DDoS, DNS, ICMP, oh my!

Are you wondering when this DDoS issue really got rolling? Here is a post written by Robbie Wright (OGO Director of Implementations) from early 2012 looking at what was beginning to happen with the DDoS attacks on financial institutions.

The technology world is full of acronyms. Unfortunately, many of the hackers in the world like to use those acronyms as tools against us. In the past two weeks, we have seen massive DDoS attacks launched against a number of large banks across the US. These attacks have succeeded in temporarily cutting off the banks’ customers for the duration of the attacks.

JP Morgan Chase, Bank of America, Wells Fargo, and others have all been hit by these attacks recently. Hamas has claimed responsibility for the attacks, and all of the banks are working directly with the Department of Homeland Security, as well as with some specialty networking teams, to help stop these types of attacks. The banks haven’t released the nature of the attacks yet, but attacks of this size generally originate from massive botnets around the globe. They attempt to swamp the intended target with more traffic than it can handle.

Security consultant Alperovitch said the volume of phony demands on bank sites was two to three times heavier than previous records for denial of service attacks, and 10 to 20 times higher than the average such attack. Still, the onslaught so far has had a “very limited impact,” resulting in only brief shutdowns of websites.


Imagine 10,000 users attempting to download a 1 MB file from your website as frequently as they can. Then imagine, with the size of these banks, having 100,000 people logged into online banking at the same time on a normal day. They have the infrastructure, and the money, to handle those loads, so an attack big enough to knock them over has to be very large indeed. Many of these attacks are launched over common network protocols such as ICMP: the bots simply send a flood of echo requests, each padded with a large payload, so the target’s links and servers burn their capacity absorbing junk.

More and more, attacks are using misconfigured DNS servers around the internet: open resolvers that will answer queries from anyone. The attacker picks the IP of the target they would like to hit, such as your web site, and sends DNS queries to those resolvers with the source address forged to be your IP, so every resolver sends its response to your server instead of back to the attacker. The attacker also chooses queries that produce big answers (for example asking for every record at a domain, with an EDNS0 option telling the resolver it may reply with packets far larger than the standard 512 bytes), so each small query turns into a response many times its size. That is why these are called amplification attacks: the attacker’s bandwidth is multiplied by the resolvers, and from your side the traffic appears to come from legitimate DNS servers rather than from the attacker.
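As an added example (not code from the original post), the mechanics described above in working form: it builds a query the way an amplification attacker does (type ANY plus an EDNS0 OPT record advertising a large UDP buffer), parses such a query so a resolver operator can recognise the shape, and runs a reflection check over flow records as seen at the victim’s edge. The flow records and all addresses are constructed (RFC 5737 TEST-NET ranges), not captured traffic; `looks_like_amplifier_probe` is a hypothetical heuristic, not a standard from any tool.

```python
"""DNS amplification walk-through.

Added example, not code from the original post. Builds a query the way an
amplification attacker does (type ANY plus an EDNS0 OPT record advertising a
large UDP buffer), parses such a query so a resolver operator can spot it, and
runs a reflection check over constructed flow records from a victim's edge.
All addresses are RFC 5737 TEST-NET ranges; the flows are made up, not captured.
"""
import struct

QTYPE_ANY = 255
OPT_TYPE = 41  # EDNS0 pseudo-RR type


def encode_name(qname):
    """example.com -> b'\\x07example\\x03com\\x00' (DNS wire-format labels)."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(qname, qtype=QTYPE_ANY, edns_bufsize=4096, txid=0x1234):
    """Wire-format UDP query with one question and, when edns_bufsize is set,
    an OPT record whose CLASS field carries the requested UDP payload size.
    An attacker sends this with the source IP forged to the victim's address."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # IN class
    opt = b""
    if edns_bufsize:
        # name=root, type=41, class=bufsize, ttl=0 (ext rcode/version/flags), rdlen=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return header + question + opt


def parse_dns_query(pkt):
    """Return (txid, qname, qtype, edns_bufsize) for a single-question query;
    edns_bufsize is None when no OPT record is present."""
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", pkt[:12])
    off, labels = 12, []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    bufsize = None
    if arcount and pkt[off] == 0:  # root name, then type and class
        rtype, rclass = struct.unpack("!HH", pkt[off + 1:off + 5])
        if rtype == OPT_TYPE:
            bufsize = rclass
    return txid, ".".join(labels), qtype, bufsize


def looks_like_amplifier_probe(pkt):
    """Resolver-side heuristic (hypothetical): an ANY query asking for more than
    the classic 512-byte UDP limit is the shape amplification traffic takes."""
    _txid, _qname, qtype, bufsize = parse_dns_query(pkt)
    return qtype == QTYPE_ANY and (bufsize or 512) > 512


def amplification_factor(query_len, response_len):
    """Bytes the victim receives per byte the attacker sends."""
    return response_len / query_len


# Constructed flow records seen at the victim's edge (src, sport, dst, dport, bytes, txid).
# 203.0.113.10 is the victim; 198.51.100.x are open resolvers. Not real traffic.
FLOWS = [
    ("203.0.113.10", 40001, "198.51.100.7", 53, 40, 0x1234),   # victim's own query
    ("198.51.100.7", 53, "203.0.113.10", 40001, 512, 0x1234),  # answer to it
    ("198.51.100.21", 53, "203.0.113.10", 443, 3800, 0x0ABC),  # never asked for
    ("198.51.100.22", 53, "203.0.113.10", 443, 3900, 0x0ABD),
    ("198.51.100.23", 53, "203.0.113.10", 443, 4000, 0x0ABE),
]


def find_reflected_responses(flows):
    """Inbound UDP/53 responses with no matching outbound query (mirrored
    addresses and ports, same transaction id) were solicited by someone
    spoofing the victim's address. Returns [(resolver, victim, bytes), ...]."""
    sent = {(s, sp, d, dp, tx) for (s, sp, d, dp, _b, tx) in flows if dp == 53}
    reflected = []
    for (s, sp, d, dp, nbytes, tx) in flows:
        if sp == 53 and (d, dp, s, sp, tx) not in sent:
            reflected.append((s, d, nbytes))
    return reflected


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(len(q), "byte query; flagged as amplifier probe:", looks_like_amplifier_probe(q))
    hits = find_reflected_responses(FLOWS)
    print(len(hits), "reflected responses,", sum(b for _, _, b in hits), "bytes")
    print("amplification for a 3800-byte answer:", amplification_factor(len(q), 3800))
```

The 40-byte query against a 3800-byte answer gives a 95x multiplier, which is the whole point from the attacker’s side. The reflection check is the victim-side view: the responses from 198.51.100.21 through .23 have no matching outbound query, so the victim never asked for them and they can be dropped at the edge without affecting its own resolver traffic.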

This is exactly what happened to CloudFlare, a cloud company that provides performance and security tools to its clients. CloudFlare, or rather one of its clients, was the target of a very large (65 Gbps) DDoS. They have a great explanation of the outage they experienced and some great technical details of the attack.

With both the banking sector attacks and CloudFlare’s recent attack, there are a few key things to take away:

  1. Plan on your website, service, or whatever being down. Assume it will happen and make the plan now so you aren’t running around like a chicken with your head cut off the day it happens.
  2. No matter how much money, budget or technical ability you have, a dedicated attacker will be able to bring you down. It just becomes a matter of how fast you are able to recover, whether that is 10 seconds or 10 hours.
  3. In both of these examples the targets had enough excess capacity to absorb many smaller incidents without issue. Think of it like RAID on a server or a battery backup: you lose power for 10 seconds, your batteries step in and nobody knows any better; a hard drive fails and RAID takes care of it with end users never knowing. Have more capacity than you need on your telecom links.
  4. Communicate proactively with your end users during the event, ideally with tools hosted outside your network: Twitter, Facebook, or a blog hosted elsewhere.


Welcome to the Ongoing Operations blog archive.

For our most up-to-date information, please visit ongoingoperations.com.
