The news over the past few weeks has been overrun with articles about DDoS (Distributed Denial of Service) attacks targeted at Sony, Microsoft, banks and other entities on the Internet. These attacks, although evolving in complexity, have been around since the Internet started. How are they being done? What can be done about them?
A DDoS attack is simply an attempt to flood a specific site or service with more traffic than it can handle. In today's Internet landscape this is done through three main methods. The first is using compromised systems, infected with malware or Trojans, that together form what is known as a botnet, to send traffic to the target system. The second is using compromised machines with large data connections to send traffic to the target system. The third is exploiting weak DNS servers on the Internet by spoofing requests so they appear to come from the target system; the servers then send their replies to the target, effectively turning them into attack systems as well.
Today's attacks are often a combination of all of these methods. With huge botnets literally available to rent, and attack tools freely available to download, anyone from a single semi-technical individual to a large group of "hackers" is able to initiate DDoS attacks. The higher-profile ones in the news recently, like the Sony and Microsoft attacks on Christmas, have been claimed by a group named "Lizard Squad" that is now renting access to the tool and botnet they used.
So what can be done about these attacks, you are probably asking? That answer is not a simple one. There are changes at the ISP and Internet host level that have been proposed for years: changes that could create "trusted" connections so non-trusted connections can be more easily identified and blocked when under attack; changes that ISPs could implement to block spoofed traffic, that is, traffic claiming to come from a connection they don't really host; and changes at the protocol level of TCP/IP. However, any of these changes, as we have seen with IPv6, would likely take a long time to penetrate the market.
Some action can be taken at the client level, however, mainly protecting your machines from becoming part of the botnet or compromised-system network these attackers are using. This is done by implementing robust, up-to-date anti-virus and anti-malware protection at the firewall level and/or the machine level. Currently Net Informant is utilizing systems from ESET and Malwarebytes to accomplish these goals on the machine level. Coupled with firewall edge security and a reduced, intelligently managed attack surface on the network, this removes the fuel these attacks rely on and also protects your own systems.
Although removing compromised systems from the equation will not stop this type of attack entirely, and the landscape of the Internet may need to change to resolve the issue, it will make a significant difference. We continue to assist clients at this level with protection of their machines and networks, and we keep apprised of all new developments that come to light in the defense against these DDoS attacks.