Security Basics mailing list archives
RE: Tactics for surviving heavy DDoS attack?
From: "Mark Brunner" <mark_brunner () hotmail com>
Date: Fri, 18 Apr 2008 22:39:27 -0400
-Offset,

There are some "Best Practices" and products available. You just have to look around. A lot. Denial of Service is one of the toughest attacks to anticipate, and most (all?) solutions are still reactive. Mostly what YOU can do is damage control. Here are some of the findings that came out of a private paper I did recently.

Most DoS is now distributed (DDoS). Most DDoS is generated by botnet infected systems. Most botnet infested systems are home and transient users. Most common targets are websites and email servers. Most DoS that takes place on other targets (production networks) is coincidental (they are DoS'ed by systems generating spam or other attacks from their own network), to distract from or enhance another type of attack, or is maliciously targeted due to frustration with the attacker's inability to penetrate other defenses. Most production network (ability to see the 'net) is caused by internal configuration change, internal malware infection, and disgruntled employee/customer/competitor/extortionist. (For some reason, extortion is currently more common in the UK?)

Some "Best Practices":

1) Build that relationship with your ISP. Talk to them about it, negotiate service if not provided free, and prepare for the eventuality. Most ISPs suffer when their clients are attacked with DoS, so they have a vested interest in working with you to identify and remove the source. They will probably have already established the necessary upstream contacts or have better positioning than you to establish them quickly. Most large ISPs are now monitoring traffic in some manner to detect botnets and other malfeasance. Plan, plan, plan. Know who to call. Make sure they know who to call...

2) Prepare ACLs for your edge and internal routers. You can't anticipate where the attacks are going to come from, but once the traffic that is causing you grief is detected and identified, you can shun it or direct it elsewhere. Do ingress and egress filtering. Have rules ready to modify and disabled in your configs, or stored close at hand for quick insertion.

3) Upgrade to modern devices. Look for routers and firewalls that can allow you to adapt traffic volumes or do traffic shaping. If one IP or a group of IPs is hogging bandwidth, establishing half-open sessions, or generally misbehaving, you can drop all or some packets. Modern devices should be able to slowly reduce these connections to a trickle.

4) If your budget allows it, buy a DDoS solution. Very expensive, and really something to convince your ISP to purchase, but some businesses do have money...

5) Expand your bandwidth capabilities. You can always do as suggested elsewhere, and invest in larger pipes, or secondary pipes to swap over to.

6) Darknets, honeynets, etc. There are techniques that will allow you to detect the precursors to attack, gaining a slight advantage. Set up an area that should NEVER see traffic, and as soon as it does, you have the first precursor to attack of SOME sort.

7) Know your network. Baseline normal traffic for a period of time and monitor for changes. This should alert you to the need to take further action. Have an MSSP monitor it if you haven't the resources internally. Have the ISP block the offenders upstream and contact the upstream provider. This should not be new to them.

8) Know your enemy. DoS is a symptom as well as an attack. Botnets are used to generate DoS traffic. Look for them INSIDE your OWN network. Educate your home users. Home PCs are the most common surface attacked and compromised by bots. Here is a recent paper discussing how the Storm Worm was analyzed and dissected, and its relationship with DoS. http://www.usenix.org/event/leet08/tech/full_papers/holz/holz_html/

9) Use technologies you already have. Look into darknets, honeynets, monitoring services, etc.

10) Don't try to protect everything at once. Know what is the most valuable asset to protect, and focus on that. Common DoS targets are email (90% of email is now spam, and if that isn't DoS...), production network, website. Protect each asset as it needs to be protected. Don't necessarily expect that a solution for web protection (like colocating or multiple routes) will protect more than what it is designed for.

11) Practice and test. Once you have a solution, run your solution through its paces, no matter where it is located. Arrange for tabletop exercises, simulations, and DO at least one real-world DoS on your solution! The time to test is BEFORE it really happens. Repeat your tests on whatever schedule is realistic in your environment.

These vendors would be more than happy to talk solutions with you.
Cisco: http://www.cisco.com
http://www.arbornetworks.com/
http://www.toplayer.com
Prolexic Technologies: www.prolexic.com
IntruGuard: www.intruguard.com/
DDoS Solutions: http://stopddos.org/

Check out Tech Republic, Security Focus, Search Security.com, and SANS for newer materials. There are also blogs and feeds that deal specifically with this subject.

Cheers!
Mark

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ali, Saqib
Sent: Wednesday, April 16, 2008 11:10 AM
To: security-basics () securityfocus com
Subject: Re: Tactics for surviving heavy DDoS attack?

I don't think there is any real solution to a DDOS attack. It is a problem for both carbon-based life and cyberspace alike.

saqib
http://doctrina.wordpress.com/

On Tue, Apr 15, 2008 at 5:00 PM, <offset> wrote:
I haven't been able to find any information regarding how to survive a sustained heavy DDoS attack (i.e. greater than 2G/sec) from a provider's perspective. I see a lot of information on what DDoS is, how not to be an amplifier, etc, but not much on best practice router/switch configs, hardware/solutions to stay alive during a DDoS attack, etc.

If you are an ISP, other than calling your upstream provider to null route the target IP, what other options are available?

-offset
-- Saqib Ali, CISSP, ISSAP http://www.full-disk-encryption.net
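As an added illustration of items 2, 6 and 7 in Mark's list (example code written for this archive page, not from the original post or any vendor named in it): a small Python script that baselines flows per minute during a quiet period, flags a minute that blows past that baseline, reports any source that touched the darknet range, and builds the per-source shun list an edge ACL would be loaded from. The flow records, addresses and darknet prefix are constructed for the example.

```python
import ipaddress
from collections import Counter
from statistics import mean, pstdev

# Constructed sample flow records (not from the post): (minute, src, dst, syn_only).
# Minutes 0-4 are the quiet baseline; minute 5 adds a SYN flood from 50 hosts
# plus one probe into the never-used darknet range.
FLOWS = (
    [(m, f"10.0.{m}.{i}", "198.51.100.10", False) for m in range(5) for i in range(20)]
    + [(5, f"203.0.113.{i % 50}", "198.51.100.10", True) for i in range(400)]
    + [(5, "203.0.113.7", "198.51.100.200", True)]
)
DARKNET = ipaddress.ip_network("198.51.100.192/26")  # assumed unused range (item 6)

def per_minute_counts(flows):
    """Flows per minute towards the protected service: the 'know your network' view."""
    return dict(sorted(Counter(minute for minute, _, _, _ in flows).items()))

def baseline(counts, window):
    """Mean and population std-dev of flows/minute over the quiet window (item 7)."""
    vals = [counts[m] for m in window]
    return mean(vals), pstdev(vals)

def anomalous_minutes(counts, mu, sigma, k=3.0):
    """Minutes above mean + k*sigma; a floor of 1.0 keeps a flat baseline from trapping noise."""
    return [m for m, c in counts.items() if c > mu + k * max(sigma, 1.0)]

def darknet_hits(flows):
    """Any flow into the darknet is a precursor regardless of volume (item 6)."""
    return sorted({src for _, src, dst, _ in flows if ipaddress.ip_address(dst) in DARKNET})

def shun_candidates(flows, minute, min_syn=5):
    """Sources with many SYN-only (half-open) flows in a bad minute: the ACL shun list (item 2)."""
    syns = Counter(src for m, src, _, syn in flows if m == minute and syn)
    return [src for src, n in syns.most_common() if n >= min_syn]

if __name__ == "__main__":
    counts = per_minute_counts(FLOWS)
    mu, sigma = baseline(counts, range(5))
    for bad in anomalous_minutes(counts, mu, sigma):
        print(f"minute {bad}: {counts[bad]} flows vs baseline {mu:.0f}; shun {shun_candidates(FLOWS, bad)}")
    print("darknet hits:", darknet_hits(FLOWS))
```

The shun list is only the input to the pre-staged ACL from item 2; whether to drop, rate-limit or hand the list to the ISP is the operator's call.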