Imma Chargin Mah Lazer - How to protect against (D)DoS attacks

March 16, 2016 (at 2:30 p.m.) in Defense & Management

Distributed Denial of Service (DDoS) attacks have been transformed into a social activity by easy-to-use tools such as the Low Orbit Ion Cannon (LOIC). It usually starts on some social media platform (e.g. 4chan) with someone posting a target that should be taken down. All that the participants have to do is --- at an agreed upon time --- open LOIC, enter the URL, and press "IMMA CHARGIN MAH LAZER" to launch the attack. Apart from such DDoS parties, organized criminals either sell DDoS attacks directly, often called 'stress tests' so as not to raise suspicion, or they provide the infrastructure to launch DDoS attacks in the form of botnets.

Corporations are popular targets of (D)DoS attacks for many reasons: blackmail (DD4BC), politically motivated hacktivism (Anonymous, Lizard Squad, ...), competitive advantage, hate crime, script kiddies (because they can), or as a distraction from data exfiltration or other attacks. Whatever the reason, if such an attack succeeds and takes down an important web service, there are operational, reputational, and financial consequences. Corporations have therefore given the protection against such attacks quite some attention in recent years. A solid protection against (D)DoS attacks has to address various attack vectors. Vectors can usually be categorized as volume-, protocol-, or application-based, and protection methods may differ strongly between these categories.

This talk focuses on the different (D)DoS attack vectors found in the wild (protocol-based reflection attacks, TCP SYN floods, Ping of Death, Slowloris, etc.) and on the strategies to protect against them (from a corporate perspective). Technical and operational solutions to address the three attack categories will be presented together with their advantages and disadvantages. Volume-based attacks, for example, have to be dealt with at a point in the network where there is enough bandwidth to absorb them. Oftentimes a corporate network does not have the capacity to deal with volumetric DDoS attacks (ranging from ten to several hundred Gbps). Such attacks therefore have to be handled at an upstream network (ISP, cloud-based scrubbing center, etc.) where enough bandwidth is available. Protocol- and application-based attacks, however, can be dealt with on-premise, for example by properly configuring web servers or by deploying a dedicated anti-DoS appliance. Nevertheless, in the end a (D)DoS attack may come down to a battle between the attackers and the incident response team (with guaranteed management attention in the case of failure) --- and you want to be prepared for that, don't you?
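The three categories above can be told apart in traffic telemetry before anyone decides whether the response belongs upstream or on-premise. The following is an added example (not code from the talk or from ERNW) that runs a few simple heuristics over constructed flow records: aggregate inbound rate for volumetric traffic, bare-SYN ratio per source for SYN floods, and many long-lived, near-idle TCP connections per source for Slowloris-style attacks. The record shape, the sample flows and all thresholds are assumptions made for the example.

```python
"""Sort constructed flow records into the three (D)DoS categories.

Assumed record shape (constructed for this example, not a real flow format):
    (src_ip, proto, tcp_flags, packets, bytes, duration_s)
"""
from collections import defaultdict

# Illustrative thresholds (assumptions), tune to the monitored network.
VOLUME_GBPS = 1.0   # aggregate inbound rate the corporate uplink cannot absorb
SYN_RATIO = 0.9     # share of a source's TCP packets that are bare SYNs
SLOW_CONNS = 50     # long-lived, near-idle connections from one source

# Where the talk places the mitigation for each category.
MITIGATION_LAYER = {
    "volume": "upstream (ISP or cloud-based scrubbing center)",
    "protocol": "on-premise (server/network configuration, anti-DoS appliance)",
    "application": "on-premise (web server configuration, anti-DoS appliance)",
}

def classify_flows(flows, window_s=10):
    """Return (category, subject, metric) findings for one observation window."""
    findings = []
    gbps = sum(f[4] for f in flows) * 8 / window_s / 1e9
    if gbps > VOLUME_GBPS:
        findings.append(("volume", "aggregate", round(gbps, 2)))
    syn, tcp, slow = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, proto, flags, packets, nbytes, dur in flows:
        if proto != "tcp":
            continue
        tcp[src] += packets
        if flags == "S":                      # SYN without ACK: half-open attempt
            syn[src] += packets
        if dur >= 30 and nbytes / max(packets, 1) < 100:
            slow[src] += 1                    # held open, barely sending anything
    for src in tcp:
        ratio = syn[src] / tcp[src]
        if tcp[src] >= 100 and ratio >= SYN_RATIO:
            findings.append(("protocol", src, round(ratio, 2)))
    for src, n in slow.items():
        if n >= SLOW_CONNS:
            findings.append(("application", src, n))
    return findings

# Constructed sample window: reflection traffic, a SYN flood source,
# 60 idle Slowloris-style connections, and one ordinary client.
SAMPLE_FLOWS = (
    [("198.51.100.7", "udp", "", 1000, 1_400_000_000, 10)]
    + [("203.0.113.9", "tcp", "S", 500, 30_000, 1)]
    + [("192.0.2.5", "tcp", "PA", 3, 200, 60)] * 60
    + [("192.0.2.8", "tcp", "PA", 40, 50_000, 2)]
)

if __name__ == "__main__":
    for category, subject, metric in classify_flows(SAMPLE_FLOWS):
        print(category, subject, metric, "->", MITIGATION_LAYER[category])
```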

Oliver Matula

Oliver is an IT security researcher and practitioner at ERNW and has extensive experience on the offensive side of IT security (e.g. by means of penetration tests and research) and the defensive side (e.g. by means of consulting in large corporate environments).