How to try to stop DDoS Attacks

How to try to stop DDoS Attacks

Summary: You can't stop them, but you can try to lessen their damage. Here's how.

TOPICS: Security, Servers

Happy holidays! Your Web server just died! I use the word 'try' very deliberately in my title. The truth of the matter is that there isn't a damn thing you can do that will stop a serious distributed denial of service (DDoS) attack. There are though some ways to try to deal with them.

Mind you, there is actually is a way that would put an end to most DDoS attacks. It requires that all Windows-based botnets be ripped out by the roots. Too bad, that's not going to happen.

Windows is insecure by design and used by hundreds of millions and many of those users wouldn't know an anti-virus program from Angry Birds. Millions of Windows computers, including maybe yours, are slave labor in one of the various botnets. Since we're not going to be rid of Windows anytime soon and it's not going to get any safer, the reality is that botnet-powered, brute-force DDoS attacks are only going to continue.

Actually, that's not true. I think DDoS attacks are actually going more and more often. Here are some ways to mitigate them.

Some kinds of DDoS attacks are less common than they used to be. As Sean Donelan, program manager of network and infrastructure security at the Department of Homeland Security noted in an e-mail message on the North American Network Operators Group (NANOG), a group devoted to backbone and enterprise networking, mailing list, "SMURF attacks creating a DDoS from directed broadcast replies seems to have been mostly mitigated by changing defaults in major router OS's. TCP SYN attacks creating a DDOS from leaving many half-open connections seems to have been mostly mitigated with SYN Cookies or similar OS changes."

In short, if you update your gateway servers, switches, and firewalls to their most recent operating systems you should be protected from attacks that rely on TCP/IP and TCP/IP stack implementation weaknesses. You should have been doing this along. If you haven't been, run, don't walk, to your server room and update your systems.

Still, if someone really wants you to smack your Web site around, there's not a lot you can do. As Jonas Frey, owner of Probe Networks, a Germany networking security company wrote on the same list there's not much you can do about a DDoS attack except try to have a lot of bandwidth. "Even if you go for 802.3ba with 40/100 Gbps [Gigabits per second] you'll need a lot of pipes."

That's because, Frey explained, "Nowadays the consumers have a lot more bandwidth and it's easier than ever to setup your own botnet by infecting users with malware and alike. Even though end users usually have less than 2Mbps [Megabits per second] upstream the pure amount of infected users makes it worse than ever." If you count on Windows users using proper security, but you can't. As Frey pointed out, "There is just no patch for human stupidity."

What this means is that you need all the bandwidth you can get for your Web servers. If your Web servers live at a Web hosting company, check in and see just much connectivity they have to major Internet backbones. If they reply on only one or two backbones providers and/or their pipes aren't that big, I'd go looking for another one. When it comes to dealing with DDoS attacks, there's no such thing as enough bandwidth.

Page 2: [Anycast and Load Sharing] »

Anycast and Load Sharing

If your company has Web sites co-hosted at several locations one thing you can do that will help is to use anycast and Multi-cast Source Discovery Protocol (MSDP).

Anycast is a networking technique where the same IP prefix is advertised from multiple Internet locations. What that means in English is that multiple servers for a single domain share the same IP address.

Here's what happens when a DDoS attack comes along on a properly set-up anycast Web site. A Web page request comes in, and the network switch checks to see if the closest, in terms of network distance, server is alive and well. If it's not, due to a DDoS attack, anycast will automatically send the Web request along to the next, hopefully, healthy server. So, if you have servers at say New York, San Francisco, and London, and an attack is coming from a U.S. East coast-based botnet, the load from the attack is automatically shared with the other sites.

Anycast, or any other distributed load-sharing technology, doesn't provide perfect protection. A big enough DDoS assault will topple all your anycast, or any other distributed network servers, like a row of dominoes. That's not good.

There are companies like Arbor Networks, BlockDOS, and ServerOrigin that offer DDoS protection services, but none of them are offering perfect defenses.

What many DDoS protection companies, like BlockDOS and ServerOrigin, are just doing is they're just offering distributed server hosting with anycast or other techniques to provide failover server protection. If you don't have expert network administrators or a Web hosting company with multiple hosting farms, that may be exactly what you need. Arbor offers real-time, network analysis servers so you can see DDoS storms coming and then take defensive measures with their help.

No, for now, at least, we're stuck with trying to make the best we can of a bad Internet situation. As Arbor Networks' solutions architect, Roland Dobbins wrote on the NANOG mailing list,"DDoS is just a symptom. The problem is botnets." And, that problem isn't going away anytime soon.

Topics: Security, Servers

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: How to try to stop DDoS Attacks

    This would be a great article if you omitted paragraphs 2 and 3 because they are not true. Botnets are not a Microsoft Windows only network.
    Loverock Davidson
    • Perhaps...

      They're not quite 100% more like 99.999%
    • And back in the real world... Nt

      Richard Flude
    • I stopped reading after this

      @Loverock Davidson <br>From his "Windows is insecure by design" link:<br><i>First, desktop Windows stands firmly on a foundation as a stand-alone PC operating system. It was never, ever meant to work in a networked world. So, security holes that existed back in the day of Windows for Workgroups, 1991, are still with us today in 2009 and Windows 7.</i><br><br>Sure, if you will admit that OS X stands firmly on a foundation as a stand-alone PC operating system because all Mac OSs before OS X were not multi-user.<br><br>Okay, I did continue reading but I stopped after this:<br><i>Besides that, Windows, again harking back to its single-user, stand-alone ancestry all too often defaults to requiring the user to run as the all-powerful PC administrator. </i><br><br>It is unbelievable to me that not only would anyone expose their ignorance like this but that Steven J. Vaughan-Nichols would give it any publicity, thus soiling his name too. The Windows code that eventually turned into Windows 7 today was multi-user since day one, 17 years ago.<br><br>Steven J. Vaughan-Nichols, please update your blog apologizing for your promotion of an article that spouts blatant lies. If not, I will have to assume that you are a willing participant in the spread of these lies which would make you a liar.

      PS It also means that your article itself is also probably wrong and full of misinformation. You really messed up on [b]extremely[/b] basic information so I have absolutely no faith that you could ever advise anyone on how to stop a DDoS attack. You really don't seem smart enough to handle it.
      • Link Is More Accurate than You Say

        @NonZealot <br>It's true that Windows now is based upon an underlying foundation that is much more secure than the DOS based Windows versions of the past (ME, 98, 95, 3.1). Those operating systems really had no security whatsoever. (Amazingly, though, you can still manage to avoid most problems even with them by using a hardware firewall and judicious web surfing, but I digress.)<br><br>However, if you actually read the article in the link, you can realize that the author isn't talking about the underlying foundation of the code, like the kernel and the permissions system. He is talking about the API and the user environment.<br><br>The application compatibility of current versions of Windows with old, non-secure versions of Windows is the weight that drags Windows security down a bit (not as much as it used to, but still some). Legacy Windows operating systems will be a problem for Windows as long as there is a demand for legacy compatibility. It's difficult for Microsoft to throw this weight off without breaking compatibility with legacy software, and really muzzling their greatest advantage in maintaining their market share percentage.<br><br>Also, Microsoft is loath to say something along the lines of, "We really have to do away with OLE because it's insecure," because their customers are hearing, "We have to do away with this great, convenient feature, and we don't care how much you like it."<br><br>Of course, this is more proof that there is always somewhat of a compromise between security and convenience. In general, Microsoft has favored convenience over security, and it's worked out pretty well for them much of the time.
      • Could not reply to CFWhitman so I'll reply to you

        @CFWhitman. I agree with NonZealot The API insecurity only applies if you can authenticate with the machine. IOW you have to break into the machine in the first place.
        Mac OSX has proven time and time again to be easy to break into.
  • The largest botnet in the world...the envelope please...

    ...drum roll....the tension is incredible...
    Microsoft Update.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: How to try to stop DDoS Attacks

      @Dietrich T. Schmitz, Your Linux Advocate
      LOL - Wow you need to get out of the basement. Must be cold in the northeast
    • RE: How to try to stop DDoS Attacks

      @Dietrich T. Schmitz, Your Linux Advocate

      In an attempt to reduce the need for the `largest botnet in the world`, I plan to hand out Linux Live CD's to my poor suffering WindoZE friends.

      "Friends never let friends get infected by using WindoZE".
      • RE: How to try to stop DDoS Attacks


        Tjhen they'll suffer even more because none of the harware will work and they'll be reduced to a CLI box, subsequently they'll throw your disks back at you and you'll get a bunch of cuts.
      • RE: How to try to stop DDoS Attacks

        And they will have to go back to XP interface and mediocre albeit free software. And yes I have a Kubuntu 10.10's OK but always seems 2nd class as far as software goes. Development IDE is lacking something fierce, I feel like I'm back in 1990's...brrr.
      • RE: How to try to stop DDoS Attacks


        LOL....I tried out Ubuntu recently after hearing all the buzz about it over the past couple of years. Loaded it on a VMWare session. Doesn't look like much has changed since Redhat Linux, so I'm not very impressed with it. It's great as a workstation platform for those who like to tinker and it's great for a server platform for some applications, but just like Solaris, it is no threat to Windows and not very appealing in the business enviornment.

        That makes three flavors of Linux that I have played around with: Redhat Linux, SuSe Linux and Ubuntu. None of them really wows me. The best Linux based OS to date is still Mac OS/X.....but I will stick with the Windows platform for business use.

        You get what you pay for.
    • RE: How to try to stop DDoS Attacks

      @Dietrich T. Schmitz, Your Linux Advocate

      Gotta be one Linux dweeb in the bunch... How's your pocket protector?
      • wow this is rediculous


        Jesus this is just like Star Wars vs. Star Trek with you people! Is it realyl impossible to like more than one OS? News Flash people, ALL OS's HAVE ISSUES! The only reason Windows gets flak is because its on top of the market right now. As for Linux? What the hell is wrong with an OS that lets you do anything with it? If you don't like it don't use it! And Apple, Ok I understand that The company can be money grubbing @$$holes, but so can any other big company. The OS still works well and does what the people who use it need it to do. Seriously people, if you're going to make comments, make them relevant to the topic and not turn them into an OS war.
        • lol

          Yeah, quote "Whats wrong with an OS that lets you do anything.." Linux is one of those OS you spend time making your desktop shiny but when it comes to REAL tasks such as Video Editing, Professional Audio Recording, Playing a game it fails to do any. Oh and the open source "alternatives" to sony vegas and FL studio are complete utter crap, having to run WINE and configure it just to play a game which will be laggy and have shitty gfx on linux sucks... so in essense NO that OS can't do 'Anything' those are lies and we all know it.
          Yo Andy Roman
          • Might have a point there

            Yes I agree the fault is the software developers to lazy to produce versions for other systems. Linux is the system that will be with us always. The software guys can't compete with the free wares I guess. Their ware is not good enough to pay for?
    • MS Update

      @Dietrich T. Schmitz, Your Linux Advocate

      BotNet is a network of PCs with a command and control center.

      Microsoft Update is just that.
      They don't install viruses, trojans, spew spam.
      It just happens to be the largest botnet. Get it? Goooood.
      Dietrich T. Schmitz, ~ Your Linux Advocate
      • RE: How to try to stop DDoS Attacks

        @Dietrich T. Schmitz, Your Linux Advocate

        No, we don't get it, because a botnet is something that is used WITHOUT YOUR KNOWLEDGE to do something BAD on your computer.
  • RE: How to try to stop DDoS Attacks

    Well, if various OS's and routers simply prevented massive IP sends from the OS and from the router this would limit even botnots. If my PC is sending 100 request to www.???.com every second, hum, my PC is likely rogue.
    • RE: How to try to stop DDoS Attacks

      Why does my PC need the ability to be able to send 1000 emails/second?
      A simple constrictor program/OS setting would require "botnet overlords" to have to infect several orders of magnitude more PCs, to get the same "ROI".
      As a result they would be more noticeable.