Monday 4 February 2013

Some thoughts on Distributed Denial of Service (DDoS) attacks

I recently answered a question on StackOverflow on how web applications could be protected from a DDoS. This was a popular question, and (for me) a very popular answer, and a few other members added their thoughts.  I have expanded on my post, done more research, and rewritten large portions.

UPDATE: Spamhaus was subject to an enormous DDoS in March 2013 and they turned to Cloudflare, a professional CDN I mentioned in this posting. I discuss the attack in a follow-up posting here and a second here.

What is a Distributed Denial of Service?

DDoS is a family of attacks which overwhelm key systems in the datacenter, disabling your web site and the web applications you are running on it. DDoS attacks are very common and carried out for a number of reasons:

  • Political or ideological individuals, or groups as Anonymous
  • Criminal groups using them either to:
    • Extort money from business that don't know how or can't afford to protect themselves or
    • Are paid to damage business competitors reputation or ability to trade on the web

The first DDoS attacks were very simple, but they have evolved over the years taking advantage of any weakness in the network protocols, firewalls, operating systems and web servers. However, at the most basic level, a DDoS can be indistinguishable from just a lot of users accessing your services - almost like a digital Occupy.

DDoS can attack any one (or indeed several) of the many different components of the application stack including:
  • The hosting center's network connection to the internet
  • The hosting center's internal network and routers
  • Your firewall and load balancers
  • Your web servers, application servers and database.
DDoS is just one way hackers can attack your systems and services. When securing your systems, you should consider defense against DDoS as just one aspect of your overall security posture.

There's a lot of information below the break.