Web Technologies: Can the Government Prevent a DDoS Attack?
DDoS attacks are a part of life in the world of the Web. You’ll never be totally immune, but there are steps you can take to mitigate any threats.
On Dec. 8, 2010, a group of hackers launched Distributed Denial of Service (DDoS) attacks against the Visa and PayPal Web servers. Another incident occurred at approximately the same time, during which hackers hit the official Web site of the Swedish government. These attacks were largely successful. All services offered by these sites were severely disrupted.
If major corporations like Visa that operate on a global level can’t prevent these attacks, can governments and government agencies stop such attacks on their Web servers? The simple answer is “no”—or, perhaps, “probably not.”
To understand why these types of attacks are so difficult to defend against, consider precisely what a DDoS attack is and how it differs from a Denial of Service (DoS) attack. Then you can consider the steps you’ll need to take to prepare and insulate your infrastructure against such attacks.
Flood of Connections
One limitation computers share is a maximum number of simultaneous connections. At any one time, there can be no more than 65,535 connections made to a Windows-based PC or server. This is an interesting limitation, and one that takes on special significance, as it provides the basis for a standard DoS attack.
If a hacker, or group of hackers, can sustain 65,535 concurrent sessions to a server, they’ll effectively deny that service to anyone else. No one else will be able to connect until some of those connections are dropped. Once a Web server attains that threshold, it can sustain no more connections—hence the denial of service.
Generally speaking, there are two types of DoS attacks. Some are intended to crash the system (such as the “ping of death”). Others are intended to flood the system with requests for resources (bandwidth, processor time, disk space and so on). Both are potentially devastating in their own way.
You can configure your routers to not respond to ping requests or broadcasts and to not forward packets directed to broadcast addresses. Modern IP-filtering appliances are now smart enough to mitigate these threats by dropping any ping larger than a set size. They can also be set to allow only a limited number of simultaneous connections from any single IP address.
Limiting the number of simultaneous connections is effective against DoS flood attacks if the limit is set low—something like five or six connections, for example. Generating enough resource requests under such a limit would require a very high number of hackers—more than could be organized into one group. Because of this, DoS hackers have had to find an alternative.
DDoS attacks let hackers get around this restriction. In a DDoS attack, the hackers aren’t sending the attack from their own PC. Instead, they use a network of PCs upon which they’ve managed to place a “zombie agent.” This network of compromised PCs (known as a botnet) lets them fire off the DDoS attack. One hacker could be in control of several thousand “zombie agents,” each opening five or six connections to a Web server without the PC owner even being aware that it’s happening.
A small group of hackers, acting in concert, could easily deny access for any legitimate user or crash an entire system. Current IP-filtering technology can’t prevent these types of attacks, so is there anything we can do?
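To make the preceding argument concrete, here is an added example (not code from the article or from Idappcom) that models the per-source connection cap described above and shows why a botnet whose hosts each stay under that cap still fills the server’s connection table; the class and function names and the 10.x.y.z source addresses are constructed for illustration.

```python
# Added example: per-IP and server-wide connection caps, and why many
# low-volume sources (a botnet) defeat per-IP limiting. Sample IPs constructed.
from collections import Counter
from math import ceil

SERVER_MAX = 65_535   # simultaneous-connection ceiling quoted in the article
PER_IP_MAX = 5        # the "five or six" per-source limit the article suggests


class ConnectionTable:
    """Tracks active connections and enforces a per-IP and a server-wide cap."""

    def __init__(self, per_ip_max=PER_IP_MAX, server_max=SERVER_MAX):
        self.per_ip_max = per_ip_max
        self.server_max = server_max
        self.active = Counter()   # source IP -> open connections
        self.count = 0            # running total, avoids re-summing the Counter

    def admit(self, src_ip):
        """Return 'ok', 'per_ip_limit' or 'server_full' for a new connection."""
        if self.active[src_ip] >= self.per_ip_max:
            return "per_ip_limit"   # a single-host flood is stopped here
        if self.count >= self.server_max:
            return "server_full"    # the denial of service the article describes
        self.active[src_ip] += 1
        self.count += 1
        return "ok"


def hosts_needed_to_exhaust(per_ip_max=PER_IP_MAX, server_max=SERVER_MAX):
    """Smallest botnet that fills the table with every host under the cap."""
    return ceil(server_max / per_ip_max)


def simulate(table, n_hosts, attempts_per_host):
    """Each constructed host (10.x.y.z) tries attempts_per_host connections."""
    outcomes = Counter()
    for i in range(n_hosts):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        for _ in range(attempts_per_host):
            outcomes[table.admit(ip)] += 1
    return outcomes


def occupancy_report(table):
    """Defender view: (fraction of table in use, distinct sources, busiest
    source). A full table where no source exceeds the cap is the DDoS signature."""
    busiest = max(table.active.values(), default=0)
    return table.count / table.server_max, len(table.active), busiest
```

Running `simulate(ConnectionTable(), 1, 100)` shows the per-IP cap stopping a single host after five connections, while `simulate(ConnectionTable(), 14000, 5)` fills all 65,535 slots with no source ever over the cap, after which a legitimate client’s `admit` call returns `server_full`.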
There are mitigating steps (along with reasons why they won’t likely work):
- Legislate to ensure that all PC OSes and applications are completely secure against all malware infiltration. This is a nice idea, but a bit impractical. Even if you could do this, you couldn’t stop the fool who opens an unsolicited e-mail, double-clicks on the attachment and inadvertently installs a Trojan.
- Install your Web service application on a large number of independent servers based in different parts of the world. Each one could still be attacked, but the chances of them all going down are slim.
- Install your Web service application on a large number of independent servers in one location. Front-end this with an array of load-balancing equipment. This might be cost-prohibitive, but if the service you’re providing is essential, then how much is it worth to the hosting organization to avoid becoming the subject of a successful attack?
DDoS attacks happen. Even governments aren’t immune. In the summer of 2010, the Irish Central Applications Office server was hit by a DDoS attack. In 2009, during the Iranian elections, the official Web site of the Iranian government was attacked and made inaccessible. In 2001, the Irish Government’s Department of Finance server was hit by a DDoS attack.
There’s no foolproof method to prevent a DDoS attack at present. However, for mission-critical Web services, you need to do something—and sitting on your hands waiting for an attack is not an option. You just have to decide what the best strategy is to protect your organization.
*Will Hogan is the vice president of sales and marketing for Idappcom Ltd., developers of Traffic IQ Professional.*