By Jay Malin, Managing Director
A distributed denial of service attack (DDoS) may be the result of multiple devices maliciously coordinated to target a single system so that good requests for service go unfulfilled. The attack is oftentimes distributed by a single source to many unwitting participants whose devices, such as a mobile phone, generate enough traffic causing an unprotected target system to become overwhelmed by the flood of requests.
A client recently initiated a DDoS test attack on a critical piece of application infrastructure. Without securing the perimeter, the attack resulted in severe delays in serving customers and temporary service interruptions. While core applications may detect patterns that assist in securing the border, network firewalls and a communications session border controller (SBC) equipped with intrusion detection systems (IDS) identifies malicious traffic and/or throttle requests to avoid destruction and/or allow the system to serve certain requests.
What constitutes bad vs. good traffic? In Internet systems, it may be similar or known, bad or good IP sources, and the type of request. A flood of synchronization (SYN) requests ties up port capacity without closing the connection, thereby mitigating the available capacity to serve requests. These attack signatures can be detected by IDS on the most popular network firewalls. In the Internet communications space, the SBC performs session-based IDS by examining patterns and enforcing maximum throughput and capacity limitations. Moreover, within a session, the messaging traffic itself may be the source of the attack and can only be detected at the packet level at the firewall, or within the application itself. Unfortunately, by the time the application identifies the attack it may be too late – as such, it is critical that the attack pattern be quickly identified and thwarted by invoking perimeter detection. Another way to mitigate the impact of an attack is by requiring an additional layer of authentication within the session – namely asking the requestor to authenticate, such as “Please confirm you require services,” for which a unique response would permit the request to proceed.
There is no single answer to combatting cyber attacks, however, by carefully analyzing the possible sources, assessing vulnerabilities, and inventorying mitigation tools, organizations can begin to address the ways to mitigate, if not eliminate, the impact on their critical infrastructure.