days (like 3 years ago), very high profile sites would be subjected to coordinated DoS attacks and would be impacted and even brought down. Nowadays, this is less of a problem for the mega-sites that can afford to employ sophisticated network architecture defenses and throw lots of money at ensuring the problem doesn't happen. Larger ISPs are also much more adept now at controlling DoS attacks. They've got all the fancy equipment. It's been a while since DoS was prominent in the news.

But recently, the enterprising guy that started the Million-Dollar Homepage was subjected to a shakedown from mobsters looking for protection money. Read CNET's coverage. Yet the tool of destruction wasn't breaking the guy's kneecaps, it was taking his site down in a coordinated DoS attack.

This poor guy's ISP was basically rendered useless because it was a small shop that couldn't afford sophisticated defenses. So what would you do if subjected to this kind of attack?

First, you try to find the perpetrator, right? Well, that's not going to happen, since DoS attacks are launched by an army of zombie computers, acting on the direction of the zombie controller. So it's kind of like being subjected to death by a thousand cuts, except there are probably tens of thousands of computers blasting your network.

Maybe you can implement a network firewall as Panda suggests in their press release? Well, duh! Sure, a firewall can stop the traffic, but the whole concept of the DoS attack is to send massive amounts of traffic that makes your equipment wilt (and maybe the equipment of the ISP) under the flood, bringing down your network. That seems like a very simplistic answer to me.

Basically, the good news is that it's very very unlikely that you'll be directly targeted by a DoS attack. If you have a highly popular website, the odds go up. If you are targeted, here's what you do:

  1. BUY A BIGGER FIREWALL THAT ISN'T GOING TO MELT - There is equipment out there that will both block traffic (firewall) and prevent intrusions (IPS) at wire speed. If you are under attack, buy one now. Then your network won't be the issue, next you need to...
  2. Work with your ISP to make sure their network can shut down the points of attack - This is hard, but needs to be done in the stream of the attack. Even if your network is up, the ISP still needs to be able to deliver the traffic. If your ISP isn't up to that task...
  3. Find a new ISP that is - The big ISPs are very experienced in dealing with these situations. It will cost you an arm and a leg to have them fix it, but does that cost more than having your network (and therefore probably your business) down? Probably not. It's always good to ask for forgiveness, so...
  4. Notify your customers as to what is going on - Customers are your lifeblood, and if you are honest with them about the fact that you are under attack and working to remedy the situation ASAP, you will get a pass. For a little while anyway. Then, revenge is usually on your mind, so...
  5. Work with the authorities to try to catch the attackers - OK, this is a long shot, but it's good to do the right thing and report this. Maybe someone will get lucky and find them.
  6. If you are religious, you may want to pray a bit - Who knows, maybe divine intervention can help... (I'm kidding on this one)

How do you prevent this from happening again:
  1. Throw in some anomaly detection equipment - This equipment will quickly pinpoint and adapt to out of the ordinary spikes in traffic. This is expensive stuff, but it's a cost of doing business. Just ask the Million Dollar Homepage guy.
  2. Make sure you stay very friendly with your ISPs - Notice I used the term ISPs (like plural - you use multiple ISPs for diverse routing and contingency planning, RIGHT?). You also need to have a well orchestrated plan in the event of another attack. Remember, fool me once - shame on you. Fool me twice - shame on me.
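To make the "anomaly detection" idea in step 1 concrete, here is an added toy example (my own code, not from the original post or any vendor product): it keeps an adaptive baseline of packets per second, flags intervals that spike far above it, and then picks out the handful of sources driving the flood, which is the information you hand to your ISP. The packet counts and the IP addresses are constructed sample data.

```python
# Added example: a minimal traffic-spike detector with an adaptive baseline
# (exponentially weighted moving average and variance of packets per second).
# All sample data below is constructed, not captured traffic.

from math import sqrt

# Constructed per-second packet counts: normal chatter, then a four-second flood.
SAMPLE_PPS = [
    1200, 1350, 1100, 1280, 1400, 1220, 1300, 1250, 1190, 1330,
    1270, 1310, 1240, 1380, 1210, 25000, 31000, 42000, 38000, 1290,
]

def detect_spikes(samples, alpha=0.2, k=4.0, warmup=5, min_abs=500):
    """Return (second, packets, baseline) for each interval whose count exceeds
    baseline + max(k * stddev, min_abs). The baseline adapts only on normal
    intervals, so a sustained flood is not absorbed into 'normal'."""
    mean = var = None
    alerts = []
    for i, x in enumerate(samples):
        if mean is None:            # seed the baseline with the first sample
            mean, var = float(x), 0.0
            continue
        threshold = mean + max(k * sqrt(var), min_abs)
        if i >= warmup and x > threshold:
            alerts.append((i, x, round(mean)))
            continue                # do not teach the baseline that a flood is normal
        delta = x - mean
        mean += alpha * delta
        var = (1 - alpha) * (var + alpha * delta * delta)
    return alerts

# Constructed per-source counts for one flooded second (TEST-NET documentation
# addresses). Note: flood sources may be spoofed, so treat these as leads, not proof.
FLOOD_SECOND = {"198.51.100.7": 9800, "203.0.113.5": 9100, "192.0.2.40": 5600,
                "198.51.100.22": 300, "192.0.2.9": 200}

def top_talkers(per_source, share=0.8):
    """Smallest set of sources that together account for `share` of the packets."""
    total = sum(per_source.values())
    picked, acc = [], 0
    for src, n in sorted(per_source.items(), key=lambda kv: -kv[1]):
        picked.append(src)
        acc += n
        if acc >= share * total:
            break
    return picked

if __name__ == "__main__":
    for second, pps, base in detect_spikes(SAMPLE_PPS):
        print(f"t={second}s: {pps} pps vs baseline {base} pps")
    print("sources to report:", top_talkers(FLOOD_SECOND))
```

Real appliances do this per destination, per protocol and per flow rather than on one global counter, but the adapt-then-freeze behaviour is the core of why they "quickly pinpoint and adapt" to a spike.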

Now part of being a good netizen is to also ensure devices on your network are not zombies that can be used to launch DoS attacks on someone else. So, using endpoint security products on your network devices (especially the mobile ones) keeps spyware and other Trojans at bay. If your network is substantial, implementing anomaly detection is also a good thing. Right now, these are stand-alone devices, but the capability is being rapidly integrated into intrusion prevention and network switching fabrics. So you won't have to pay big bucks for network-based anomaly detection, it will be thrown in for good measure. Don't you just love the technology business?

And most of all, don't pay the money to the mobsters. It sets a really bad precedent. Don't you watch the Sopranos?