By Klaus Majewski
Denial of service attacks come in two main forms: an attempt to take the server itself down, or an attempt to exhaust the bandwidth of the network leading to the server.
Most of the attacks trying to disrupt the target server exploit vulnerabilities either in the server operating system or in the application server. The attacker can also try to exhaust the server's resources: he can open a large number of half-open connections, hoping that the operating system of the target server will either crash or stop accepting new connections. These kinds of attacks are called TCP floods.
Fortunately, Intrusion Prevention Systems (IPS) are fairly effective at stopping these attacks. A good IPS uses several different detection methods to find attacks and to stop them before they reach the target server.
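One of the simplest checks an IPS or a host monitor can run for the half-open-connection flood described above is to count connections stuck in the SYN-RECV state per remote address. The following is an added example, not code from the article or from any IPS product; the input is a constructed sample shaped like `ss -tan` output, and the threshold values are illustrative assumptions.

```python
"""Count half-open TCP connections per source from ss-style output.

Added example. Assumptions not taken from the article: the input has the
column layout of `ss -tan` (State, Recv-Q, Send-Q, Local, Peer), and the
per-source and total thresholds are illustrative numbers, not tuned values.
"""
from collections import Counter

# Constructed sample in the shape of `ss -tan` output. One peer holds four
# half-open (SYN-RECV) connections, a second peer holds one.
SAMPLE_CONNECTIONS = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:80         203.0.113.10:40012
SYN-RECV   0      0      10.0.0.5:80         198.51.100.7:51234
SYN-RECV   0      0      10.0.0.5:80         198.51.100.7:51235
SYN-RECV   0      0      10.0.0.5:80         198.51.100.7:51236
SYN-RECV   0      0      10.0.0.5:80         198.51.100.7:51237
SYN-RECV   0      0      10.0.0.5:80         192.0.2.44:60001
ESTAB      0      0      10.0.0.5:443        192.0.2.44:60002
LISTEN     0      128    0.0.0.0:80          0.0.0.0:*
"""


def peer_ip(peer_field):
    """Strip the port from 'a.b.c.d:port' or '[v6addr]:port'."""
    if peer_field.startswith("["):
        return peer_field[1:peer_field.index("]")]
    return peer_field.rsplit(":", 1)[0]


def half_open_by_source(text):
    """Return a Counter of SYN-RECV connections keyed by peer IP."""
    counts = Counter()
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        if fields[0] == "SYN-RECV":
            counts[peer_ip(fields[4])] += 1
    return counts


def assess(counts, per_source_limit=3, total_limit=4):
    """Flag a suspected flood and list sources over the per-source limit."""
    total = sum(counts.values())
    offenders = sorted(ip for ip, n in counts.items() if n > per_source_limit)
    return {
        "total_half_open": total,
        "flood_suspected": total > total_limit,
        "offenders": offenders,
    }


if __name__ == "__main__":
    print(assess(half_open_by_source(SAMPLE_CONNECTIONS)))
```

On the sample, the aggregate count trips the total limit and the single peer with four half-open connections is listed as an offender. Real thresholds depend on the server's normal connection rate, and a distributed flood can stay under any per-source limit, which is why the total count is checked as well.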
Many organizations are spending a lot of money on Denial of Service (DoS) defenses, but they fail to notice one easy target, namely their Internet connection. In many cases, it is just too easy to exhaust the bandwidth that connects the target server to the Internet. A typical Internet connection speed of a medium-sized company is between 1.5 Mbps and 10 Mbps. It does not require a huge amount of traffic to fill that kind of an Internet pipe. To make things worse, this might be the only connection that the company has to the outside world. The company is using it to connect remote offices with VPN (Virtual Private Network) and their partners are using it to connect to the company’s production systems.
What happens when this Internet connection is filled with bogus traffic?
The business stops. It does not matter what kind of protection mechanisms the company has on their side of the Internet connection. No business traffic can get through it, because it is already full.
Why are companies’ Internet pipes so small?
Because bigger Internet lines are very expensive. Many people think you can get a 24 Mbps line cheaply, but that is not true. Home users usually pay a lot less for their lines because they do not have to have the same high speed in both directions as companies do. Home users usually need downstream speed because they are downloading music, videos or other content. They do not normally send that much traffic upstream, or out to the Internet. Business web sites are sending a lot of content out to the Internet, so they need high upstream speed. Unfortunately, upstream speed costs money. This is why many companies do not have very high-speed Internet connections. They try to buy as small an Internet pipe as possible to meet their traffic needs.
This is a weakness that attackers use to their advantage. They will try to fill the company's thin Internet pipe with bogus traffic and thereby exhaust the bandwidth. As a result, the company's web site becomes unavailable to customers, which is exactly what the attacker wanted.
The attacker creates a distributed denial of service (DDoS) attack. This means he has infected several hundred machines with viruses. Viruses are small self-propagating programs that spread fast. They can also carry a payload, which means that they are carrying, for example, a DoS program and installing it on the infected computer.
A group of infected machines is called a botnet. The DoS programs can be managed centrally, so the attacker can instruct all of them to attack the same target host simultaneously. The target host will receive huge amounts of bogus web traffic from the botnet, consuming all the bandwidth of the target company's Internet connection.
The best solution would be to secure all home computers on the Internet so that viruses could not propagate and, consequently, there would not be any botnets. Unfortunately, there are hundreds of thousands of home computers that have neither antivirus nor host firewall protection. This means that they are an easy source of botnets for attackers.
The problem is not going to disappear in the near future, so let’s take a look at other remedies.
A fast solution is to increase the bandwidth of the Internet connection. High bandwidth Internet pipes come with a high price tag. If you do not want to spend too much money on one high speed Internet connection, you can buy a firewall solution that combines several low cost Internet connections into a larger "virtual" Internet connection. Of course, the attacker can use a bigger botnet to fill even that bigger Internet pipe. On the other hand, the bigger the attacker's botnet gets, the easier it is to locate and stop it with the help of ISPs.
Companies can use different Internet connections for publicly available services (like web services) and business critical services (remote office connectivity, CRM or ERP systems). Publicly available services are easy targets, because the attacker can find them through the Domain Name System (DNS).
If business critical services use different Internet connections than public services, they are not affected even if the public services are under DDoS attack. Modern high availability firewalls can easily utilize several Internet connections and thus protect business critical traffic against DDoS. It is also easy to add new Internet Service Providers (ISPs) on the fly if more bandwidth is needed.
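The two points made above, that a link in the 1.5 to 10 Mbps range fills quickly and that business critical services on a separate link stay unaffected, can be checked from ordinary interface counters. The following is an added example, not code from the article or from any firewall product: the link capacities, the service-to-link mapping, the 90% saturation threshold and the byte counters are all constructed here, and a real monitor would pull the counters from the firewall or router instead.

```python
"""Per-link inbound utilization from interface byte counters.

Added example. Assumptions not taken from the article: the topology below
(two ISP links, services pinned to one link each), the 90% saturation
threshold and the counter samples are constructed for illustration.
"""

# Constructed topology: each ISP link has a capacity in Mbps and carries a
# fixed set of services (public web on one link, business traffic on another).
LINKS = {
    "isp-a": {"capacity_mbps": 10.0, "services": ["public-web"]},
    "isp-b": {"capacity_mbps": 1.5, "services": ["vpn-remote-offices", "partner-erp"]},
}

# Constructed counter samples: (timestamp in seconds, {link: rx_bytes_total}).
# Over 10 s, isp-a receives 12.5 MB (a full 10 Mbps) and isp-b 375 kB.
SAMPLES = [
    (0, {"isp-a": 1_000_000, "isp-b": 500_000}),
    (10, {"isp-a": 1_000_000 + 12_500_000, "isp-b": 500_000 + 375_000}),
]


def inbound_mbps(samples, link):
    """Inbound rate in Mbps between the first and last counter sample."""
    (t0, c0), (t1, c1) = samples[0], samples[-1]
    delta_bytes = c1[link] - c0[link]
    if delta_bytes < 0:
        # Counter wrap or device reset: this interval cannot be trusted.
        raise ValueError(f"{link}: counter went backwards, discard interval")
    return delta_bytes * 8 / (t1 - t0) / 1_000_000


def assess_links(links, samples, saturation=0.9):
    """Per-link rate, utilization fraction and a saturated flag."""
    report = {}
    for name, cfg in links.items():
        mbps = inbound_mbps(samples, name)
        util = mbps / cfg["capacity_mbps"]
        report[name] = {
            "mbps": round(mbps, 3),
            "utilization": round(util, 3),
            "saturated": util >= saturation,
        }
    return report


def impacted_services(links, report):
    """Services whose link is saturated; everything else is still reachable."""
    return sorted(
        service
        for name, cfg in links.items()
        if report[name]["saturated"]
        for service in cfg["services"]
    )


if __name__ == "__main__":
    report = assess_links(LINKS, SAMPLES)
    for name, row in report.items():
        print(name, row)
    print("impacted:", impacted_services(LINKS, report))
```

With the constructed counters, the public web link reports 100% utilization and is flagged, while the 1.5 Mbps business link sits at 20% and the VPN and ERP services are not listed as impacted. Had both service groups shared the saturated link, the same function would list all of them, which is the situation the article warns about.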
An efficient way to stop DDoS attacks is to talk to your local ISP. They can see where the attacks are originating (if the attack traffic is big enough) and redirect attack traffic away from the network. However, if the attacks are not originating from the ISP's own network, but from outside, there are problems. In that case, two ISPs have to co-operate and jointly locate the origin of the attack.
Finding the attacker is even more difficult when the attacks are coming from different countries or countries where DDoS attacks are not considered criminal activity.