On 8 December 2010 a group of hackers launched DDoS (distributed denial of service) attacks against the Visa and PayPal web servers and also on a Swedish government website. The attacks were successful and the services offered by all these sites were severely disrupted – which raises the question: can the UK Government stop such an assault on one of its web services?

Well, the simple answer is ‘no’, or at least ‘probably not’. To understand why, we need to consider what a DDoS attack is and how it differs from a DoS (denial of service) attack; then we can consider how to mitigate it.

Computers are marvellous but they do have limitations. One such limitation is the maximum number of simultaneous connections, 65,535, that can be made to a Windows-based PC/server. This figure matters because it provides the basis for DoS attacks: if a hacker, or group of hackers, can sustain 65,535 concurrent sessions to a server then they will deny that service to anyone else.
Generally speaking there are two types of DoS attack: ones that are intended to crash the system (such as the ‘ping of death’) and ones that are intended to flood the system with requests for resources (bandwidth, processor time, disk space etc.).

You can configure routers not to respond to ping requests or broadcasts, or not to forward packets directed to broadcast addresses. Additionally, modern IP filtering appliances are now smart enough to mitigate these threats by dropping any ping that is greater than 84 bytes (for example) and by only allowing a limited number of simultaneous connections from any single IP address.

The second of these solutions is effective against DoS flood attacks if the limit is set low, say five or six. With such a limit in place, generating sufficient resource requests from individual PCs would require a very high number of hackers – more than could be organised into one group – meaning DoS hackers had to find an alternative.

DDoS allows hackers to bypass this restriction. In a DDoS attack the hackers are not sending the DoS traffic from their own PCs. Instead they use a network of PCs (known as a botnet), on each of which they have placed a ‘zombie agent’, to fire off the attack.

One hacker could be in control of several thousand zombie agents, each opening five or six connections to a web server without the PC owner being aware of it. A small group of hackers, acting in concert, could easily deny access to any legitimate user or crash a system.
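To make the arithmetic of the last few paragraphs concrete, here is a small model of the per-source-IP connection cap described above and of why a botnet defeats it. This is an added illustration, not code from the article or from Idappcom: the `ConnectionTable` class, its capacity and limit values (the article’s 65,535 sessions and a cap of six per IP), and the 10.x.x.x and TEST-NET addresses are all constructed for the example. It generalises the article’s point by also computing how many zombie agents are needed to fill a server of any given capacity under any per-IP limit.

```python
"""Model of a per-source-IP connection limit and its bypass by a botnet.

Added example (not the article's code). Capacity and per-IP limit are the
figures quoted in the article; all IP addresses below are constructed.
"""
from collections import Counter
from math import ceil

SERVER_CAPACITY = 65_535   # maximum simultaneous sessions quoted in the article
PER_IP_LIMIT = 6           # "say five or six" concurrent sessions per source IP


class ConnectionTable:
    """Tracks open sessions per source IP, as a filtering appliance would."""

    def __init__(self, capacity=SERVER_CAPACITY, per_ip_limit=PER_IP_LIMIT):
        self.capacity = capacity
        self.per_ip_limit = per_ip_limit
        self.active = Counter()   # source IP -> number of open sessions
        self.total = 0
        self.dropped_per_ip = 0   # refused because the source hit its cap
        self.dropped_full = 0     # refused because the server was full

    def open(self, src_ip):
        """Return True if a new session from src_ip is accepted, else False."""
        if self.active[src_ip] >= self.per_ip_limit:
            self.dropped_per_ip += 1
            return False
        if self.total >= self.capacity:
            self.dropped_full += 1
            return False
        self.active[src_ip] += 1
        self.total += 1
        return True

    def close(self, src_ip):
        """Release one session held by src_ip, if any."""
        if self.active[src_ip] > 0:
            self.active[src_ip] -= 1
            self.total -= 1
        if self.active[src_ip] == 0:
            del self.active[src_ip]


def flood(table, sources, sessions_per_source):
    """Attempt sessions_per_source sessions from each source; return how many stuck."""
    accepted = 0
    for ip in sources:
        for _ in range(sessions_per_source):
            if table.open(ip):
                accepted += 1
    return accepted


def zombies_needed(capacity=SERVER_CAPACITY, per_ip_limit=PER_IP_LIMIT):
    """Smallest number of distinct sources that can fill the server under the cap."""
    return ceil(capacity / per_ip_limit)


def single_source_dos(attempts=10_000):
    """One attacking IP: the per-IP cap holds and a legitimate user still gets in."""
    table = ConnectionTable()
    accepted = flood(table, ["203.0.113.7"], attempts)       # constructed TEST-NET-3 address
    legit_ok = table.open("198.51.100.20")                   # constructed TEST-NET-2 address
    return accepted, legit_ok, table.dropped_per_ip


def botnet_ddos(zombies=13_107, sessions=5):
    """Many zombie IPs, each under the cap: the server fills and the legit user is refused."""
    table = ConnectionTable()
    # constructed private addresses, one per zombie agent
    sources = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(zombies))
    accepted = flood(table, sources, sessions)
    legit_ok = table.open("198.51.100.20")
    return accepted, legit_ok, table.dropped_full


if __name__ == "__main__":
    print("single source:", single_source_dos())
    print("botnet:", botnet_ddos())
    print("zombies needed at a cap of", PER_IP_LIMIT, "=", zombies_needed())
```

The single-source run shows the filter working as the article describes: only six sessions survive and the legitimate user connects. The botnet run uses 13,107 zombies at five sessions each, which is exactly 65,535 accepted sessions, so the legitimate user is refused even though no individual source ever exceeded the cap. The same table can be reused with a lower `capacity` to see how much smaller a botnet needs to be against a less generous server.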

Current IP filtering technology can’t prevent these types of attacks, so can you do anything? Well, yes, you could:

  • Catch all the hackers and lock them up.
    This is just not going to happen, and what about those sponsored by nation states?
  • Legislate to ensure all PC operating systems/applications are completely secure against all infiltration of malware.
    A nice idea but really impracticable. Even if you could do this you can’t stop the fool who opens an unsolicited email and double-clicks on the attachment with no idea of what it will do (it installs a Trojan, of course).
  • Install your web-service application on a large number of independent servers based around the world.
    Each one could still be attacked but the chances of them all going down is slim.
  • Install your web service application on a large number of independent servers in one location and then front-end this with an array of load-balancing equipment.
    This might be cost-prohibitive but if the service you provide is really important, say for instance the self-assessment tax system in the UK, then how much is it worth to the nation for this not to be the subject of a successful attack?

DDoS attacks happen and governments are not immune. There is no foolproof method of preventing one at present; however, for mission-critical web services you need to do something – sitting on your hands waiting for an attack is not an option.

Idappcom is exhibiting at Infosecurity Europe 2011, the show for information security professionals that’s held 19-21 April at Earls Court, London. For further information visit the website.