Author Topic: Know Your Enemy’s Weapons


Administrator
Know Your Enemy’s Weapons
« on: July 07, 2014, 07:54:14 AM »

What is a DDoS Attack:
A DDoS attack is a brute force or subversive attack against a server or computer. The goal of a DDoS attack is to hamper or stop communication between a website or server and its users. A DDoS has five major ways to accomplish this: consumption of computational resources, disruption of configuration information, disruption of state information, disruption of physical network components, and obstruction of the communication media. Each of these tactics targets a specific part of a network and exploits its weaknesses. In order to defend against a DDoS attack, you have to know what your vulnerabilities are. Once those are defined, coming up with a counter strike will be much easier.

Defending against attacks like this requires more than one line of defense. If only one line of defense is used, then the DDoS attack will do as Germany did to France’s Maginot Line and go around it. Plugging holes in security and overlapping security measures will keep hackers out of a system and keep your server running smoothly. DDoS attacks can also be used to cover up other actions, such as information hijacking and malware insertion. DDoS attacks can cause critical data, traffic and hardware loss. Shore up the defenses and draw the line; otherwise hackers will storm the gates.

Defending against a DDoS: Know your weapons to fight against DDoS

There are different ways to defend against DDoS attacks. Some are preventative, while others are active.

Firewalls: Firewalls use simple rules to defend a network by allowing or denying IPs, protocols, and ports. However, because of where the firewall sits in the hierarchy of the network, it cannot tell good traffic from bad traffic; it can, though, be used to stop internal flooding attacks.

Switches: Most switches have a built-in access control list (ACL) capability. They may also have automatic or system-wide rate limiting, traffic shaping, delayed binding (also known as TCP binding), deep packet inspection, and Bogon filtering, which filters out bogus IP addresses. These controls are preset by the manufacturer or set by the user.

Routers: Like switches, routers also have rate limiting and access control list capability; these controls can be set manually. However, routers can easily be overwhelmed by a flood attack. Adding rules to pull statistics out of a router during a flood attack further complicates the matter. Some routers, such as those running Cisco IOS, have features that prevent flooding.

Application front end hardware: This kind of hardware is placed in front of the server to block flood attacks. It can be used as part of a staggered defense against attacks: the front end hardware is the first line of defense, followed by routers and switches. The appliance scans and categorizes incoming packets and labels them as priority, regular, or dangerous.
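As an added illustration of the switch and router controls described above (per-source rate limiting and Bogon filtering) and the priority/regular/dangerous labelling done by front end hardware, here is a small Python model. It is not code from the original post; the Bogon prefix subset, the allow-listed "priority" source and the sample traffic are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed subset of bogon (reserved, unroutable) prefixes; a real deployment
# would load a maintained bogon feed rather than this hand-picked list.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
PRIORITY_SOURCES = {"198.51.100.1"}  # hypothetical allow-list; gets 'priority' while within limits

def is_bogon(src):
    """True if src falls in a reserved prefix that should never be a source address."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_NETS)

class SourceRateLimiter:
    """Sliding-window limiter: at most `limit` packets per source per `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.times = defaultdict(deque)  # src -> timestamps still inside the window

    def allow(self, src, ts):
        q = self.times[src]
        while q and ts - q[0] >= self.window:  # expire timestamps that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True

def classify(packets, limiter):
    """Label each (timestamp, src) packet and return the count per label."""
    counts = {"priority": 0, "regular": 0, "dangerous": 0}
    for ts, src in packets:
        if is_bogon(src) or not limiter.allow(src, ts):
            label = "dangerous"  # spoofed source or over the per-source rate
        elif src in PRIORITY_SOURCES:
            label = "priority"
        else:
            label = "regular"
        counts[label] += 1
    return counts

# Constructed sample traffic: one flooding host, one spoofed bogon source,
# one allow-listed source and one ordinary client.
SAMPLE = ([(i * 0.05, "203.0.113.5") for i in range(20)]  # 20 packets in 1 s
          + [(0.3, "10.0.0.7"), (0.4, "10.0.0.7")]
          + [(0.5, "198.51.100.1"), (0.6, "198.51.100.9")])
if __name__ == "__main__":
    print(classify(SAMPLE, SourceRateLimiter(limit=10, window=1.0)))
```

With a limit of 10 packets per second, the flooding host's first 10 packets pass as regular and the rest are marked dangerous, while the spoofed Bogon source is dropped regardless of rate.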

IPS based prevention (Intrusion prevention systems): These systems are useful if the attack has a signature. If the content of the attack is malicious, then the system works; however, smarter attacks use legitimate content but have bad intentions. This is where an intrusion becomes hard to detect until it is too late. An IPS based on content cannot block a behavior-based DDoS attack.

Prevention via proactive testing: Testing platforms are used to simulate DDoS attacks and show weak points in a network's security. This allows automated and manual systems to be exercised in advance to make sure they can hold the line when the system is attacked. Test platforms such as Mu Dynamics are used for this.

Black holing and sink holing: Black holing sends all traffic destined for an affected server to a nonexistent IP address. To make the process more efficient and keep the traffic away from the server, an ISP can be used. Sink holing is similar to black holing, but instead of the traffic being sent to a nonexistent, non-working IP, the IP works; it scans the incoming traffic and filters out the bad traffic.

Clean pipes: This method uses a proxy to scan all incoming traffic and filter out all questionable traffic, usually related to DDoS attacks, malware, and spyware.

Winning the fight against DDoS attacks:

The fight against DDoS attacks requires being prepared with the right equipment and knowing what your system's vulnerabilities are. Having multiple layers of defenses against hackers is optimal. Researching what is available to you in order to choose the best weapon or weapons to buff your arsenal against attack is a smart idea. Learning what each type of defense can do, and what its limitations are, will help you choose the best possible defense strategy. A system that has only one line of defense can be overrun, but it can defend itself better than a system that has nothing.