DDoS Attack and Resiliency Measures
Recently DDoS has come into the news because of recent attack (by IoT devices) on Twitter. Although DDoS is not a new kind of attack, because of the advent of IoT, the "smart" devices are new victims for web-based attacks, and as per the predictions it is more likely to grow. What makes this situation even more perilous is the rapid growth of IoT devices out there on the market. As per the estimate, there would be around 50 billion connected devices by the year 2020.
Enough talk, let's talk about the solution now. The DDoS attacks cannot be mitigated completely but by taking some measures the effect can be minimized. This is the theme of this post. Let’s first understand...
What Is DDoS?
DDoS stands for Distributed Denial of Services. It is a type of denial of service attack where multiple compromised systems are used to target a single system.
Types of DDoS:
Flood, Reflection Attack: An attacker that uses either collaborator or compromised systems and uses all these systems to initiate a flood of attacks against a particular server or application.
Amplification Attack: The attacker is going to use one of the spoofed IP. They are going to spoof their IP so that they are using someone else's IP, and they are using it to send a very small byte say 64 bytes, and then, as a result, the amplification, the response to the target server is going to be anywhere between 25-50 times more.
Flood, Reflection and Amplification attack combined: It's a combination of above two attacks.
Resiliency Measures:
Following are the remedy to mitigate these attacks.
Minimize the attack surface:
- Reduce the number of necessary internet entry points. So if you have got a lot of them, you want to evaluate what you have in DMZ and minimize those to absolute minimum.
- Eliminate non-critical internet entry points. If there are services that are out there that don't need to be out there, that can be put into the private network.
- Separate end user traffic from management traffic. Obfuscate necessary internet entry points to the level that untrusted end users cannot access them. One of the best way to do this is by using a "Jump server". Make sure you list down IP addresses that are going to be connected to that jump server, everything else has to be blacklisted.
- Decouple internet entry points to minimize the effects of attacks. So basically don't put everything on server. You should have multiple server which are also locked down in a private subnet of your VPC.
Scale to Absorb the Attack:
- Design your infrastructure to scale out and up. It gives you resiliency and redundancy throughout the environment. It can be easily achieved through auto-scaling features (if you are in cloud). So the idea is, if you are scaling up, the attacker is also needs to scale up the infrastructure and they may not have that at their disposable. Also, scaling buys you time to analyze the attack and respond.
- Attack is spread over a large area, which can be achieved using something like a CloudFront (AWS). It has hundreds of Edge sites all over the world. So the attack would have to have more infrastructure / capability.
- Protect exposed resources: You can protect your resources via different ways, say using Geo-Restriction and OAI (Origin Access Identity) which can be achieved via service like CloudFront where all the request is going to have filtered via this service instead of actually hitting the resources directly.
- It can also be used through Alias Record Sets by using AWS Route53. If you are pointing to a load balancer and if you identify an attack, you can very quickly point it to another load balancer.
- Use Private DNS names instead of using publicly facing or addressable DNS names.
WAF (Web Application Firewall): It’s a layer 7 (application) firewall. It’s going to monitor the traffic that’s going in and out and it's looking for things like SQL injection, all the things that happens over the application level.
This is in addition to network level IDS / IPS appliances that you put in your environment. IDS is Intrusion Detection System which basically monitors every inbound and outbound traffic on which IPS works. IPS is Intrusion Prevention System which detect and prevents the attacks.
Finally, create a plan for attacks. So it's not just enough to just mitigate these attacks by addressing them. You have to be prepared by validating the architecture and select the techniques that works for your infrastructure and application. Apart from above infrastructure level measures it is recommended that you follow software threat modeling techniques like,
Last but not the least, you need to have a governance model there to know whom to contact when an attack happens and respective contingency measures.
(This article originally posted by me on Dzone)