Denial-of-service defense depends on multipronged strategy

Ransomware and data breaches may be getting all the headlines, but denial-of-service attacks are on the rise. What can you do to mitigate their effect?

Ever hear the old saying that everything old becomes new again? It's certainly true of denial-of-service attacks. DoS usage is actually increasing: Akamai Technologies' report for the first quarter of 2016 found a 125% year-over-year increase in DoS attacks, and the most recent Verizon data breach report listed the public sector, retail, financial services and schools among the targeted industries, all of which need to bolster their denial-of-service defense techniques.

While DoS attacks are not as prominent as ransomware, point-of-sale attacks or retail data breaches, they can affect a large number of users. What keeps these attacks eternally popular is that they are easy to launch and difficult to defend against completely. A DoS attack targets only availability, not confidentiality or integrity, but that is enough to disrupt a service, and it is the easiest way for an attacker to do so.

Using DoS in new ways

Students have discovered the power of DoS attacks. Some student hackers have used the technique as an easy way to get out of a test: DoS the application servers for a few hours, and you no longer have to worry about passing an exam. What makes this so simple is that DoS-for-hire offerings are easy and cheap to buy online, and you don't even need to go to the dark web. A simple web search for the term "booter" will return hundreds of DoS services, many of which accept payment via credit card, PayPal, Western Union and bitcoin.

What should be clear is that the barrier to entry is low and anyone can launch a DoS attack against your company. As a result, it's important to have a denial-of-service defense plan in place before an attack occurs. This plan should address who will respond, what you will do and which defenses should already be in place before the attack. To limit the damage, you need to identify and detect the attack early.

Separating the good info from the bad

Identification and detection techniques rest on the ability to discriminate legitimate from illegitimate traffic. Activity profiling is one common technique: record the average packet rate per flow (or per link) over a period of normal operation, then flag any flow whose rate deviates significantly from that baseline. This can notify you that something is wrong. Change point detection is another useful technique, and it is statistical as well: a cumulative sum (CUSUM) of the difference between the observed and the expected traffic rate is maintained, and an alarm is raised when the sum crosses a threshold, which locates the point at which the actual network flow departed from the expected flow. Because the sum accumulates small excesses, it can catch an attack that ramps up gradually and never trips a single-sample threshold.
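Both detectors, run over a constructed series of per-second packet counts, as an added example that is not code from the original article. The baseline series, the two attack scenarios (a sudden flood and a slow ramp), the 30-sample training window, the 3-sigma band and the CUSUM drift and threshold are all illustrative assumptions.

```python
"""Activity profiling and CUSUM change-point detection over per-second packet
counts. Added example: the SAMPLE series below are constructed, not captures."""
from statistics import mean, pstdev

# Constructed baseline: 30 one-second packet counts of normal traffic.
NORMAL = [980, 1010, 995, 1020, 1005, 990, 1015, 1000, 985, 1012,
          1003, 997, 1008, 992, 1018, 1001, 994, 1011, 1006, 989,
          1002, 1014, 996, 1009, 991, 1004, 1013, 998, 1007, 1000]
# Scenario 1: a sudden flood after the baseline.
FLOOD = NORMAL + [1025, 1150, 2400, 4800, 9500, 12000, 12500, 12300]
# Scenario 2: an attacker ramping up slowly, +2 packets/s every second.
RAMP = NORMAL + [1002 + 2 * i for i in range(1, 14)]


def activity_profile(rates, window):
    """Learn the baseline: mean and population stdev of the first `window` samples."""
    base = rates[:window]
    return mean(base), pstdev(base)


def profile_alerts(rates, window, k=3.0):
    """Activity profiling: return the indices (after the training window) whose
    packet rate deviates from the baseline mean by more than k standard deviations."""
    mu, sigma = activity_profile(rates, window)
    return [i for i in range(window, len(rates)) if abs(rates[i] - mu) > k * sigma]


def cusum_alert(rates, window, drift, threshold):
    """One-sided CUSUM change-point detector: accumulate how far each sample sits
    above the baseline mean plus an allowed drift (clipped at zero so ordinary
    noise does not build up) and return the index at which the sum first crosses
    `threshold`, or None if no change point is found."""
    mu, _ = activity_profile(rates, window)
    s = 0.0
    for i in range(window, len(rates)):
        s = max(0.0, s + (rates[i] - mu - drift))
        if s > threshold:
            return i
    return None


if __name__ == "__main__":
    for name, series in (("flood", FLOOD), ("ramp", RAMP)):
        print(name, "profile alerts:", profile_alerts(series, 30),
              "cusum alert:", cusum_alert(series, 30, drift=5, threshold=60))
```

On the flood both detectors fire within a second of each other (profiling at index 31, CUSUM at index 31). On the ramp every sample stays inside the 3-sigma band, so activity profiling never alerts, while CUSUM accumulates the small excess and alerts at index 39, nine seconds into the ramp. The trade-off is tuning: drift and threshold must be set from the measured baseline so that normal jitter does not accumulate, and a lower threshold buys earlier detection at the cost of false alarms.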

Maximizing bandwidth and employing load balancing are two other important steps. The reality is you should always have more bandwidth than you think you need. It's not just about DoS, but any other legitimate event that might cause a surge in traffic. Having some additional bandwidth can help in absorbing an attack and can buy a little more time for response. Replication servers can provide additional fail-safe protection. The idea behind this denial-of-service defense strategy is to balance loads on each server in a multiserver architecture to further mitigate an attack.

Slowing down requests to protect your network

Throttling is another useful technique. Throttling works by slowing down the requests performed on behalf of each user and can block a user outright if they do too many things in too short a time. You should also consider blocking addresses that are simply invalid as sources; you will sometimes hear this referred to as bogon and martian packet filtering. Bogons are addresses that should never appear as a source on the public internet: unallocated address space and reserved ranges such as loopback (127.0.0.0/8), link-local and the RFC 1918 private ranges used behind Network Address Translation. A martian is a packet carrying such an address. Since no legitimate traffic originates from these ranges, packets claiming them as a source can be dropped at the edge without affecting real users.
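An added example, not part of the original article, combining both halves of the paragraph: a per-source token-bucket throttle that escalates a repeat offender to a temporary block, placed behind a bogon filter. The request stream, the rate limits and the bogon prefix list are illustrative assumptions; in particular the RFC 5737 documentation ranges used for the constructed clients are deliberately left out of the bogon list so the sample runs, and a production list would include them plus unallocated space from a maintained bogon feed.

```python
"""Per-source request throttling (token bucket with escalation to a temporary
block) and bogon/martian source filtering. Added example over constructed
requests; the addresses and limits are illustrative."""
import ipaddress
from collections import Counter

# Prefixes that should never be a source address on an Internet-facing interface:
# "this network", RFC 1918 private space (what sits behind NAT), shared CGNAT space,
# loopback, link-local, IETF protocol assignments, benchmarking, multicast,
# reserved and limited broadcast. Assumption: the RFC 5737 documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are omitted only so the
# constructed clients below pass; a production list includes them and a feed of
# unallocated space.
BOGON_NETWORKS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
)]


def is_bogon(src):
    """True if src is not a valid public unicast source (unparsable counts as bogon)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True
    return any(addr in net for net in BOGON_NETWORKS)


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, holds at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Throttle:
    """Per-source throttle: each source gets its own bucket; a source refused
    `ban_after` times in a row is blocked for `ban_seconds`."""
    def __init__(self, rate, burst, ban_after, ban_seconds):
        self.rate, self.burst = rate, burst
        self.ban_after, self.ban_seconds = ban_after, ban_seconds
        self.buckets, self.strikes, self.banned_until = {}, {}, {}

    def check(self, src, now):
        """Return 'allow', 'throttle', 'drop-banned' or 'drop-bogon' for one request."""
        if is_bogon(src):
            return "drop-bogon"
        if self.banned_until.get(src, 0.0) > now:
            return "drop-banned"
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
        if bucket.take(now):
            self.strikes[src] = 0
            return "allow"
        self.strikes[src] = self.strikes.get(src, 0) + 1
        if self.strikes[src] >= self.ban_after:
            self.banned_until[src] = now + self.ban_seconds
            return "drop-banned"
        return "throttle"


def sample_requests():
    """Constructed traffic as (timestamp, source) pairs, sorted by time."""
    reqs = [(float(t), "192.0.2.10") for t in range(20)]                 # polite: 1 req/s
    reqs += [(i * 0.025, "192.0.2.66") for i in range(40)]                # flood: 40 req in 1 s
    reqs += [(0.5, "10.1.2.3"), (0.6, "127.0.0.1"), (0.7, "240.1.1.1")]   # spoofed bogons
    return sorted(reqs)


def replay(requests, rate=5, burst=10, ban_after=3, ban_seconds=60):
    """Run the requests through the throttle and count the verdicts."""
    throttle = Throttle(rate, burst, ban_after, ban_seconds)
    return Counter(throttle.check(src, now) for now, src in requests)


if __name__ == "__main__":
    print(dict(replay(sample_requests())))
```

With a burst of 10 and a refill of 5 per second, the flooding client gets its first 11 requests through, is throttled twice, and is then blocked for the remainder of its 40 requests; the polite client at one request per second is never touched, and the three bogon sources are dropped before they reach a bucket. Keying buckets by source address is the simplest choice, but spoofed sources each get a fresh bucket, which is exactly why the bogon and ingress filters belong in front of the throttle.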

Don't forget to review RFC 2827 and RFC 3704. RFC 2827 (BCP 38) ingress filtering won't protect you against a DoS attack, but it will prevent an attacker within your network from sending packets with forged source addresses outside your own address space, so your network cannot be used to launch spoofed attacks against others. It's a denial-of-service defense technique that should be implemented. RFC 3704 (BCP 84) extends ingress filtering to multihomed networks, typically implemented as unicast reverse path forwarding (uRPF) checks on the router, and limits the effect of DoS attacks by denying traffic with spoofed source addresses access to your network. RFC 3704 also helps ensure traffic is traceable to its correct source network. It would also be prudent to discuss black-hole filtering and the DoS prevention services offered by your internet service provider (ISP). Black-hole filtering drops packets at the routing level by pointing the route for a prefix, usually the victim's address, at a discard (null) interface; it is typically triggered dynamically, often through a BGP announcement to the ISP, so that the response to a DoS attack is fast.
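The source-address checks that RFC 2827 and RFC 3704 describe, together with black-hole routing, simulated over a constructed routing table as an added example; this is not code from the article or from any router vendor. The topology (a customer link with strict uRPF, an upstream and a peer link with loose uRPF), the documentation-range prefixes, the interface names and the "Null0" discard convention are assumptions, and the rule that uRPF ignores the default route unless explicitly allowed is modelled on common router defaults.

```python
"""Source-address validation in the style of RFC 2827 / RFC 3704 (strict and
loose unicast reverse-path forwarding) plus black-hole routing, simulated over a
small constructed routing table. Added example, not router code from the article."""
import ipaddress

NULL0 = "Null0"   # discard "interface": a route pointing here drops the packet


class Router:
    def __init__(self, urpf_modes):
        self.urpf_modes = urpf_modes   # interface -> "strict", "loose" or "off"
        self.fib = []                  # (network, egress interface), longest prefix first

    def add_route(self, prefix, interface):
        self.fib.append((ipaddress.ip_network(prefix), interface))
        self.fib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

    def lookup(self, addr, allow_default=True):
        """Longest-prefix match. As on most routers, uRPF ignores the default
        route unless explicitly allowed, so source checks pass allow_default=False."""
        a = ipaddress.ip_address(addr)
        for net, iface in self.fib:
            if net.prefixlen == 0 and not allow_default:
                continue
            if a in net:
                return iface
        return None

    def source_valid(self, src, in_iface):
        mode = self.urpf_modes.get(in_iface, "off")
        if mode == "off":
            return True
        back = self.lookup(src, allow_default=False)
        if mode == "strict":
            # RFC 2827 on a single-homed customer link: the best route back to
            # the source must leave through the interface the packet arrived on.
            return back == in_iface
        # RFC 3704 loose mode for multihomed or asymmetric links: any real route
        # will do, but no route at all or a discard route means drop.
        return back is not None and back != NULL0

    def forward(self, src, dst, in_iface):
        """Fate of one packet: an egress interface name or a drop reason."""
        if not self.source_valid(src, in_iface):
            return "drop-urpf"
        out = self.lookup(dst)
        if out is None:
            return "drop-noroute"
        if out == NULL0:
            return "drop-blackhole"
        return out


def demo():
    """Constructed ISP edge: customer on eth0 (strict), upstream eth1 and peer eth2 (loose)."""
    r = Router({"eth0": "strict", "eth1": "loose", "eth2": "loose"})
    r.add_route("203.0.113.0/24", "eth0")     # customer prefix
    r.add_route("198.51.100.0/24", "eth2")    # prefix learned from a peer
    r.add_route("192.0.2.0/24", "eth1")       # an Internet prefix learned upstream
    r.add_route("0.0.0.0/0", "eth1")          # default toward upstream
    out = {}
    out["customer-valid"] = r.forward("203.0.113.5", "198.51.100.9", "eth0")
    out["customer-spoofed"] = r.forward("198.51.100.9", "192.0.2.7", "eth0")
    out["upstream-normal"] = r.forward("192.0.2.50", "203.0.113.80", "eth1")
    out["upstream-martian"] = r.forward("10.9.9.9", "203.0.113.80", "eth1")
    out["upstream-spoofing-customer"] = r.forward("203.0.113.5", "203.0.113.80", "eth1")
    # Attack on 203.0.113.80: destination-based black hole, sacrificing that one host
    r.add_route("203.0.113.80/32", NULL0)
    out["rtbh-victim"] = r.forward("192.0.2.50", "203.0.113.80", "eth1")
    out["rtbh-neighbour"] = r.forward("192.0.2.50", "203.0.113.81", "eth1")
    # Source-based black hole: a discard route for the attacker plus loose uRPF
    r.add_route("192.0.2.50/32", NULL0)
    out["source-blackhole"] = r.forward("192.0.2.50", "203.0.113.81", "eth1")
    out["source-blackhole-other"] = r.forward("192.0.2.51", "203.0.113.81", "eth1")
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:28} {verdict}")
```

Two results in the demo are the practical caveats. Loose mode on the upstream link passes a packet that spoofs the customer's own prefix ("upstream-spoofing-customer"), because a route for that source exists; strict mode would catch it but breaks legitimate traffic whenever routing is asymmetric, which is the multihoming problem RFC 3704 is about. And the black hole for 203.0.113.80 protects the rest of the link by discarding all traffic to the victim, attack and legitimate alike, which is why the source-based variant (discard route for the attacker plus loose uRPF) is worth having when the sources are few.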

While these denial-of-service defense techniques can limit the damage of DoS attacks, nothing can prevent someone from targeting your network. To be prepared, you will need to have an incident response plan, build in additional bandwidth, black-hole bogus traffic and consider buying DoS hardware or services from your ISP. The worst thing you can do is wait until you're under a DoS attack to try to figure out how to respond.

This was last published in July 2016