Distributed Denial of Service (DDoS) attacks have been in the news recently, with one particularly prominent incident garnering national attention in the past week. Whilst the jury is still out on the nature and cause of that alleged attack, it should be remembered that DDoS attacks have been occurring for many years. In fact, you could say that students calling the White House en masse in the 1960s to protest against President Johnson's involvement in the Vietnam War, an attempt to flood the White House switchboard and block telephone communications, was an early DDoS attack.
Yet we now live in a connected era where billions of devices are connected to the internet, and these can be commandeered to participate in a DoS attack. Attacks can be coordinated by foreign countries against another country's infrastructure, by organised criminal groups, or even by a kid down the road in his bedroom on his laptop. Of course the sophistication of these attacks varies widely, and state-sponsored attacks are generally well funded and executed by highly skilled teams of individuals.
So are we ever going to see an end to these types of attacks? Most probably not. Instead, expect to see more and more of these attacks as they mutate and find new ways to flood foreign networks. Major events held online are going to be obvious targets for DDoS attacks because of the kudos the attackers can claim within their communities. However, you should assume any site or service connected to the net could be a target.
It is very hard to defend against these attacks because of the many different ways in which hackers may strike. Distinguishing between legitimate and malicious traffic is a complex task. Setting up filtering by hand is often impossible due to the large number of hosts involved in the attack.
Each organisation has multiple front-end points connected to the internet, including email, web and name servers. But back-end servers such as databases are also at risk: requests that hit front-end functions can impose a high load on the back-end resources behind them. So our first problem area is to identify each of the potential attack points in our organisation. Secondly, attackers may use new methods or modify existing attacks to circumvent established defence mechanisms. Static defences do not work if a yet-unknown attack is used. Instead our systems need to adapt to new types of attack.
Also keep in mind that, even during an attack, a proportion of the requests are still bona fide users of the service. This makes it harder to inspect the traffic and to work out a classification scheme for traffic filtering.
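The two difficulties just described, a hand-set filter that also drops legitimate users and a static limit that cannot adapt to observed traffic, can be seen on a small constructed data set. The following is an added example, not code from the original article: it builds a quiet baseline period and a flood period from constructed access events (the IP addresses, request rates and thresholds are all assumed for illustration), then compares a fixed per-source request limit against a limit derived from the busiest legitimate source in the baseline, and measures how much bona fide traffic each approach throws away. It also computes a simple aggregate request-rate ratio, a second signal that does not depend on any single source.

```python
"""Per-source request-rate filtering over constructed web-access events.

Added example, not from the original article. The events, addresses and
thresholds below are constructed for illustration only.
"""
from collections import Counter
from typing import Iterable, List, Set, Tuple

# An event is (timestamp_seconds, source_ip, path).
Event = Tuple[int, str, str]

# The two legitimate clients present in every period (constructed).
LEGIT = {"198.51.100.7", "198.51.100.8"}


def constructed_baseline() -> List[Event]:
    """Quiet 5-second window, t=0..4: only the two legitimate clients.

    198.51.100.7 is a busy but legitimate client at 1 request/second;
    198.51.100.8 requests every other second.
    """
    events: List[Event] = []
    for t in range(5):
        events.append((t, "198.51.100.7", "/search"))
        if t % 2 == 0:
            events.append((t, "198.51.100.8", "/index.html"))
    return events


def constructed_flood() -> List[Event]:
    """Attack 5-second window, t=10..14: same clients plus 20 bot sources.

    Each bot in 203.0.113.0/24 sends 3 requests/second (constructed).
    """
    events: List[Event] = []
    for t in range(10, 15):
        events.append((t, "198.51.100.7", "/search"))
        if t % 2 == 0:
            events.append((t, "198.51.100.8", "/index.html"))
        for bot in range(1, 21):
            for _ in range(3):
                events.append((t, f"203.0.113.{bot}", "/index.html"))
    return events


def per_source_counts(events: Iterable[Event]) -> Counter:
    """Number of requests seen from each source in the window."""
    return Counter(src for _, src, _ in events)


def static_filter(events: Iterable[Event], limit: int) -> Set[str]:
    """Flag every source whose request count exceeds a hand-set limit."""
    return {src for src, n in per_source_counts(events).items() if n > limit}


def adaptive_filter(events: Iterable[Event], baseline: Iterable[Event],
                    factor: int) -> Set[str]:
    """Derive the limit from the busiest source seen in the quiet baseline.

    A source is flagged only if it exceeds `factor` times that observed peak,
    so a legitimately busy client keeps its place under the threshold.
    """
    baseline_peak = max(per_source_counts(baseline).values())
    return static_filter(events, baseline_peak * factor)


def legit_dropped(flagged: Set[str], events: Iterable[Event],
                  legit: Set[str]) -> float:
    """Fraction of legitimate requests that the filter would discard."""
    events = list(events)
    total = sum(1 for _, src, _ in events if src in legit)
    lost = sum(1 for _, src, _ in events if src in legit and src in flagged)
    return lost / total if total else 0.0


def aggregate_ratio(events: Iterable[Event], baseline: Iterable[Event]) -> float:
    """Total request volume relative to the baseline window of equal length.

    This source-independent signal rises with the whole flood, regardless of
    how the requests are spread across senders.
    """
    return len(list(events)) / len(list(baseline))


if __name__ == "__main__":
    base, flood = constructed_baseline(), constructed_flood()
    fixed = static_filter(flood, limit=4)
    learned = adaptive_filter(flood, base, factor=2)
    print("static  : flagged", len(fixed), "sources, legit dropped",
          legit_dropped(fixed, flood, LEGIT))
    print("adaptive: flagged", len(learned), "sources, legit dropped",
          legit_dropped(learned, flood, LEGIT))
    print("aggregate volume ratio:", aggregate_ratio(flood, base))
```

Running the script shows the trade-off the article describes: the hand-set limit of 4 requests per window flags all 20 bots but also the legitimate client at 198.51.100.7, discarding 62.5% of bona fide requests, whereas the limit learned from the baseline (2 x the observed peak of 5) flags exactly the 20 bots and no legitimate traffic. The aggregate ratio of 38.5 is an independent indicator that the service is under unusual load even before any per-source decision is made.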