DDoS Mitigation Techniques

Security incident response is an important part of information technology and security planning today. Security threats are no longer simple. Their increasing complexity and diversity allow them to cause not only damage but also disruption, creating financial loss for many for-profit and not-for-profit organizations. One of those disruptive security threats is DoS (Denial of Service).
Within this article, we identify and categorize many mitigation techniques used to protect organizations against DoS. Selecting the proper mitigation for each environment can make the difference in revenue, reputation or both. This article presents various mitigation techniques to help organizations consider their options and, more importantly, contains a generic checklist for developing a high-level incident response plan.
Keywords: DDoS; DoS; mitigation
I. INTRODUCTION
Denial of Service (DoS) attacks represent an increasing problem for businesses, not-for-profit organizations and government agencies. Prior to 2012, according to the Verizon Report, DoS attacks were primarily carried out using "home" type systems. With the rise of data centers, cloud computing and subsequently more powerful systems with access to higher bandwidth, there has been a shift in DoS intensity according to the Verizon Report.
Potent DoS attacks automatically create challenges for businesses. The DoS mitigation techniques previously used may not be sufficient for this new wave of technology disruption. The risk associated with this threat is one of efficiency. In general, information security professionals need to adapt to the evolution of the threat, and this is especially true when it comes to protecting the infrastructure against DoS.
The primary DoS attack methodologies include, but are not limited to, TCP SYN flooding; UDP flooding; and host-based denial of service, sometimes referred to as DDoS (Distributed Denial of Service), usually targeting port 80 (HTTP) but sometimes also 443 (HTTPS), as well as any targeted port from 0 to 65535 depending on the application, service or vulnerability being targeted.
Therefore, this paper reviews various published and peer-reviewed articles and categorizes various DoS mitigation techniques into hardware, software, service or "other" in an attempt to assist our security colleagues with selecting the appropriate technique for their organization. The capstone of this paper is a practical DoS incident response document that lays the foundation for the tasks to consider before and during a DoS attack so that availability remains constant for the organization.
II. MITIGATION CATEGORIES
At a high level, there are three categories of mitigation to protect organizations against DDoS or DoS attacks: mitigation-as-a-service, hardware-based protection, and software-based models that help filter traffic. It is possible to combine these techniques (many organizations deploy a multi-tiered approach); however, these three represent the high-level categories of mitigation techniques.
A. Mitigation as a Service
The principal categories of DDoS are volume-based attacks (saturating bandwidth by flooding it with a huge quantity of data), protocol attacks (saturating server resources by exploiting network protocol flaws), and application-layer attacks (targeting HTTP to exhaust the resource limits of web services). Therefore, any protection mechanism must be prepared for each of these.
DaaS is one example of mitigation-as-a-service; it protects at OSI layers three and seven (network/application) and represents an economical solution. It addresses the need to scale adequate resources to overpower network-layer DoS by including an infrastructure that draws on unused resources from several existing or future systems/services to create a pay-as-you-use defense. It uses sPoW, a uniquely configured proof-of-work scheme, to let legitimate requests compete for service and to reduce application-layer DDoS traffic that cannot otherwise be distinguished from legitimate traffic. sPoW's novel verifier-less property frees servers from performing traffic verification, and ephemeral i-channel obscurity restricts the traffic traversing intermediaries to legitimate clients that have solved the puzzle, which reduces DDoS traffic. Together these protect metered resources employed at intermediaries and servers against eDDoS, for which conventional PoW schemes to date have no answer and therefore remain undeployable.
One of the primary advantages to utilizing DDoS protection as a service is the ability to scale resources. Most companies determine their level of equipment needs based upon the business model. Some medium to large scale companies are starting to integrate equipment topology to protect against larger scaled attacks, but from a business point of view, threat analysis keeps most companies from buying large pools of resources, whether it be hardware, software, or additional trunks.
The likelihood of a large-scale DDoS attack against a small to medium scaled school system, for example, would be far less than an organization like Sony Corporation, especially given the historical issues it has faced. Therefore, businesses and other organizations need to maintain scalable solutions to increase as the needs occur without buying additional equipment. Cloud based solutions offer scalable protection against spam, phishing and DoS, which every organization should consider as part of an internal Information Security Plan.
Traditional DDoS protection methodology relied on oversizing the bandwidth and adopting complex hardware like firewalls and load balancers, but many companies are now choosing cloud-based DDoS protection and management of DNS services because they offer scalable solutions, increasing protection as needed. The cloud-based DDoS approach is based on the idea that malicious traffic is redirected to an architecture that bypasses the affected website. When attacks are identified, traffic is redirected to a scrubbing center and then to the customer's network, offering immediate relief to the actual business resources.
There are a number of features to consider when acquiring a new product (even for DDoS), such as the capacity of the solution in terms of supported protocols, traffic profiling, product flexibility and scalability, availability of built-in hardware redundancy features, reliability, alerting systems, bidirectional traffic monitoring, and product reputation.
B. Mitigation as Hardware
Another protection mechanism against DDoS attacks is one based upon hardware. At a very basic level this could consist of a router working to redirect traffic at the network layer of the OSI model; however, the firewall would serve as the primary protection device.
Depending on the type of denial of service attack, this may be sufficient for smaller organizations, but in no way would it suffice for a company with a higher threat likelihood. However, a combination of hardware, software and even cloud-based solutions working together to form a multi-tiered approach would be effective. In no way is hardware a stand-alone, all-sufficient resource for mitigating anything beyond a mild DoS attack.
It's important for organizations to understand which services or hardware are being attacked, or have been identified as an asset risk, when developing a hardware solution. For example, an organization facing SMTP attacks designed to flood the mail server with illegitimate email would review the topology around its email servers. Ideally, these devices are located behind a DMZ and potentially even on their own trunk should the company also have a large online retail presence.
C. Mitigation as Software
Software Denial of Service protection techniques typically rely on rules for network traffic. This software usually resides on network hardware, like a firewall or a router. The prevention techniques listed are: Ingress Filtering, Egress Filtering, Route-Based Distributed Packet Filtering, History-Based IP Filtering, and Secure Overlay Service. The mitigation and tolerance techniques listed are: PushBack, Throttling, Resource Pricing, Integrated Intserv, and Class-Based Queuing.
One popular methodology within the software realm is Network Egress and Ingress Filtering (NEIF). Although this is handled on the hardware, oftentimes this protection is implemented at the ISP level to prevent DDoS attacks from being launched from within the ISP's own "network", which also protects organizations from outside attacks. Egress filtering usually occurs at the edge of the network, within the firewall or router. This method is highly effective for certain types of traffic, and is recommended as an add-on tool to be combined with the other protection methods described herein.
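To make the ingress/egress filtering described above concrete, the following is an added example (not code from the paper or from any product it names) that applies the two anti-spoofing rules to constructed packet records: an egress rule that only lets packets with one of the organization's own source prefixes leave, and an ingress rule that drops packets arriving from the Internet with an internal or bogon source. The prefixes, bogon list and sample packets are constructed for illustration.

```python
# Added example: ingress/egress anti-spoofing filtering in the style of
# BCP 38, evaluated against constructed packet records (no real traffic).
from ipaddress import ip_address, ip_network

# Constructed topology: prefixes that legitimately originate inside our network.
INTERNAL_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
# Constructed bogon list: sources that must never arrive on the Internet-facing side.
BOGON_PREFIXES = [
    ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8"), ip_network("0.0.0.0/8"),
]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def egress_allowed(src):
    """Outbound rule: only packets whose source is one of our own prefixes may
    leave. This stops our hosts from sourcing spoofed flood traffic."""
    return _in_any(ip_address(src), INTERNAL_PREFIXES)


def ingress_allowed(src):
    """Inbound rule on the Internet-facing interface: drop packets that claim an
    internal or bogon source, since they cannot legitimately come from outside."""
    addr = ip_address(src)
    return not (_in_any(addr, INTERNAL_PREFIXES) or _in_any(addr, BOGON_PREFIXES))


def filter_packets(packets):
    """packets: iterable of (direction, src_ip) with direction 'in' or 'out'.
    Returns accepted records and dropped records tagged with a reason."""
    accepted, dropped = [], []
    for direction, src in packets:
        ok = egress_allowed(src) if direction == "out" else ingress_allowed(src)
        if ok:
            accepted.append((direction, src))
        else:
            dropped.append((direction, src, "spoofed-source"))
    return {"accepted": accepted, "dropped": dropped}


# Constructed sample traffic, one tuple per packet.
SAMPLE = [
    ("out", "203.0.113.10"),  # legitimate internal host
    ("out", "8.8.8.8"),       # internal host spoofing an external source
    ("in", "192.0.2.77"),     # ordinary external client
    ("in", "203.0.113.5"),    # outside packet claiming our own prefix
    ("in", "10.1.2.3"),       # private-range source arriving from the Internet
]

if __name__ == "__main__":
    result = filter_packets(SAMPLE)
    for record in result["dropped"]:
        print("DROP", record)
    print(len(result["accepted"]), "accepted,", len(result["dropped"]), "dropped")
```

The same two rules are what a router or firewall ACL at the network edge expresses; the point of the ISP-level deployment the text mentions is that the egress rule is applied on every customer-facing interface, so spoofed packets never reach the backbone.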
Given that DDoS can be mitigated as long as packets have identifiable features, it is incredibly challenging if attackers do not violate protocols and generate TCP flows that are indistinguishable from normal traffic except by their high volume. Statistics of flow features can be used to compute a Conditional Legitimate Probability (CLP) that packets from a source are legitimate traffic, and a CLP threshold can define source acceptance and denial. The authors suggest traffic shaping as an alternative to standard binary filter rules that block malicious traffic, leading to a better use of the CLP information. Sources with a high CLP get more priority and bandwidth than sources likely to be part of an attacking botnet, leading to less collateral damage.
In the proof of concept (POC), a Linux kernel module, nf-HiShape, was used to shape source IP addresses at different bandwidth limits, even at high packet rates. The shaping algorithm is comparable to Random Early Detection (RED) applied to every source IP range. Evaluation shows that the kernel module can manage up to 50,000 IP ranges at nearly constant throughput, whereas Linux tc throughput decreases at about 200 ranges.
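The following added example (written for this article; it is not the authors' code and not nf-HiShape) shows the CLP idea end to end on constructed traffic: a nominal-period profile of per-packet attributes (TTL, size, protocol) is compared with the profile of the current window, each packet's CLP is the ratio of the expected legitimate count to the observed count for packets with its attributes (capped at 1), and the available capacity is then handed out to sources in descending CLP order instead of by a binary accept/deny rule. The attribute set, the independence assumption between attributes, and the priority allocation are assumptions made for the example.

```python
# Added example: Conditional Legitimate Probability (CLP) scoring of packets
# from nominal vs. current attribute histograms, followed by CLP-ordered
# bandwidth allocation (shaping rather than binary filtering).
from collections import Counter, defaultdict

ATTRS = ("ttl", "size", "proto")  # assumed packet attributes used for profiling


def profile(packets):
    """Per-attribute value histograms plus the packet count for the window."""
    return {a: Counter(p[a] for p in packets) for a in ATTRS}, len(packets)


def clp(packet, nominal, measured):
    """CLP = expected legitimate packets with these attributes / observed packets
    with these attributes, treating attributes as independent (an assumption)."""
    nom_hist, nom_n = nominal
    meas_hist, meas_n = measured
    expected, observed = float(nom_n), float(meas_n)
    for a in ATTRS:
        expected *= nom_hist[a][packet[a]] / nom_n   # P_nominal(attr = value)
        observed *= meas_hist[a][packet[a]] / meas_n  # P_measured(attr = value)
    return 0.0 if observed == 0 else min(1.0, expected / observed)


def score_sources(current, nominal):
    """Average CLP and demand (packets in window) per source address."""
    measured = profile(current)
    per_src = defaultdict(list)
    for p in current:
        per_src[p["src"]].append(clp(p, nominal, measured))
    scores = {s: sum(v) / len(v) for s, v in per_src.items()}
    demand = {s: len(v) for s, v in per_src.items()}
    return scores, demand


def allocate(scores, demand, capacity_pps):
    """Serve sources in descending CLP order; each gets min(demand, what is
    left). Low-CLP sources are shaped down rather than cut off outright."""
    remaining, alloc = capacity_pps, {}
    for src in sorted(scores, key=lambda s: (-scores[s], s)):
        alloc[src] = min(demand[src], remaining)
        remaining -= alloc[src]
    return alloc


def mk(src, ttl, size, proto, n):
    """Build n identical constructed packet records."""
    return [{"src": src, "ttl": ttl, "size": size, "proto": proto} for _ in range(n)]


# Constructed nominal window (quiet period) and current window (under attack).
NOMINAL_WINDOW = mk("N", 64, 1500, "tcp", 50) + mk("N", 128, 600, "tcp", 30) + mk("N", 64, 80, "udp", 20)
CURRENT_WINDOW = (
    mk("A", 64, 1500, "tcp", 10) + mk("B", 128, 600, "tcp", 6) + mk("C", 64, 80, "udp", 4)  # legitimate
    + mk("G", 128, 80, "udp", 40)                                                           # unusual mix
    + mk("X", 255, 60, "udp", 200) + mk("Y", 255, 60, "udp", 200)                           # flood sources
)


def run_example(capacity_pps=30):
    scores, demand = score_sources(CURRENT_WINDOW, profile(NOMINAL_WINDOW))
    return scores, allocate(scores, demand, capacity_pps)


if __name__ == "__main__":
    scores, alloc = run_example()
    for src in sorted(scores):
        print(f"{src}: CLP={scores[src]:.2f} allocated={alloc[src]} pps")
```

With the constructed data the three legitimate sources score 1.0 and keep their full demand, the source with an unusual but partly familiar mix gets a fractional score and only the leftover capacity, and the two flood sources (whose TTL never appeared in the nominal profile) score 0. A production shaper would keep a per-range token bucket or RED-style queue, as the nf-HiShape module does, rather than recomputing allocations per window.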
The last software mitigation technique discussed is PRIMED, a community-of-interest-based DDoS approach. PRIMED is a proactive approach to DDoS mitigation in which customers can specify to their ISP, a priori, their (dis)interest in receiving traffic from particular network entities. The Community-of-Interest (COI) captures the collective past behavior of remote network entities and uses it to predict future behavior. ISPs construct a network-wide "bad COI" containing entities that exhibited unwanted behavior in the past, as well as "good COIs" containing entities engaged in legitimate communication with the customer. Simulation results show the approach improves protection by 91-93%.
ISP-wide threat analyzers determine relative security threats to create the bad COI. A customer-utility calculator determines with which parts of the Internet the ISP's customer is likely to have legitimate communication and produces the good COIs. The security policy determines to what extent to limit traffic based on COI membership. This last piece is important, as the limits imposed for one customer should not impact the limits for another.
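The three PRIMED building blocks above (ISP-wide bad COI, per-customer good COIs, and a per-customer policy that maps COI membership to a limit) can be shown on constructed history data; the following is an added example written for this article, not the PRIMED authors' code. The thresholds, the precedence rule (a customer's own good COI outranks the ISP-wide bad COI) and the limit values are assumptions.

```python
# Added example: building PRIMED-style communities of interest from
# constructed history and applying per-customer limits under attack.
from collections import defaultdict

# Constructed ISP-wide threat reports: remote entity -> number of past incidents.
THREAT_REPORTS = {"198.51.100.7": 9, "198.51.100.8": 3, "192.0.2.200": 12}

# Constructed per-customer flow history: (customer, remote entity, bytes exchanged).
FLOW_HISTORY = [
    ("acme", "192.0.2.10", 50_000), ("acme", "192.0.2.10", 70_000),
    ("acme", "192.0.2.11", 4_000), ("acme", "198.51.100.8", 20_000),
    ("bank", "203.0.113.40", 90_000), ("bank", "192.0.2.10", 1_000),
]

# Each customer carries its own policy (fraction of its bandwidth a remote may use
# while the customer is under attack), so one customer's limits never affect another.
POLICIES = {
    "acme": {"good": 1.0, "bad": 0.0, "unknown": 0.20},
    "bank": {"good": 1.0, "bad": 0.0, "unknown": 0.05},
}


def bad_coi(reports, min_incidents=5):
    """ISP-wide threat analyzer: entities with enough past incidents (assumed threshold)."""
    return {entity for entity, n in reports.items() if n >= min_incidents}


def good_cois(flows, min_bytes=10_000):
    """Customer-utility calculator: per customer, remotes with substantial past
    legitimate exchange (assumed byte threshold)."""
    totals = defaultdict(lambda: defaultdict(int))
    for customer, remote, nbytes in flows:
        totals[customer][remote] += nbytes
    return {c: {r for r, b in per.items() if b >= min_bytes} for c, per in totals.items()}


def allowed_fraction(customer, remote, good, bad, policies):
    """Security policy: a customer's own good COI takes precedence (assumption),
    then the ISP-wide bad COI, then the customer's default for unknown entities."""
    policy = policies[customer]
    if remote in good.get(customer, set()):
        return policy["good"]
    if remote in bad:
        return policy["bad"]
    return policy["unknown"]


def build():
    return good_cois(FLOW_HISTORY), bad_coi(THREAT_REPORTS)


if __name__ == "__main__":
    good, bad = build()
    for customer, remote in [("acme", "192.0.2.10"), ("bank", "192.0.2.10"),
                             ("acme", "192.0.2.200"), ("acme", "198.51.100.8")]:
        print(customer, remote, allowed_fraction(customer, remote, good, bad, POLICIES))
```

Note that the same remote (192.0.2.10) is fully allowed for one customer and rate-limited as "unknown" for the other, which is the per-customer independence the text calls out.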
D. Mitigation Categories- Closing Comments
DDoS attacks are increasing and the rapid scale and trajectory of DDoS has led to the proliferation and increase in the number of organizations affected. The most common sources of DDoS are Kazakhstan, Belarus, Peru, and the UAE and attacks have been incredibly successful because as soon as mitigation would begin, the signature would change when they realized the attack was being successfully blocked.
The majority of victims have been online shopping sites, gaming sites, stock exchanges, and banks. Motivation ranges from extortion, stock market manipulation, competitive advantage and even something as simple as GPA within a university setting.
Most DoS attacks are either layer 3 network floods or layer 7 application attacks exploiting application limitations (such as those of web servers). Hacktivism has driven DDoS into the mainstream, along with hacktivist tools such as Low Orbit Ion Cannon (LOIC), but realistically the majority of targets are the focus of cyber-criminals and state actors concentrating on banks and stock markets, for example.
Additionally, many firms are turning to specialist services, such as Tata Communications and Verisign (which leverages a DNS swing and scrubbing centers), or Prolexic, which uses DNS and BGP to attract traffic to the cloud and operates upstream of the ISP. They tend to filter out spoofed IP addresses, as well as leverage an IP reputation service to prevent DDoS in advance.
The cloud can also mitigate DDoS by scrubbing Gbps of data, with the reduced cost of not having to own customer premises equipment (CPE) or acquire bandwidth and subject matter experts (SMEs); unfortunately, it can also be leveraged as a force multiplier by attackers.
There is no 100% way to protect against a DDoS attack; therefore, understanding the current business model for your organization and implementing a multi-tiered approach will be of value. However, nothing replaces well-configured firewalls and IPS devices. By the time an attack reaches these devices it is usually too late, so pushing solutions upstream (i.e. to ISPs) tends to work better. ISPs can leverage core routers so attacks cannot get beyond the routers without being dropped.
III. PRE-MITIGATION STRATEGY CONSIDERATIONS
The following section outlines pre-attack preparations for an organization for both technical and non-technical roles.
A. Technology Department Role and Responsibility
It is vital to document the organization's IT infrastructure in detail. This information should be protected (encrypted) and readily accessible from internal and external points of entry. Information includes:
• Stakeholders and owners
• IP addresses and circuit IDs
• An accurate network topology and an asset inventory
Communication with the Internet Service Provider is critical for understanding the DDoS mitigation services offered (including their capability to scrub anomalous and malicious traffic) and the process that should be followed should an attack occur.
Next, attention should be turned to points of entry. Ensure the organization reduces the attack scope by avoiding single entry ISP solutions. This includes avoiding hosting multiple public Internet-accessible services and resources (e.g. DNS, HTTP and HTTPS (web services), remote-access VPN, and e-mail) on the same Internet point of entry.
Hosting multiple services and resources on the same Internet point of presence allows DDoS traffic to potentially impact all the Internet-accessible services and resources. Separating these services positions the response team for accuracy, efficiency and effectiveness.
It is also important to ensure all internal services and resources used by internal corporate users and applications are maintained separately so they are not impacted if an internet-accessible service or resource is affected by a DDoS attack. Examples include:
• Internal email servers that would not be impacted by publicly facing SMTP transport services, allowing employees to communicate internally regardless of outside SMTP impact.
• VOIP services should also be reviewed and risk assessed.
• VPN entry if the security team is remote and needs access to updated documents and systems.
If applicable, know how to set up teleconference bridges for use during an incident. This is not necessary for every company but is worth mentioning here should VOIP (voice over IP) services be used.
If it has not already been done, it is important to baseline the performance of the network internally. This allows the incident response team to identify an attack accurately and more quickly. The data center, ISP or cloud service provider may be able to assist with this prior to an attack.
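As an added illustration of what "baselining" buys the response team (this is example code written for this article, not part of the paper), the block below derives a mean and standard deviation from constructed per-minute inbound packet counts taken during a quiet period, then flags the live window when several consecutive samples sit far outside that baseline. The z-score threshold and the two-sample confirmation rule are assumptions; the sample counts are constructed.

```python
# Added example: baseline inbound packets-per-second from a quiet period and
# flag a live window whose samples deviate far beyond that baseline.
import statistics

# Constructed per-minute inbound packet-rate samples (pps) from a quiet period.
BASELINE_PPS = [1200, 1350, 1100, 1400, 1250, 1300, 1150, 1380, 1220, 1290, 1330, 1180]
# Constructed live samples: normal, then a ramp typical of a volumetric flood.
LIVE_PPS = [1260, 1310, 1240, 1900, 5200, 9800, 14000]


def baseline(samples):
    """Mean and population standard deviation of the quiet-period samples."""
    return statistics.mean(samples), statistics.pstdev(samples)


def z_score(value, mean, sd):
    """How many baseline standard deviations a sample sits from the mean."""
    return (value - mean) / sd if sd else float("inf")


def detect(live, mean, sd, z_threshold=4.0, consecutive=2):
    """Alert when `consecutive` successive samples exceed z_threshold (assumed
    parameters). Returns (index of the sample that confirmed the alert or None,
    per-sample z-scores) so the response team can see when the deviation began."""
    zs = [z_score(v, mean, sd) for v in live]
    run = 0
    for i, z in enumerate(zs):
        run = run + 1 if z > z_threshold else 0
        if run >= consecutive:
            return i, zs
    return None, zs


if __name__ == "__main__":
    mean, sd = baseline(BASELINE_PPS)
    print(f"baseline: mean={mean:.1f} pps, sd={sd:.1f} pps")
    idx, zs = detect(LIVE_PPS, mean, sd)
    for i, (v, z) in enumerate(zip(LIVE_PPS, zs)):
        print(f"minute {i}: {v} pps (z={z:.1f}){'  <-- ALERT' if idx is not None and i == idx else ''}")
```

Requiring two consecutive out-of-range samples trades a minute of detection latency for fewer false alarms from a single burst; the same structure works per service or per circuit, which is why the baseline should be captured for each of the mission-critical services identified in the next step.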
Also, identify mission critical services that must be functional during a potential attack, and assign a priority rating to each. In addition, make sure the services and assets are properly identified during this stage to tag what, if any, hardware can be powered down or even blocked in order to limit the impact. This ties closely into the documentation stage as well, so it is important to keep this information and infrastructure details in close proximity.
Depending on the size of the organization, it is encouraged that an approved list be created that would include:
• Source IPs and protocols that should be considered "green".
• Important customers, critical business partners and remote offices.
This is very important if the DDoS attack is extreme and it becomes necessary to lock down the circuit quickly, then widen the "gateway" as protection and filtering are scaled in response.
Of course, a warm or hot disaster recovery site may be appropriate for a company, depending on the size of the organization and on upper management support for this expensive mitigation option. This is a "hard sell" if management does not already support the concept, but worth consideration.
If online services are offered, it is recommended that a secondary system location for handling orders be available to keep the business running should an attack continue longer than expected.
In regards to the environment, be sure to tighten the:
• Configuration of network and application components that may be targeted. This is part of the "basics" but critical.
• Operating Systems (OS) - are they hardened?
• Domain Name Service time-to-live (TTL) settings for exposed systems. This would be part of a DDoS mitigation strategy: if necessary, lower the TTLs to allow for DNS-based redirection if the IPs are attacked.
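Because a DNS swing to a scrubbing center or alternate site cannot take effect until cached records expire, a TTL audit of the exposed names is a useful pre-attack check. The block below is an added example written for this article (not from the paper): it parses a small constructed BIND-style zone fragment, resolves the default `$TTL`, per-record TTLs and unit suffixes, and reports the address records whose TTL exceeds a chosen ceiling. The zone content, names and the 300-second ceiling are constructed assumptions.

```python
# Added example: audit a BIND-style zone fragment for exposed address records
# whose TTL is too long for a quick DNS redirection during an attack.
import re

# Constructed zone fragment (example.test is a placeholder, not a real zone).
ZONE = """\
$TTL 86400
@       IN  SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 300
@       IN  NS  ns1.example.test.
www     1h  IN  A     203.0.113.10
shop        IN  A     203.0.113.11   ; inherits $TTL
api     300 IN  A     203.0.113.12
        300 IN  AAAA  2001:db8::12   ; owner omitted: inherits 'api'
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(token):
    """'300' -> 300, '1h' -> 3600; None if the token is not a TTL."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", token.lower())
    return int(m.group(1)) * UNITS[m.group(2) or "s"] if m else None


def parse_zone(text):
    """Return (owner, ttl, rtype, rdata) tuples, applying $TTL and owner inheritance."""
    default_ttl, owner, records = None, None, []
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = parse_ttl(line.split()[1])
            continue
        if line.startswith("$"):               # other directives are ignored here
            continue
        tokens = line.split()
        if not line[0].isspace():              # a leading name starts a new owner
            owner = tokens.pop(0)
        ttl = default_ttl
        if tokens and parse_ttl(tokens[0]) is not None:
            ttl = parse_ttl(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append((owner, ttl, tokens[0].upper(), " ".join(tokens[1:])))
    return records


def audit(records, max_ttl=300, types=("A", "AAAA", "CNAME")):
    """Exposed address records whose TTL exceeds max_ttl (assumed ceiling),
    i.e. names that could not be swung to a new IP within max_ttl seconds."""
    return [(owner, ttl) for owner, ttl, rtype, _ in records
            if rtype in types and ttl is not None and ttl > max_ttl]


if __name__ == "__main__":
    for owner, ttl in audit(parse_zone(ZONE)):
        print(f"{owner}: TTL {ttl}s exceeds redirection ceiling")
```

In the constructed zone, `www` (1h) and `shop` (inheriting the 86400-second default) would each hold old answers in resolver caches long after a redirection, while `api` is ready for a swing.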
In addition to internal resources, if a company hosts online shopping, and publicly facing websites, Web Load Balancers will be important at the data center (hosting provider level).
B. Non Technology Role and Responsibility
A number of mitigation and detection methods could be deployed amongst non-technology roles as well, including:
• If anyone within the company notices something suspicious they should immediately report it to the IT department (e.g. "I cannot bring up the website ordering system").
• Employers should offer training for their employees to show what flags to look out for, such as phishing emails, suspicious phone calls, and how to dispose of paperwork properly. By training employees to look out for signs of hacking, they will know what to report and how to defend the organization.
• Employees are sometimes the best "first defense" because they typically call about anything "not normal." Pay attention to these calls and emails and categorize anything that may indicate a serious threat, including DDoS.
• Establish a contact database for the company ISP provider and local law enforcement. This list should include managed service providers and internal network teams. In addition, identify which personnel should be contacted in the event of a DDoS attack and what incident response steps should then follow. Also, what information will be necessary and what action steps should take place with each of the critical entities within your organization.
• Make sure pre-defined stakeholders are included, the proper chain of command is followed, and everyone understands their role in advance. This may seem like a "given" for many organizations, but it's important to obtain senior management approval of this step in particular to ensure everyone who needs to know has been informed in a timely manner.
• Depending on the company, you may need to develop some form of internal and external communication plan. As mentioned, the impact of an attack could come through the deterioration of reputation or lost revenue. Plan for how communications would be handled should such an attack occur and systems become inaccessible. This would be more appropriate for public entities and online retailers, where immediate communication with interested parties is expected.
IV. ATTACK MITIGATION CONSIDERATIONS
During a DoS or DDoS Attack there are a few high-level Mitigation and Response considerations for organizations:
• When an attack occurs, it is important to work with network-layer appliances (a firewall, router or load balancer) to dial back, or even prevent, DDoS traffic as close to the network's inbound connection as possible.
• Disconnect unwanted connections on servers or routers. You may need to also terminate unwanted services.
• If possible, implement an incident response plan that may include switching services to an alternate site.
• Black hole DDoS traffic - send this traffic to non-relevant IPs.
• If possible, scale network servers or even increase the bandwidth to accommodate any increased DoS attack load. If using cloud based services throttle the resources as necessary to respond.
• Route traffic to traffic-scrubbing service (if subscribed).
• If adjusting company internal IPS or IDS, be sure to only make one change and evaluate before proceeding to the next. It’s important to monitor impact and changes of improvement.