Happy holidays! Your Web server just died! I use the word ‘try’ very deliberately in my title. The truth of the matter is that there isn’t a damn thing you can do that will stop a serious distributed denial of service (DDoS) attack. There are, though, some ways to try to deal with one.
Mind you, there actually is a way that would put an end to most DDoS attacks. It requires that all Windows-based botnets be ripped out by the roots. Too bad that’s not going to happen.
Windows is insecure by design and used by hundreds of millions and many of those users wouldn’t know an anti-virus program from Angry Birds. Millions of Windows computers, including maybe yours, are slave labor in one of the various botnets. Since we’re not going to be rid of Windows anytime soon and it’s not going to get any safer, the reality is that botnet-powered, brute-force DDoS attacks are only going to continue.
Actually, that understates it. I think DDoS attacks are going to happen more and more often. Here are some ways to mitigate them.
Some kinds of DDoS attacks are less common than they used to be. As Sean Donelan, program manager of network and infrastructure security at the Department of Homeland Security, noted in an e-mail message on the North American Network Operators Group (NANOG) mailing list, a group devoted to backbone and enterprise networking, “SMURF attacks creating a DDoS from directed broadcast replies seems to have been mostly mitigated by changing defaults in major router OS’s. TCP SYN attacks creating a DDOS from leaving many half-open connections seems to have been mostly mitigated with SYN Cookies or similar OS changes.”
In short, if you update your gateway servers, switches, and firewalls to their vendors’ current operating systems, you should be protected from attacks that rely on those old TCP/IP stack implementation weaknesses. The update only helps if nobody has overridden the safer defaults in a local configuration, so check that SYN cookies and broadcast filtering are actually on. You should have been doing this all along. If you haven’t been, run, don’t walk, to your server room and update your systems.
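Updating the OS is only half the job; the other half is confirming the defaults Donelan mentions are really in effect on the box in front of you. The script below is an added example written for this article, not code from the author or from any vendor tool. It audits a Linux host’s sysctl settings for the knobs that cover the two attack classes named above: SYN cookies (plus a sane SYN backlog and retry count) for half-open floods, and ignoring ICMP echo to broadcast addresses (plus reverse-path filtering) for smurf-style amplification. The threshold values are this example’s own choices, and the input is a file in sysctl(8) format, either `sysctl -a` output (“key = value”) or an /etc/sysctl.conf (“key=value”); the sample host data at the bottom is constructed.

```shell
#!/bin/sh
# Added example: audit a Linux host for the kernel settings that close the
# SYN-flood and smurf/directed-broadcast holes described in the article.
# Not from the original article or any vendor tool.

# Desired settings: key, test(1) operator, threshold.
# Thresholds are this example's own assumptions, not values from the article.
REQUIRED='net.ipv4.tcp_syncookies -eq 1
net.ipv4.icmp_echo_ignore_broadcasts -eq 1
net.ipv4.conf.all.rp_filter -ge 1
net.ipv4.tcp_max_syn_backlog -ge 4096
net.ipv4.tcp_synack_retries -le 2'

# lookup_key FILE KEY: print the last value set for KEY in FILE, or nothing
# if it is never set. Accepts "key = value" (sysctl -a) and "key=value".
lookup_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# audit_sysctl FILE: print one line per failing key, in the form
#   "key: have X, want OP Y"   or   "key: unset, want OP Y"
# Returns 0 when every required key passes, 1 otherwise.
audit_sysctl() {
    file=$1
    bad=0
    while read -r key op want; do
        [ -z "$key" ] && continue
        have=$(lookup_key "$file" "$key")
        if [ -z "$have" ]; then
            echo "$key: unset, want $op $want"
            bad=1
        elif ! [ "$have" "$op" "$want" ] 2>/dev/null; then
            echo "$key: have $have, want $op $want"
            bad=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $bad
}

# fix_commands FILE: turn the audit failures into `sysctl -w` lines you can
# review and then carry over into /etc/sysctl.conf.
fix_commands() {
    audit_sysctl "$1" | sed -n 's/^\([^:]*\):.*want -[a-z]* \([0-9]*\)$/sysctl -w \1=\2/p'
}

# Constructed sample: a host still running pre-SYN-cookie defaults.
sample=$(mktemp)
cat >"$sample" <<'EOF'
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 5
net.ipv4.conf.all.rp_filter = 1
EOF
audit_sysctl "$sample" || fix_commands "$sample"
rm -f "$sample"
# On a live box: sysctl -a 2>/dev/null >/tmp/live.txt && audit_sysctl /tmp/live.txt
```

Two caveats when reading the output. SYN cookies only engage once the SYN backlog overflows, so a tiny `tcp_max_syn_backlog` still means a short, cheap window for the attacker; raise both, not just the cookie flag. And this covers the host side only: the router-side counterpart to `icmp_echo_ignore_broadcasts` is `no ip directed-broadcast` on Cisco IOS (the default since 12.0), which is the “changed default in major router OS’s” Donelan is referring to.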
Still, if someone really wants to smack your Web site around, there’s not a lot you can do. As Jonas Frey, owner of Probe Networks, a German network security company, wrote on the same list, there’s not much you can do about a DDoS attack except try to have a lot of bandwidth. “Even if you go for 802.3ba with 40/100 Gbps [Gigabits per second] you’ll need a lot of pipes.”
That’s because, Frey explained, “Nowadays the consumers have a lot more bandwidth and it’s easier than ever to set up your own botnet by infecting users with malware and the like. Even though end users usually have less than 2Mbps [Megabits per second] upstream the pure amount of infected users makes it worse than ever.” You would like to count on Windows users practicing proper security, but you can’t. As Frey pointed out, “There is just no patch for human stupidity.”
What this means is that you need all the bandwidth you can get for your Web servers. If your Web servers live at a Web hosting company, check in and see just how much connectivity they have to the major Internet backbones. If they rely on only one or two backbone providers and/or their pipes aren’t that big, I’d go looking for another host. When it comes to dealing with DDoS attacks, there’s no such thing as enough bandwidth.