The painfully obvious truth about the Google incident is that the current infrastructure is not capable of dealing with DDoS attacks. It is not capable because, from a device's point of view, the attack traffic looks like nothing more than ordinary requests for web resources. The simplicity of the attack method is at the core of why we cannot devise an effective defense. But that never stopped us from trying. So here we go: we are going to try to find a solution to our national security problem.
First, there is the Internet connection to your ISP, which terminates in a CSU/DSU. That link runs its native framing, be it T1, Frame Relay or even Ethernet, and the point-to-point interface at each end has an IP address. I believe this is the first problem. Other than for remote management, there is no need for a point-to-point link to carry a public IP address that is reachable from the Internet. A DDoS can simply flood that address with ICMP echo requests and saturate the link, and because the flood is aimed at the link itself rather than at any server, monitoring that watches your servers will not show what is happening. So, as a first point of defense, we must make this link invisible: work with the ISP to number the point-to-point link from address space that is not routed from the Internet, and have the ISP filter traffic addressed to the link at its end (a packet that has already crossed the link has already consumed its bandwidth, so filtering on your own router is too late). Do this for every ISP connection. This is a simple, no-cost solution.
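As an added illustration, not configuration from the original post or from Computrad, here is the weak and the hardened form of the ISP link on a Cisco IOS router. The interface name, the addresses (a documentation /30 for the weak case, an RFC 1918 /30 agreed with the ISP for the hardened one) and the ACL name are assumptions. The inbound ACL on your own router protects only the router itself; a flood aimed at the link address has already consumed the circuit's bandwidth by the time your router drops it, so the same filter has to be applied by the ISP on its customer-facing interface, which is why the post says to work with the ISP.

```cisco
! --- Weak: public /30 on the ISP link, reachable from anywhere on the Internet ---
interface Serial0/0
 description Link to ISP (assumed public addressing)
 ip address 203.0.113.2 255.255.255.252
!
! --- Hardened: link numbered from space the ISP does not route from the Internet ---
interface Serial0/0
 description Link to ISP (assumed non-routed /30 agreed with the ISP)
 ip address 10.255.255.2 255.255.255.252
 ip access-group ISP-LINK-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
ip access-list extended ISP-LINK-IN
 remark Only the ISP's end of the /30 may talk to our link address
 permit ip host 10.255.255.1 host 10.255.255.2
 deny   ip any host 10.255.255.2
 permit ip any any
!
! Ask the ISP to apply the mirror image of ISP-LINK-IN on its customer-facing
! interface, so that floods aimed at the /30 are dropped before the circuit.
```

The `no ip unreachables` and `no ip redirects` lines keep the router from answering probes against the link address with ICMP of its own, which is the other way an attacker learns that the address exists.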
Second is the router. The router facing the ISP must enforce QoS, and it must work with the ISP to cut off any packets your router determines to be suspicious. Imagine three levels: known-good packets, questionable packets, and packets to drop. This is not an easy step. First of all, your router must possess some analytical ability to discern legitimate requests from DDoS traffic. Mind you, this is not a traditional flow-based access list; that approach would produce a million-line ACL. For example, it has to be able to build a whitelist of known-good sources and drop everything else. To do this, your ISP-facing router must contain a separate CPU that inspects packets and pushes updates to the ISP's access list. It is very similar to an IPS, but its sole purpose is to detect DDoS-type attacks. I believe this is not too hard: Cisco and other vendors can reprogram their IPS products to detect DDoS attacks. I'm sure they all can, but we need dedicated DDoS units. Your ISP must also dedicate a "virtual router" to your company's use, so that you can update the access list on the fly. This is doable using virtual device contexts on NX-OS.
So this step is a bit of a challenge, but most of the technology is available today. It takes will.
Third, your firewall must regulate the volume of requests coming in and must throttle them to keep the web servers from crashing. Firewalls must work harder to be part of this defensive scheme; a simple access list is not enough. The firewall must cap traffic at the rate your reverse proxy can handle and drop the excess before the proxy falls over.
This is a simple step if your firewall supports bandwidth shaping. If it does not, upgrade to one that at least supports a simple queue.
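The throttle described in the two paragraphs above, as an added example that is not code from the original post or from any firewall vendor. It uses two token buckets: a global bucket sized to what the reverse proxy can absorb, and a per-source bucket so that one flooding host cannot spend the whole global budget. The capacities, addresses and both request traces are constructed for the example; the second trace is the case a simple per-client limit misses, where a botnet of many sources each stays under the per-source limit and only the proxy-wide bucket saves the proxy.

```python
"""Added example, not code from the original post: a firewall-style request
throttle in front of a reverse proxy, built from two token buckets.  Rates,
addresses and the two request traces are constructed for the example."""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens/second refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RequestThrottle:
    def __init__(self, proxy_rps, proxy_burst, per_source_rps, per_source_burst):
        self.proxy = TokenBucket(proxy_rps, proxy_burst)
        self.per_source = defaultdict(lambda: TokenBucket(per_source_rps, per_source_burst))

    def decide(self, src, now):
        # Per-source check first: a single flooder is rejected without
        # draining the global budget that legitimate clients depend on.
        if not self.per_source[src].allow(now):
            return "DROP_SOURCE_LIMIT"
        if not self.proxy.allow(now):
            return "DROP_PROXY_LIMIT"
        return "FORWARD"


def summarize(throttle, trace):
    """Feed (timestamp, source) pairs through the throttle in time order;
    return per-source and overall decision counts."""
    per_source = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(int)
    for now, src in sorted(trace):
        decision = throttle.decide(src, now)
        per_source[src][decision] += 1
        totals[decision] += 1
    return {s: dict(c) for s, c in per_source.items()}, dict(totals)


# Constructed trace 1: one host sends 200 requests in a second (5 ms apart)
# while two ordinary clients send 5 requests each.
SINGLE_FLOOD_TRACE = (
    [(i / 200.0, "198.51.100.7") for i in range(200)]
    + [(i / 5.0, "192.0.2.10") for i in range(5)]
    + [(i / 5.0 + 0.05, "192.0.2.11") for i in range(5)]
)

# Constructed trace 2: 100 bots send 3 requests each within 0.1 s.  Every bot
# stays under the per-source limit, so only the proxy-wide bucket can protect
# the proxy; this is the case the firewall must handle.
DISTRIBUTED_FLOOD_TRACE = [(i / 3000.0, "10.0.0.%d" % (i % 100 + 1)) for i in range(300)]


def new_throttle():
    # Assumed capacities: the proxy sustains 50 req/s with a 20-request burst;
    # any one client gets 10 req/s with a burst of 10.
    return RequestThrottle(proxy_rps=50, proxy_burst=20, per_source_rps=10, per_source_burst=10)


def single_flooder():
    return summarize(new_throttle(), SINGLE_FLOOD_TRACE)


def distributed_flood():
    return summarize(new_throttle(), DISTRIBUTED_FLOOD_TRACE)


if __name__ == "__main__":
    for name, fn in (("single flooder", single_flooder), ("distributed flood", distributed_flood)):
        per_source, totals = fn()
        print(name, totals)
```

In the first trace the flooder gets 19 of its 200 requests through (the per-source burst plus one second of refill) while both ordinary clients are untouched; in the second, the proxy-wide bucket forwards 24 of 300 requests and drops the rest before they reach the proxy, which is exactly the "drop before the proxy crashes" behaviour the post asks for.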
Fourth, all ISPs must share a "common list" of infected hosts. This is not to be used as a blacklist in its own right, but as a database against which a suspicious source can be verified. That will greatly speed up the cut-off process while your network is being flooded. This is a simple step: we just need someone to start a site along the lines of the spam blocklists and keep track of infected machines.
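The three-tier router logic from the second point and the shared-list verification from this fourth point, as one added example that is not code from the original post or from any vendor's product. Each source is placed in one of three tiers (GOOD, QUESTIONABLE, DROP) from its per-source flow statistics; the shared infected-host list only corroborates a local finding, never convicts on its own; DROP hosts are aggregated to /24 prefixes so the ACL stays short instead of becoming the million-line list the post warns about; and the result is rendered as Cisco-style ACL lines that could be pushed to the ISP's virtual router. The thresholds, the partner prefix, the shared list and the flow sample are all constructed for the example.

```python
"""Added example, not code from the original post or any vendor product: a
three-tier DDoS classifier with a corroborating shared-list lookup, rendered
as Cisco-style ACL lines.  Thresholds, prefixes, the shared list and the flow
sample are constructed for the example."""
import ipaddress
from collections import defaultdict, namedtuple

# Per-source statistics for one measurement window: packets/second toward our
# web servers and the fraction of TCP connections left half-open (SYN, no ACK).
Flow = namedtuple("Flow", "src pps half_open_ratio")

KNOWN_GOOD_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]          # assumed partner network
SHARED_INFECTED = {"198.51.100.20", "198.51.100.21", "203.0.113.9"}  # assumed shared list

QUESTIONABLE_PPS = 200     # above this a source is policed, not trusted
DROP_PPS = 2000            # above this a source is dropped outright
HALF_OPEN_LIMIT = 0.8      # SYN-flood signature: most connections never complete
AGGREGATE_AT = 3           # this many DROP hosts in one /24 become a single prefix entry


def classify(flow):
    ip = ipaddress.ip_address(flow.src)
    if any(ip in net for net in KNOWN_GOOD_PREFIXES):
        return "GOOD"
    if flow.pps >= DROP_PPS:
        return "DROP"
    suspicious = flow.pps >= QUESTIONABLE_PPS or flow.half_open_ratio >= HALF_OPEN_LIMIT
    if not suspicious:
        return "GOOD"
    # The shared list is corroboration, not a blacklist: a listed host is dropped
    # only when our own measurements already flag it, and a suspicious host that
    # is not listed is policed rather than cut off.
    return "DROP" if flow.src in SHARED_INFECTED else "QUESTIONABLE"


def build_acl(flows, drop_acl="DDOS-EDGE-IN", police_acl="DDOS-POLICE"):
    """Return (tiers, acl_lines); tiers maps tier name -> list of sources."""
    tiers = defaultdict(list)
    for f in flows:
        tiers[classify(f)].append(f.src)

    # Collapse DROP hosts into their /24 when enough of the block is attacking,
    # so that a botnet does not turn into a million-line host ACL.
    by_block = defaultdict(list)
    for src in tiers["DROP"]:
        by_block[ipaddress.ip_network(src + "/24", strict=False)].append(src)

    lines = ["ip access-list extended %s" % drop_acl]
    for block, hosts in sorted(by_block.items()):
        if len(hosts) >= AGGREGATE_AT:
            lines.append(" deny ip %s %s any" % (block.network_address, block.hostmask))
        else:
            lines.extend(" deny ip host %s any" % h for h in sorted(hosts))
    lines.append(" permit ip any any")

    # QUESTIONABLE sources go in a match ACL for a QoS policer (permit = match);
    # they are rate-limited, not dropped, until more evidence accumulates.
    lines.append("ip access-list extended %s" % police_acl)
    lines.extend(" permit ip host %s any" % h for h in sorted(tiers["QUESTIONABLE"]))
    return dict(tiers), lines


# Constructed flow sample for one window.
SAMPLE_FLOWS = [
    Flow("192.0.2.5", 50, 0.02),        # partner: whitelisted
    Flow("198.51.100.20", 900, 0.95),   # suspicious and on the shared list -> DROP
    Flow("198.51.100.21", 400, 0.90),   # suspicious and on the shared list -> DROP
    Flow("198.51.100.22", 3000, 0.99),  # over the hard limit -> DROP regardless of list
    Flow("198.51.100.23", 300, 0.20),   # elevated rate, not listed -> QUESTIONABLE
    Flow("203.0.113.9", 20, 0.10),      # listed but locally clean -> GOOD (list is not a blacklist)
    Flow("203.0.113.50", 2500, 0.99),   # lone attacker in its /24 -> host entry
    Flow("203.0.113.77", 40, 0.05),     # ordinary client -> GOOD
]

if __name__ == "__main__":
    tiers, lines = build_acl(SAMPLE_FLOWS)
    for tier, hosts in sorted(tiers.items()):
        print(tier, hosts)
    print("\n".join(lines))
```

With the sample above the three attacking hosts in 198.51.100.0/24 collapse to one prefix entry, the lone attacker in 203.0.113.0/24 gets a host entry, the listed-but-clean host 203.0.113.9 is left alone, and the single questionable source lands in the policer ACL rather than the drop ACL.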
And lastly, all major and critical infrastructure must move to IPv6. This does not prevent DDoS attacks, but it will help us through "security by obscurity" (a temporary advantage at best). Later, with IPv6, especially once PAT and NAT are no longer hiding addresses, we can quickly locate the infected zombies. Besides, the attackers will have to rewrite their malware to work over IPv6, and that gives us a small window in which to secure our infrastructure. This is the hardest part. It takes money, planning and coordination, but it is a step that will pay dividends once we all move to IPv6.
So there, without spending a penny of government money, I have single-handedly solved our national security problem. So if Obama is listening, I am available for consultation, and my rates are very reasonable....
Copyright © Computrad (Europe) Limited - All Rights Reserved
10 Comments on Painful truth about DDoS