Understanding and defending against Denial of Service attacks
Denial of Service (DoS) attacks continue to be on the rise, which is no surprise given our ever-growing dependency on Web-based services, coupled with the fact that these attacks are relatively cheap and easy to carry out. In this article, we’ll discuss what DoS attacks are, several types of DoS attacks, tips to keep them at bay, and references to security tools to help you mitigate vulnerabilities.
DoS attacks and their impact
A DoS attack is an explicit attempt to prevent legitimate users from accessing information or services on a host system. It does this by overloading the targeted machine or service with requests, thus making the resource unreachable or unresponsive to its intended users. DoS attacks exploit known weaknesses and vulnerabilities in systems and applications. These attacks aim to consume valuable resources to disrupt a service. Resources targeted include:
- Network connectivity
- Data structures
- CPU usage
- Disk space
- Application exception handling
- Database connections
Unfortunately, DoS attacks are becoming more sophisticated and getting better at evading detection. They can wreak havoc on organizations by bringing down business-critical services and inhibiting Web access to users, which can result in thousands to hundreds of thousands of dollars per day in lost revenue!
Hackers use several methods to deploy DoS attacks. These attacks come in all different shapes and sizes. Let’s take a quick look at some of them:
1. SYN attacks
In a SYN (synchronize) attack, the networking capability of the targeted system can be knocked out by overloading its network protocol stack with information requests or connection attempts. A SYN attack exploits known weaknesses in the TCP protocol and can impact any system providing TCP-based services, including Web, email, FTP, print servers, etc.
In a normal TCP connection, the client and server exchange a series of messages to establish the connection, known as the three-way handshake. First, the client sends a SYN message to the server. The server will acknowledge the receipt of this message with a SYN-ACK (synchronize-acknowledgement) back to the client. Lastly, the client responds with an ACK (acknowledge) and the connection is established. Taking advantage of this process, an attacker sends multiple SYN packet requests continuously, but then doesn’t return a response. This means the targeted host just sits and waits for acknowledgement for each request, which ties up the number of available connections. In turn, connection attempts from legitimate users get ignored.
Tips to stay secure: Make sure you have a firewall/security device in place that is capable of detecting the characteristics of this type of attack. Also, be certain that you have the appropriate filters configured, including one that restricts input to your external interface by denying packets that have a source address from your internal network. You should also filter outgoing packets that have a source address different than your internal address scheme. Additionally, ensure you have the latest security patches in place, including operating system and application updates, as well as firmware updates for your network and security devices.
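The two source-address filters described above, written out as decision logic so the rules can be checked before they are translated into firewall syntax. This is an added example, not configuration from the article; the internal networks in INTERNAL_NETS and the sample packets are assumptions chosen for illustration.

```python
import ipaddress

# Assumption: the site's internal address scheme (illustrative values only).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

def is_internal(ip):
    """True if the address belongs to one of the internal networks."""
    return any(ip in net for net in INTERNAL_NETS)

def decide(direction, src):
    """Verdict for a packet crossing the external interface.

    direction: 'inbound' (arriving from the Internet) or 'outbound' (leaving the site).
    Returns (verdict, reason).
    """
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source address")
    if direction == "inbound":
        # An internal source address can never legitimately arrive from outside.
        if is_internal(ip):
            return ("drop", "internal source arriving on external interface")
        return ("allow", "external source on inbound path")
    if direction == "outbound":
        # Traffic leaving the site must carry a source from the internal scheme.
        if not is_internal(ip):
            return ("drop", "source outside internal address scheme")
        return ("allow", "internal source on outbound path")
    return ("drop", "unknown direction")

# Constructed sample packets (direction, source address); the documentation ranges
# 198.51.100.0/24 and 203.0.113.0/24 stand in for Internet hosts.
SAMPLE = [
    ("inbound", "203.0.113.7"),
    ("inbound", "10.20.3.4"),
    ("outbound", "10.20.3.4"),
    ("outbound", "198.51.100.9"),
    ("inbound", "not-an-ip"),
]

def evaluate(packets):
    """Return (direction, source, verdict, reason) for each packet."""
    return [(d, s) + decide(d, s) for d, s in packets]

if __name__ == "__main__":
    for d, s, verdict, reason in evaluate(SAMPLE):
        print(f"{d:8} {s:15} {verdict:5} {reason}")
```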
2. Poisoning of DNS cache
DNS cache poisoning exploits vulnerabilities in the domain name system (DNS). In this case, the attacker attempts to insert a fake address entry into the DNS server’s cache database in order to divert Internet traffic from legitimate sites to “rogue” sites. The goal is to lure unsuspecting users to download malicious programs, which can then be exploited by the attacker.
Tips to stay secure: First, ensure you’re running the latest release of your DNS software. You should also configure your firewall to drop packets having an internal source address on the external interface as these are in most cases “cooked-up” addresses. Another important step is to collect and analyze log files from your DNS servers to identify anomalies and suspicious patterns, such as multiple queries from the same IP within a short amount of time.
3. ICMP/Ping flood
In this case, the attacker sends a continuous stream of ICMP echo requests to the victim as fast as possible without waiting for a reply—in other words, “floods” it with ping packets. This barrage of data packets consumes the victim’s outgoing and incoming bandwidth, preventing legitimate packets from reaching their destination.
Tips to stay secure: Filter ICMP traffic appropriately. Block inbound ICMP traffic unless you specifically need it, such as for tools used in normal administration and troubleshooting. For ICMP traffic you do allow, do so only to those specific hosts that require it. Also, configure appropriate parameters and rate limits on firewalls and routers, such as setting a threshold for the maximum allowed number of packets per second for each source IP address. Additionally, make sure you’re monitoring those device logs in real time to immediately detect patterns of high ICMP volume.
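The per-source packet threshold described above and the “multiple queries from the same IP” log check from the DNS section both come down to counting events per source address over a short sliding window. The following is an added example, not taken from any product; the log line format, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

def parse_line(line):
    """Parse a constructed log line '<epoch_seconds> <src_ip> <detail>'.

    Returns (timestamp, src) or None for lines that do not fit the format.
    """
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        return float(parts[0]), parts[1]
    except ValueError:
        return None

def sources_over_threshold(lines, window_s, max_events):
    """Return {src: peak_count} for every source that produced more than
    max_events events inside any window_s-second span."""
    # Sort by timestamp so logs merged from several devices are handled correctly.
    events = sorted(p for p in map(parse_line, lines) if p is not None)
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peaks = {}
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        # Expire timestamps that have fallen out of the window.
        while q and ts - q[0] >= window_s:
            q.popleft()
        if len(q) > max_events:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

# Constructed sample: 192.0.2.10 sends 8 queries within one second,
# 192.0.2.20 sends 4 queries spread over 30 seconds, plus one malformed line.
SAMPLE_LOG = (
    [f"{1000.0 + 0.1 * i:.1f} 192.0.2.10 query A host{i}.example.test" for i in range(8)]
    + [f"{1000.0 + 10 * i:.1f} 192.0.2.20 query A www.example.test" for i in range(4)]
    + ["garbage line"]
)

if __name__ == "__main__":
    # More than 5 events from one source in any 1-second window.
    print(sources_over_threshold(SAMPLE_LOG, window_s=1.0, max_events=5))
```

The same function works for ICMP counters if the firewall log is reduced to timestamp and source address; the threshold has to come from what is normal for the host being protected.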
4. E-mail bombs
This type of attack involves sending huge volumes of bogus emails simultaneously, and in most cases, containing very large attachments. E-mail bombs consume large amounts of bandwidth, as well as valuable server resources and storage space. An attack of this kind can quickly bring your mail service to a crawl or crash the system altogether.
Tips to stay secure: In addition to firewalls, you can put other perimeter protection in place, such as content filtering devices. It’s also wise to limit the size of emails and attachments, as well as limiting the number of inbound connections to the mail server.
5. Application-level floods
Application denial-of-service attacks target Web servers and take advantage of software code flaws and exception handling. These types of attacks are common and difficult to defend against since most firewalls leave port 80 open and allow traffic to hit the backend Web applications.
Tips to stay secure: Make sure servers and applications stay up-to-date with security patches. Also, educate developers on the risks of sloppy code and leverage a Web Application Firewall (WAF) to protect against bad code and software vulnerabilities. In addition, you should be logging relevant data from all your business-critical applications.
Security tools to mitigate vulnerabilities
As long as there are vulnerable systems on the Web, there are going to be denial-of-service attacks. And, though some DoS attacks can be difficult to defend against, there are ways to mitigate your risks to these types of cyberattacks.
First and foremost, ensure your systems are up-to-date with the latest patches. Patch management is one of the most critical processes in vulnerability management. You need to apply the latest security patches and updates to operating systems and applications, as well as firmware updates for your network devices, including routers and firewalls.
Next, continuously monitor your systems and devices. Start by creating a baseline and then monitor how the network is behaving to identify anomalies. To do this successfully requires that you have a solution in place that is capable of monitoring and correlating log event data throughout your environment, and very importantly, reacting in real time. This is where Security Information and Event Management (SIEM) solutions come into play. Log management solutions centrally collect and correlate logs from network and security devices, application servers, databases, etc., to provide actionable intelligence and a holistic view of your IT infrastructure’s security.
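One way to turn “create a baseline, then identify anomalies” into a check, shown as an added example that is not tied to any particular SIEM product. It assumes event timestamps have already been extracted from the logs; the median/MAD statistic, the multiplier k and all sample numbers are choices made for this illustration.

```python
from statistics import median

def per_interval_counts(timestamps, start, end, interval_s=60):
    """Bucket event timestamps (epoch seconds) into fixed intervals and count them."""
    n = int((end - start) // interval_s)
    counts = [0] * n
    for ts in timestamps:
        idx = int((ts - start) // interval_s)
        if 0 <= idx < n:
            counts[idx] += 1
    return counts

def build_baseline(counts):
    """Return (median, MAD) of per-interval counts from a known-normal period.

    Median and median absolute deviation are used instead of mean and standard
    deviation so that a few odd intervals in the baseline do not skew the limit.
    """
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad

def anomalies(baseline, observed, k=6.0, min_spread=1.0):
    """Return [(interval_index, count)] where count exceeds median + k * spread."""
    med, mad = baseline
    # Guard against a zero MAD on a very flat baseline.
    spread = max(mad, min_spread)
    limit = med + k * spread
    return [(i, c) for i, c in enumerate(observed) if c > limit]

# Constructed per-minute request counts from a normal period.
NORMAL = [120, 118, 125, 130, 122, 119, 127, 124, 121, 126]
# Constructed per-minute counts being monitored; minutes 3 and 4 are a flood.
OBSERVED = [125, 133, 140, 410, 980, 128]

if __name__ == "__main__":
    base = build_baseline(NORMAL)
    print("baseline (median, MAD):", base)
    print("anomalous intervals:", anomalies(base, OBSERVED))
```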
Another important step is to ensure your firewalls and network devices are configured properly and that you have the appropriate rules and filters in place. Configuration and change management plays a vital role in protecting your network from unauthorized and erroneous changes that could leave your critical devices vulnerable.
Following these guidelines can go a long way in protecting your IT infrastructure and services. It’s much better to implement precautionary measures up front to prevent an attack than to try and recover after one has occurred.