
DDoS: don’t get stuck in denial

Paul King, Chief Security Architect, Cisco Systems

While moving business processes online brings many advantages to companies, such as widening customer reach and reducing overheads, the emergence of organised crime in the online world means that business needs to be sharper than ever when it comes to security.

While viruses and worms usually steal the headlines, distributed denial-of-service (DDoS) attacks are a growing form of cyber-crime about which no company can say ‘they wouldn’t target us’. While the first well-documented attacks were against gambling sites and online payment systems, no company should consider itself immune, especially since any organisation will undoubtedly share its Internet Service Provider (ISP) with other businesses that rely on e-commerce and might be more desirable targets to criminals looking for extortion money.

So what is a DDoS attack? The aim of a DDoS attack is to paralyse online systems. Using a ‘trojan’, the attacker is able to recruit unprotected hosts and build a network of compromised machines - often referred to as ‘zombies’ or ‘botnets’ - which can then be used to flood the victim’s website with requests for information. This continuous and tremendous stream of data requests overwhelms the victim’s site, ensuring it cannot provide any services. The amount of data being sent to the victim will not only overload the victim’s site, but will also overload the ISP’s connections to the victim and the whole data centre. For this reason the protection mechanisms need to be implemented in the ISP’s network and not in the data centre. By the time the traffic hits the data centre it is too late.

Hundreds or thousands of infected computers are needed to make a DDoS attack a success, but the process of compromising a host is automated. A large number of computers - usually 100,000 or more - are scanned for vulnerabilities, and the process only takes a few seconds per computer, which means an attack can be planned and executed in a matter of a few hours.

Today, DDoS attacks are usually defended against with mechanisms such as blackholing, router filtering, firewalls or IDS. Although these tools possess crucial security features, they do not offer sufficient protection against the increasingly sophisticated attacks being carried out.

Effective DDoS defence means not simply detecting an attack, but also mitigating it. Moreover, all-round protection includes not only realising that an attack is occurring, but also having a mechanism in place that is able to distinguish between good traffic and malicious attack traffic. Complete DDoS protection must extend upstream to protect the access link running from the service provider to the edge router at the fringe of the enterprise. On top of that, and important for any business, is a security mechanism that maintains reliable and cost-effective scalability.

The good news is that advanced technology to deal with DDoS attacks does exist. Special guard and detection systems are now available that instantly detect the attack on the target host, then divert the traffic to a separate location, where malicious packets are filtered out and the legitimate traffic is redirected to the target. At the same time, the non-targeted data traffic of other companies in the same data centre runs freely to the host.

By offering effective defence against DDoS attacks to their customers, enlightened ISPs are able to differentiate themselves from their competitors by putting forward a value-added service. Energis and Pipex, two ISPs that are already offering complete DDoS protection to their customers, have had great success in preventing attacks by constantly monitoring the data flow across networks and diverting illegitimate packets intended for the target sites.

And while you may think that your organisation doesn’t have to demand this kind of protection from your ISP, remember that more attractive DDoS targets, such as gambling or e-commerce sites, share the same ISP as your organisation - and when they are attacked, your organisation will be affected if the appropriate defences are not in place.

It’s time to check what DDoS protection your ISP offers. Don’t be stuck in denial.

Author: Paul King
Position: Chief security architect

url: www.cisco.com



 

 
