What Are DoS Attacks?
A Denial of Service attack, or DoS attack (not to be confused with a DDoS attack), is the process by which bogus requests are sent across a network from a single attack point to one or more target (destination) servers in order to overwhelm them. Because the server is overwhelmed with bogus requests, genuine requests are not served, and thus a denial of service is experienced.
A real world example (sort of) would be…
Suppose you are able to clone yourself. Now you make 100,000 clones and start calling 411 (Directory Assistance):
Clone: [Calls Directory Assistance]
Operator: “Hello, Directory Assistance, what city please?”
Clone: [You say nothing]
Operator: “Hello?”
Clone: [You still say nothing!]
Operator: [She hangs up after 5 seconds into your call]
Now imagine that this Directory Assistance Center only has about 25 operators. Can you picture 100,000 callers (your clones) calling up Directory Assistance, keeping each line busy for 5 seconds and then hanging up?
Now a “genuine” user, let’s call her “Mary Jane”, needs the number of a garage. She calls Directory Assistance and finds it constantly busy. As she is a real person, she dials and dials and dials, but after 20 tries she simply gives up in frustration!
The same scenario applies to, say, George, Alice, Mike, Bertha, etc. All these users will keep on trying and eventually give up. The problem? Very simply, the 100,000 clones dialing Directory Assistance have made it impossible for others to get through. It’s simply mathematics: because of their sheer number, the clones have a far higher chance of getting through than an average user has.
You (as a genuine caller) have just experienced denial of service. The denial of service attack was directed at the Directory Assistance.
In the computing world…this can happen as follows:
Let’s say you are the owner of an online web store and you sell iPods. You spend a lot of money on SEO (Search Engine Optimization) and on online advertising with Google, Yahoo! and the like.
You have a few competitors but nothing so serious. However, there is essentially “one” company that you would not only call a competitor but a threat (and they happen to have an online web store too – just like you).
Now let’s alter the scenario a little bit… Sales are hurting because your so-called competitor (read: threat) is taking chunks of your business away with their sleek marketing and advertising campaigns, etc. They are always beating your price by 1.0%, offering free shipping, and let’s face it – they have more muscle because of their sales volume and you don’t.
You are simply jealous. Plain and simple! You wish they were dead!
Now, let’s put on our ‘evil’ cap! Good! Now we are evil.
You decide to write a program on your machine that will open an HTTP request to a certain domain name and then that’s it. The program simply keeps on opening an HTTP request and then forgets it. The program you write is able to open say 1,000 requests per second.
Your target? – your competitors website.
Your competitor is hosted on say a 10Mbps line with some carrier/data center.
You send in your request number 1 – your competitor’s server acknowledges the HTTP request and says “Hi – Come on in!” (in computing terms) and waits for say 300 seconds (keeping the door open for you to come on in). After 300 seconds – the door is closed.
After the first second…(with 1000 requests per second throughput rate)
Your competitor’s server now has 1000 HTTP requests (or better known as Sessions) OPEN – for the next 299 seconds.
At the 2nd second – 2,000 Sessions are open for 298 seconds (approximately).
Six seconds later – 6,000 Sessions are open for 297 seconds (approximately).
Ten seconds later – your competitor’s server dies!
Mission accomplished!
How you say? Well – very simply, your competitor’s server is a physical machine with limited RAM and limited bandwidth, etc.
For every HTTP (web) request, the server allots a bit of memory to the session, and the CPU and hard disk do some work for it as well. With so many sessions coming in, RAM runs out of space, the CPU and other computing resources cannot keep up with the incoming requests, and the server crashes or denies any further requests from coming in. Not to mention the bandwidth itself.
All this is automated. All requests are coming in from a “single” source – you!
So what do you achieve? – How about sales!!! How you ask? (I see you’re very skeptical).
Well – very simply, potential buyers are going to your competitors’ website and can’t seem to load it (or open it). Remember Mary Jane above and her trying to call in Directory Assistance! Well these potential buyers are real people too. They will give it a few seconds, try 2-3 times and if the website still doesn’t open up – they will say ‘dammit’ and move on to the next one – which hopefully would be yours!
What you just did was give your competitor a Denial of Service Attack and profit from it.
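To make the arithmetic above concrete from the defender’s side, here is an added example (not code from the original article, and not an attack tool) that models a server’s session table. It assumes a hypothetical box that can hold 5,000 sessions and keeps each idle session for the 300 seconds described above; the IP addresses are constructed documentation addresses. It first replays the 1,000-requests-per-second scenario unprotected, then with two ordinary server-side knobs, a shorter idle timeout and a per-source cap on concurrent sessions, so you can see why a single-source flood is survivable at the server while the distributed version described later is not:

```python
"""Added example: session-exhaustion arithmetic and two server-side knobs.
Not from the original article; all numbers and addresses are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def steady_state_sessions(requests_per_second: int, idle_timeout: int) -> int:
    """Sessions one source keeps pinned at steady state if nothing limits it:
    arrival rate x hold time (the article's 1,000/s x 300 s = 300,000)."""
    return requests_per_second * idle_timeout


@dataclass
class ConnectionTable:
    """A server's session table: each accepted session is kept until it
    times out; the table has a hard capacity (RAM / file descriptors)."""
    max_sessions: int
    idle_timeout: int                       # seconds an idle session is kept
    per_source_limit: Optional[int] = None  # cap on concurrent sessions per source IP
    sessions: List[Tuple[str, int]] = field(default_factory=list)  # (src, expiry)
    rejected: int = 0

    def _expire(self, now: int) -> None:
        self.sessions = [s for s in self.sessions if s[1] > now]

    def open(self, src: str, now: int) -> bool:
        """Try to open a session from src at time now; True if accepted."""
        self._expire(now)
        if self.per_source_limit is not None:
            if sum(1 for s in self.sessions if s[0] == src) >= self.per_source_limit:
                self.rejected += 1        # this source already holds its share
                return False
        if len(self.sessions) >= self.max_sessions:
            self.rejected += 1            # table full: genuine users suffer here
            return False
        self.sessions.append((src, now + self.idle_timeout))
        return True

    def live(self) -> int:
        return len(self.sessions)


def simulate(table: ConnectionTable, seconds: int, bogus_rate: int,
             bogus_src: str = "203.0.113.7",
             legit_srcs: Tuple[str, ...] = ("198.51.100.1", "198.51.100.2")) -> dict:
    """Each second: bogus_rate sessions arrive from bogus_src and sit idle
    (they never send a request), and each genuine source opens one session."""
    legit_ok = legit_total = 0
    for now in range(seconds):
        for _ in range(bogus_rate):
            table.open(bogus_src, now)
        for src in legit_srcs:
            legit_total += 1
            if table.open(src, now):
                legit_ok += 1
    return {"open": table.live(), "rejected": table.rejected,
            "legit_ok": legit_ok, "legit_total": legit_total}


if __name__ == "__main__":
    print("steady state from one source:", steady_state_sessions(1000, 300))
    unprotected = ConnectionTable(max_sessions=5000, idle_timeout=300)
    print("unprotected:", simulate(unprotected, seconds=10, bogus_rate=1000))
    hardened = ConnectionTable(max_sessions=5000, idle_timeout=30, per_source_limit=50)
    print("hardened:   ", simulate(hardened, seconds=10, bogus_rate=1000))
```

In the unprotected run the table fills during the fifth second and every genuine user from then on is turned away; with the per-source cap, the single bogus source never holds more than 50 slots and all genuine requests are served. Two caveats the rest of the article spells out: the cap does nothing about the bandwidth the flood still consumes on your pipe, and it does not help when the same load arrives from thousands of sources each staying under the cap, which is exactly what makes DDoS the harder problem.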
Whilst the above examples were made up for illustration, it makes more sense to also read up on other examples from around the web:
Here are some interesting reads. I have personally read them and they will help you in understanding DoS attacks. You have no idea how much clarity I got with regards to DoS attacks, by simply going through the resources mentioned below.
What are DDoS Attacks?
If a DoS attack is the school bully, a DDoS attack is a Mafioso gang!!!
Distributed Denial of Service (DDoS) attacks are pretty much the same thing as Denial of Service (DoS) attacks, except that more than one attacking computer is used, hence the word distributed. In a DoS attack, the source IP that is attacking you is ‘singular’ (one). In a DDoS attack there are many, many source IPs.
Most of these “attacking” computers are usually compromised systems and the owners have usually no idea that their machines are being used for an attack.
Reflective DoS Attacks are also classified as Distributed Denial of Service Attacks.
Another way of saying it is that DDoS attacks are more punishing than DoS attacks as they come in from multiple sources, hundreds if not thousands of sources.
Hackers and exploiters today use both simple and complex mechanisms for hijacking computers with spyware, adware and malicious applications, so that they essentially control the compromised computer.
Such computers are used, without the owner’s knowledge, to send out massive amounts of spam, to compromise other hosts (computers) by running cracking/exploit tools, to be part of a larger group that is attacking, or to serve as proxy machines for botnet operators, i.e. your machine becomes a Zombie.
DDoS attacks can be crippling in nature. They can flood even the largest of bandwidth pipes, and bring down or at least slow down Tier 1 carriers. For the end-user (recipient) of the DDoS attack it is simply too painful to describe. You are almost helpless. I stress the word almost. There is hope after all, but more on that later.
A DDoS operator with a single command can wreak havoc at the end user by inundating them with:
- Too many packets, so as to bring the router down (overloading the router’s packets-per-second handling capacity)
- Too many sessions
- A flood of the end-user’s bandwidth (and in most cases that of the company they connect to)
It is not always the case that the end-user is the only victim. DDoS attacks have many direct and indirect victims. The computers used in the attack are victims too: their owners suffer slowdowns and, as the origin of the attack, face legal issues and bandwidth bills; routes get choked; and the data-center or upstream provider of the end-user has to work feverishly to stop the attack, because its spill-over effect is starting to affect other users on the network.
DDoS attacks (as opposed to DoS) are more prominent and troublesome for network operators, carriers, datacenters and end users. With more and more reliance on computers, and literally thousands of new machines joining the Internet every day – which translates to thousands of new users who are not computer savvy (let alone security savvy) – the problem keeps growing.
With the recent proliferation of broadband, the attack source pipes are getting fatter and fatter, with the ability to pump out more malicious traffic than ever before. But perhaps the largest problem with respect to DDoS is that, as more and more people use the web for surfing, spyware and adware pose a very serious threat in terms of botnet colonization. To top it all, a large majority of users have unpatched systems (read: vulnerable), no firewall and no antivirus installed. As the famous saying goes in Star Trek – “Resistance is futile, you will be assimilated”. Let’s just hope this is not the case.
What are the Different Types of DoS/DDoS Attacks?
Denial of Service attacks are like Baskin-Robbins. They come in many flavors.
They are getting more complex as the days go by, and sometimes the classification of the different types of attacks is a matter of opinion. One vendor may classify only 5 types, whilst another classifies 10. It really is a matter of interpretation as far as vendors go (not to mention marketing as well). No matter what the opinion or nomenclature may be, the one consensus we all agree on is that the problem is real and getting bigger.
Attacks are generally based on ICMP (Internet Control Message Protocol) Floods, Smurf Attacks (which are also ICMP floods, but use the broadcast address), UDP (User Datagram Protocol) Floods, TCP (Transmission Control Protocol) Floods, TCP SYN Floods, Spoofing (falsifying the source IP address and attacking), Ping of Death (pretty much outdated now), Application Attacks (attacking a vulnerability in an application), Teardrop (IP fragmentation, again pretty much outdated now), Fraggle Attacks (similar in nature to a Smurf Attack, except using UDP as opposed to TCP) and many more. The more recent ones are Reflected Attacks and DNS Amplification Attacks [Read Article 1 - Article 2].
In any case, the main thing to learn about DoS/DDoS attacks is that the goal is to overwhelm the network and the server resources, denying genuine users access to a particular service (or services).
For example, someone can mount a DDoS attack on a DNS server, making it impossible for other DNS servers to collect information from it, or for visitors to be directed to the correct IP address where the information they seek is hosted.
DoS/DDoS attacks are typically done on Port 80 (the HTTP service) as that is perhaps the most common of all services. However, this does not mean that the SMTP or POP ports are exempt, or that you will never experience a DDoS attack on Port 443 (the HTTPS service). It really depends on three things:
- What the attacker wants to do (teach you a lesson? make you pay? bring your network to its knees?, etc.)
- What sort of services the attacker can attack
- How your security gear (if present at all) will handle all this (will it succumb to the attack pressure? will it 100% mitigate it? will it provoke the attacker into increasing the size of the attack?)
With so many attack tools under development, being written by the hacker community and novices alike, almost every conceivable service can now be attacked.
Why Do People Experience DoS/DDoS Attacks?
“To expect the world to treat you fairly, because you’re a good person, is somewhat like asking a bull not to attack you, because you’re a vegetarian!”
- Quote from the Reader’s Digest -
Why do people find graffiti on their walls? Why do car owners get car-jacked? Why are people robbed of their mobile phones? Why do laptops get stolen? Why do people get beaten up for just staring at someone?
It’s all part of our complex life. The “dark” side, if you will. In real-life society we have crime – it’s something we learn to live with and accept.
- It’s not necessary that every car that is stolen or jacked is “sold”. Most car thefts are done by teenagers simply for joy rides. The idea here is:
  - that they can indeed steal the car – i.e. it’s doable, and
  - the pure thrill of driving it. Once that is done, it’s over; the car is parked somewhere and hopefully recovered. Whether or not any damage is done to the car is another debate. But the motive here was not economics but personal driving pleasure. Plausible scenario – because it’s doable!
- Some cars are stolen simply as a hate crime. A person may be hated enough by someone that his/her car gets stolen, just to exact revenge, deliver punishment or make a personal statement, or to cause economic loss or degradation. Plausible scenario for attacks – personal motive.
- Then the third type of criminal is the one who does it purely for economic gain. Cars are stolen, dismantled/stripped and the parts are sold off. The intent here is not a joy ride or exacting revenge, it’s simply Dollars ($).
The online world too has laws and criminals who break them. However, there is a difference. In the online world you can easily reach across countries and borders without any effort. There is inherently no distinction between an IP address in Pakistan and an IP address in the US; both look the same to the attacker. Laws are different for each country. Some countries don’t have cyber-laws, some do. Prosecution is not as easy as it sounds. Extradition is also a major problem. Some countries simply do not give priority to cyber crime – whether the complaint comes from a country that has cyber laws or not.
How do you go about convicting a person who is the owner of the source IP of the attack, but is a residential DSL user and oblivious to the ‘technology’ associated with computers? Before you answer – it’s not that easy. You’re talking about thousands of such ‘simultaneous’ cases to be drawn into a single case!
Who wins? The hackers/attackers do! They take advantage of their geographical position. Eastern Europe for example was notorious for harboring hackers who simply could not be prosecuted due to the weak cyber laws and lack of implementation of these laws.
Who pays for the lost productivity, connectivity, excess bandwidth, frivolous lawsuits, tech time lost in mitigation, etc.?
Hackers/attackers too mimic the real-world scenario. There are script-kiddies who are essentially kids running harmful scripts to cause attacks/damage. Your real-world equivalent of joy-riders!
Then comes the vengeful hacker/attacker, who could be a script-kiddie but attacks purely for vengeance.
Last, but not least, there is the professional hacker, whose only goal is to make money via extortion. It’s plain and simple – “Pay me $ X or I will attack your network and paralyze your site access”.
Hackers attack because they can do so with the minimum of effort. It’s not like they need physical strength, or the endurance/stamina to outrun a long police chase. No. They simply need to compromise a system and make it the source for attacks. They will attack just to show it can be done, literally just for kicks on a Friday night. They will attack you for humiliating them in an email or a public forum, or if they found something not-so-nice on your website or blog; they will attack you simply for being of a different race, color, religion, country, etc. They will attack you for money, for the success you may have online with your store; they will attack you for a myriad of reasons. They may even attack you for no apparent reason.
The most unnerving fact about this entire DoS/DDoS scenario is that sooner or later you will become part of the attack statistic.
How Do DoS/DDoS Attacks Work?
Depending on the type of attack that the victim network is experiencing – each DoS (or DDoS) attack can be different.
It would be almost impossible to explain in a single paper how all the different types of attacks actually work, so I’ve included a list of external links that one can read up on.
To understand graphically how DoS/DDoS attacks occur, here is a video (Size: 3.760 MB) that I downloaded from the website of Captus Networks a few years ago. It shows (in a crude sense) the DoS/DDoS filtering effect that takes place when such mitigation devices are in place. You will need Microsoft’s Media Player to view it. Captus Networks, by the way, is no longer in business.
I also happened to have this old Flash visual of what DoS/DDoS attacks are (Total size: 565kb) from Mazu Network’s website.
Here are some links and papers that do an excellent job of explaining how DoS/DDoS attacks occur (all the links below are to external Websites):
- How a “denial of service” attack works (A very simple article)
- Computer Crime Research Center’s Network Security: DoS vs DDoS Attacks
There are plenty of websites that describe how DoS/DDoS attacks work. The above reading should suffice as a basic explanation of how DoS/DDoS works. There are, however, many papers and presentations by quite a few people/companies analysing DoS/DDoS. Please see the reference section for more information.
Can DoS/DDoS Attacks Be Stopped?
The answer is Yes (and No).
If you are asking whether the source of these attacks can be stopped – that is very difficult. It involves a lot of technical expertise, resources, man-hours, etc. Theoretically it can be stopped, but from the looks of it, it does not seem very probable. So “No” is the correct answer if you’re asking whether the source of DDoS attacks can be stopped. Do note that in some instances it is possible to stop the source of a DoS (not DDoS) attack.
“No” would also be applicable to a massive virus/worm outbreak that does a denial of service attack on a particular website. For example the Yaha Worm or the most recent case for SCO’s worm attack.
Can the destination IP Address that is being attacked be stopped? The arrival of the attack traffic (packets) itself cannot unilaterally be stopped. But you can mitigate (lessen, diminish, tone down) the attack traffic (packets) so as not to affect your network and computing resources, i.e. the attack traffic / packets will not harm your network and server resources which you are trying to protect. In short – you can filter traffic.
Needless to say – there is a limitation as to the “size” of protection you can offer. We will discuss more of this later.
But to anyone who’s frustrated by the above answer – another simplistic way of answering the question is – Yes! There is help. There are ways to stop DoS/DDoS attacks and from it affecting your website/network!
Recent progress has been made at the carrier level – in data-centers and in the fundamental technology itself – for early detection of DDoS attacks and for thwarting (i.e. mitigating) them at the ingress side.
Most carriers today employ sophisticated equipment that can detect abnormal traffic behaviors and thwart these. The most famous one that comes to mind is Arbor Networks.
What sets Arbor Networks apart from virtually everyone else is their famous Fingerprint Sharing Alliance – a worldwide community of Tier 1 and Tier 2 carriers who use Arbor equipment to talk to one another to thwart DDoS attacks. Do read up on the Fingerprint Sharing Alliance – it’s worth it.
Today, service providers are constantly learning about their network traffic – understanding what is ‘normal’ to the network and what is ‘abnormal’… a process known as NBA – or Network Behavior Analysis.
By having a baseline statistical model of their traffic, any traffic spike is categorized as abnormal and alerts are issued. Service providers then check the reason for the spike – it could be a genuine traffic spike (new Microsoft Service Packs being downloaded), etc. – and depending on the identification of the traffic, specially crafted ACLs (Access Control Lists) are applied at the peering edge to thwart such attacks.
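Here is an added example (not from the original article and not any vendor’s product code) of the baselining idea behind NBA: it builds a per-hour-of-day model of packets-per-second from a week of constructed flow samples, then scores new observations against the hour they occur in. The diurnal pattern, the noise, the z-score threshold and the 1 pps standard-deviation floor are all this example’s assumptions; the point it adds to the paragraph is that the same traffic level can be normal at 2 pm and an alert at 3 am, and that the alert is a hand-off to an operator, not a verdict.

```python
"""Added example: hour-of-day traffic baseline and anomaly scoring (NBA).
Not from the original article; sample data is constructed."""
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Baseline = Dict[int, Tuple[float, float]]   # hour -> (mean pps, stdev pps)


def constructed_week() -> List[Tuple[int, int]]:
    """Seven days of hourly packets-per-second samples with a business-hours
    bump and small deterministic noise. Constructed for the demo."""
    samples = []
    for day in range(7):
        for hour in range(24):
            level = 800 + (600 if 9 <= hour < 18 else 0)
            noise = (day * 7 + hour * 3) % 50 - 25
            samples.append((hour, level + noise))
    return samples


def build_baseline(samples: Iterable[Tuple[int, int]]) -> Baseline:
    """Group samples by hour of day and keep (mean, stdev) per hour, so the
    model knows what 'normal' looks like at that time of day."""
    by_hour = defaultdict(list)
    for hour, pps in samples:
        by_hour[hour].append(pps)
    return {h: (statistics.mean(v), statistics.stdev(v)) for h, v in by_hour.items()}


def z_score(baseline: Baseline, hour: int, pps: float) -> float:
    """How many standard deviations an observation sits above/below its hour's mean.
    The stdev is floored at 1 pps so a perfectly flat baseline cannot produce
    huge scores from tiny jitter (an assumption of this example)."""
    mean, stdev = baseline[hour]
    return (pps - mean) / max(stdev, 1.0)


def is_anomalous(baseline: Baseline, hour: int, pps: float, k: float = 3.0) -> bool:
    """Flag only upward deviations: a DDoS shows up as excess traffic, and a
    drop below baseline is a different class of problem (outage, blackholing)."""
    return z_score(baseline, hour, pps) > k


def detect(baseline: Baseline, observations: Iterable[Tuple[int, float]],
           k: float = 3.0) -> List[Tuple[int, float, float]]:
    """Return the (hour, pps, z) triples that should be handed to an operator
    to decide between a genuine spike and an attack."""
    return [(h, p, round(z_score(baseline, h, p), 1))
            for h, p in observations if is_anomalous(baseline, h, p, k)]


if __name__ == "__main__":
    model = build_baseline(constructed_week())
    # 1,400 pps is ordinary at 14:00 but roughly 40 sigma above the 03:00 norm
    for hour, pps in [(14, 1400), (3, 1400), (14, 60000)]:
        print(hour, pps, round(z_score(model, hour, pps), 1), is_anomalous(model, hour, pps))
```

A real deployment keys the baseline on more than the hour (destination prefix, protocol, port, day of week) and uses a longer history, but the decision path is the same: the model only says “this is not what this hour usually looks like”; whether the answer is a Service Pack release or an attack, and whether an ACL goes on the peering edge, is still a human call.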
For entertainment purposes: I would urge you to read this genuine article regarding the “Attack of the Bots” in Wired Magazine. It is informative and gives you some sense of the magnitude of destruction DDoS attacks cause. Here is another article, also in Wired Magazine – “Hackers Take Down the Most Wired Country in Europe” (Wikipedia: Estonia)
Another resource I really enjoy reading (partially because our company is an Arbor Reseller for Pakistan) is Arbor’s ASERT (Arbor Security Engineering & Response Team) Weblog.
How To Stop DoS (or DDoS) Attacks?
Well for starters – you can start by praying!
On a serious note, you’ll probably end up praying anyway: being on the receiving end of a DDoS attack can be the most helpless situation one is faced with.
Expecting that a DoS/DDoS attack will simply vanish and never come back – is a probable scenario, but one in which you are not in control.
Many websites experience DoS/DDoS attacks – some for a couple of hours – some for days, and just as suddenly the attack came – it goes away the same way! These few websites are the lucky ones – a small minority!
For others – the situation is not so pleasant. DoS/DDoS can be very expensive (in terms of downtime) and costly in terms of the bandwidth. Many websites that get attacked are hosted with Web Hosting Providers or Application Service Providers. Some are on shared servers, some on dedicated and some on co-located servers.
When websites experience denial of service attacks, chances are that if mitigation gear is not in place, the website or whatever service is being attacked will succumb (buckle) under the load. This load also affects your upstream provider. In many instances your upstream bandwidth provider will cut you off from the rest of the world – a term known as blackholing [a process by which the advertised path for your website/IP address is simply removed, i.e. incoming traffic at the router destined for your website/IP address is dropped, resulting in 100% packet loss].
I also encourage readers to read this generic, yet informative article on Distributed Denial of Service – Protecting Critical Systems.
Some upstream service providers (depending on your network/bandwidth contract) will charge you for the excess bandwidth that is coming in – this can very quickly add up to a huge bill.
These extreme measures (such as blackholing) or expensive bandwidth billing will remain in place until and unless the anomaly (i.e. the attack) subsides.
Here is perhaps the only good definition / explanation of Black-Hole Filtering I could find on the web.
Black Hole Filtering
ISPs have other options available that depend on routing changes, such as black hole filtering. Black hole filtering works by forwarding malicious traffic to an imaginary interface known as Null0 – similar to /dev/null on Unix machines. Since it’s not a valid interface, traffic routed to Null0 is essentially dropped. Moreover, this technique minimizes performance impact – a useful feature during the DDoS investigation so the rest of the network remains stable under the heavy load.
An important point to keep in mind when addressing a DDoS attack is that filtering at the target is not the best option. Whether it is a firewall or border router stopping the offending packets, a huge portion of incoming bandwidth is still being consumed – delaying legitimate traffic. To truly alleviate the effects of a DDoS flood, the traffic will have to be blocked at a point higher up the chain – likely a device under a large providers control. This means that many of the products that claim to prevent DDoS attacks are ultimately useless for smaller networks and their end users. Moreover, it means that solving a DDoS attack, at some point, is out of our hands. It’s a frustrating truth realized by anyone who has ever dealt with the problem.
Credit: Closing the Floodgates: DDoS Mitigation Techniques by Matthew Tanase 2003-01-07
Handling DoS/DDoS attacks is not a one-party job. It involves many organizations/companies working together for a common cause – defeating the attack.
As an example, it could involve your IT department, your upstream service provider – and at times their upstream provider (in the event they are not a Tier 1 provider) – your solution vendor, law enforcement, etc.
Listed below are some excellent resources (papers, websites, etc.) from where one can learn how to stop DoS/DDoS attacks.
- Consensus Roadmap for Defeating Distributed Denial of Service Attacks – A must read!
- Help Defeat Denial of Service Attacks: Step-by-Step – A must read!
- CERT – Tech Tips Section (Multiple Links) – A must read!
- RFC 2267 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing – A must read!
- DDoS Mitigation Techniques (Distributed Denial of Service) – An excellent repository of papers that discuss how to handle DDoS mitigation – part of the Honeypots.net system.
- A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms (PDF File, Size 99kb)
- INFOSYSSEC: Denial of Service Attacks – DDOS, SMURF, FRAGGLE, TRINOO – A must read! (also posted below in Different Types of DoS/DDoS Tools)
- Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks by Cisco
- Protecting Web Servers from Distributed Denial of Service Attacks
- Denial of Service (Articles & Links)
- Stopping Attacks: The importance of Denial of Service (DoS) Security (PDF File, Size: 231kb)
- The SANS Top 20 Internet Security Vulnerabilities – A must implement resource!
- Juniper Networks: Enabling Unicast Reverse-Path Forwarding Check
If your website is on a shared or dedicated hosting platform with a service provider, the above articles are definitely helpful, but it would also help to seek the services of a security specialist who can harden your machine.
A very good source for the hosting world are the forums at Web Hosting Talk. The Technical Tutorials Section is a must read. I have for ease of navigation listed some important tutorials below, even though most of these tutorials are applicable to the Linux environment.
Even though I tend to be vendor neutral, I would still like to stress the fact that there is this beautiful process called “Transaction Rate Limiting (TRL)” by Foundry Networks.
I’ve decided to do a cut-and-paste on what exactly is TRL and why it is so helpful. More on TRL can be found on the Foundry Network’s Website.
Transaction Rate Limiting
Transaction Rate Limiting (TRL) provides a way to monitor and limit traffic from any one IP address. When this feature is enabled, the ServerIron counts the number of bytes received from any one IP address over a specified interval. During this interval, if the number of bytes received from an individual IP address exceeds a specified threshold value, traffic from that IP address is held down and not processed for a specified number of minutes. You can use Transaction Rate Limiting to ensure that traffic from a single IP address does not monopolize resources on the ServerIron.
You apply Transaction Rate Limiting to individual interfaces on the ServerIron; only traffic on the specified interfaces is monitored. Transaction Rate Limiting can be applied to TCP, UDP, and ICMP traffic. For TCP and UDP traffic, you can apply Transaction Rate Limiting to up to four destination ports.
Transaction Rate Limiting, when used in conjunction with the SYN-Guard feature (where the ServerIron waits until a three-way handshake is completed with a connecting client before forwarding packets to the destination server), provides an additional defense against TCP flood attacks. The SYN-Guard feature shields the destination server from incomplete three way handshakes, and the Transaction Rate Limiting feature causes TCP traffic from the attacker’s IP address to be held down, and the attacker’s IP address to be logged.
When traffic from an IP address is held down, a message is written to Syslog. In addition, you can display a list of the IP addresses whose traffic is being held, as well as statistics about that traffic.
Credit: Foundry Networks.
Who are the Major Players in the Market for Anti-DoS / Anti-DDoS Equipment?
Coming to the $64 Million question – who can protect you from DoS/DDoS attacks?
The market for anti-DoS/anti-DDoS measures has grown considerably due to the growing menace of denial of service attacks. In addition to the hardware vendors, there are companies that offer “bandwidth” cleansing (scrubbing, as it is technically called) of DoS/DDoS-infected traffic. There are also a few hosting companies/data-centers that filter DoS/DDoS attacks.
I would like to make an important comment here: OEM (Hardware) vendors will tell you that their boxes work great, hosting companies will say that you need more than just mitigation devices (I agree), bandwidth scrubbing companies will say there is much more to this than just mitigation and other devices and personnel involvement, it requires expertise, etc.
To be honest, there is a sales pitch in all of this, as well as large amounts of truth & experience. Every website that suffers a DoS/DDoS attack is sort of unique in its characteristics. Sometimes merely placing a firewall or a small entry-level mitigation device will resolve the problem; at the other extreme, you could be looking at 20,000 zombie machines attacking you with a sustained bandwidth attack of up to 3,000Mbps (that’s 3Gbps!). [Read this article on such an attack: How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won].
Since I first wrote this paper, a lot has changed. I’ve learnt of services and boxes that can thwart DDoS attacks, and have personally worked on some of these. The threats have changed – not so much by nature, but by the numbers. It’s been a shift in magnitude. Whereas 2-3 years ago a 4-5GBps attack was considered big, today it is no longer big.
Arbor Network publishes something called the Worldwide Ne
Bottom line, you will need to make calculated and well-researched decisions before implementing any solution. If you can afford the services of a good security consultant, who is experienced and independent, please do so. Don’t be afraid to ask for evaluation units or 30-day money back guarantee if the device &/or solution fails to deliver! No-cost / No-obligation should be your shopping mantra!
As the supplier market is small, you will see some companies bad-mouthing the others more than one does elsewhere in the competitive world. I’d be very wary of sales executives who trash their competitors at every opportunity they get. You will be confused and put into self-doubt at every conceivable opportunity – don’t be intimidated. As the old saying goes – go with your gut feeling! Also, don’t hesitate to experiment and, last but not least – when in doubt – check it out! All you have to do is ask. You can email me at faisal(at)netxs.com.pk or alternatively, ask questions in the various forums &/or mailing lists. There are people out there to help you out.
Listed below first are hardware vendors in no particular order:
Arbor Networks [Major Player]
Website: www.arbornetworks.com
Arbor’s solutions are built upon the Peakflow® Platform, an architecture for network-wide data collection, analysis, and anomaly detection. This unique Platform creates models of normal network behavior from the edge through the core by analyzing flow statistics, such as Cisco’s NetFlow, or raw packet data. Then, in real time, it compares traffic against these baselines to perform network anomaly detection. Product lines are PeakFlow X & PeakFlow SP.
Important: The Fingerprint Sharing Alliance is a coalition of telecommunications companies around the globe that are stamping out cyber attacks that cross company boundaries, continents and oceans. Arbor Networks added the Fingerprint sharing capability to Peakflow SP to allow companies to share attack fingerprints automatically without revealing any competitive information.
Cisco (formerly Riverhead Networks) [Major Player]
Website: www.cisco.com
Cisco Guard DDoS Mitigation Appliances. Cisco Guards detect the presence of a potential DDoS attack, divert traffic destined for the targeted device, and identify and block malicious traffic in real time, without affecting the flow of legitimate, mission-critical transactions. As a result, business operations of targeted organizations continue running, even while under attack, ensuring critical corporate assets are always protected.
Cs3, Inc.
Website: www.cs3-inc.com
Cs3’s patent-pending MANAnet Shield (MANA means “soul” or “essence” in the languages of the Pacific Islands) is a family of products and technologies that provide comprehensive, infrastructure-level defenses against both incoming and outgoing packet-flooding Distributed Denial of Service (DDoS) attacks on the Internet. MANAnet Shield incorporates both active, inline solutions and passive, off-line solutions. MANAnet FloodWatcher is a passive, off-line device that monitors network traffic parameters, detects anomalies indicative of a DDoS attack, and alerts administrators with critical information to take remedial actions.
F5 Networks, Inc.
Website: www.f5.com
BIG-IP is an amazing piece of hardware that provides high-availability load balancing, fast and extremely intelligent layer 7 switching, granular interactive control, DoS protection, resource pooling and a number of other features to help protect an enterprise’s Internet presence.
Fortinet
Website: www.fortinet.net
Fortinet’s award-winning FortiGate™ series of ASIC-accelerated antivirus firewalls detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more — in real time. As the recognized leader in Unified Threat Management systems, Fortinet protects the networks of everyone from small offices to large MSSPs. The capabilities of all FortiGate systems include: Antivirus, Content Filtering, Traffic Shaping, Firewall, VPN, Intrusion Detection and Prevention, Antispam and Virtual Domains.
Foundry Networks
Website: www.foundrynet.com
Their Layer 3 backbone switches (BigIron), NetIron routers and Layer 4-7 switches (ServerIron) all have rate-limiting features and DoS protection.
Juniper Networks
Website: www.juniper.net
Their routers as well as their NetScreen line of firewalls have very good DoS/DDoS detection and mitigation. The NetScreen firewalls can actively stop DoS/DDoS attacks, subject to the bandwidth and connection setup rate the particular model can handle.
McAfee (Network Associates)
Website: www.networkassociates.com
McAfee IntruShield’s market-leading intrusion prevention solutions redefine the deployment of network security by enabling Enterprises, Carriers and Service Providers to deploy the most comprehensive intrusion prevention for proactive threat protection against known, zero-day, DoS and encrypted attacks. IntruShield’s pioneering technology provides unparalleled prevention accuracy, centralized management, enterprise-class scalability an
Mazu Networks [Major Player]
Website: www.mazunetworks.com
Mazu Networks is a behavior-based, network security company with solutions that analyze network traffic and behavior to help enterprises operate networks more securely. Mazu has two products. The Mazu Profiler is an internal security solution designed to detect and mitigate worms and internal threats. The Mazu Enforcer is a perimeter security solution designed to detect and mitigate denial-of-service attacks.
Melicor, Inc.
Website: www.ddos.com
Our Mission is to introduce a new network and application CyberWarfare Defense Layer, to provide for the first time in ten years a major technological advancement in security technology, since firewalls were developed: a comprehensive and effective protection against distributed Denial-of-Service (dDoS) attacks, eDoS (Spam, Phishing), and vDoS (Virii, Trojans, Worms, and other Malware) attacks.
NetScaler, Inc.
Website: www.netscaler.com
NetScaler Application Delivery Systems combine the features and functions of traditional data center point products – load balancing, caching, compression, SSL acceleration, attack defense, SSL VPN – into a single network appliance, built from the ground up to maximize the performance and security of data center applications. Building intelligent application infrastructures is challenging, as applications typically require end-to-end connections between servers and clients, hiding individual application requests. This “hiding” of individual application requests leaves many application-layer solutions crippled in making intelligent application decisions.
Nortel Networks, Inc.
Website: www.nortelnetworks.com
Nortel’s Alteon family of switches offer DoS protection.
Radware
Website: www.radware.com
Radware Application Security Solutions isolate, block and prevent application level attacks at 3-Gigabit speeds. Coupling unmatched security performance with advanced security intelligence Radware immediately thwarts viruses, intrusions, Trojans, worms and Denial of Service attacks, letting you securely connect and protect all mission critical applications.
Sandvine
Website: www.sandvine.com
Reduce the Impact of Denial-of-Service Traffic on your Network. Worm activity, often the prelude to both spam and denial of service (DoS) attacks, has shifted focus to residential broadband subscribers — the weakest, most uncontrolled point in the Internet. Home users are difficult to protect en masse, and service providers are forced to bear escalating support costs and attacks on their ability to deliver the best possible Internet experience.
Tipping Point
Website: www.tippingpoint.com
TippingPoint, a division of 3Com, is the leading provider of network-based intrusion prevention systems that deliver in-depth Application Protection, Infrastructure Protection, and Performance Protection for corporate enterprises, government agencies, service providers and academic institutions. Our innovative approach offers customers unmatched network-based security with unrivaled economics, ultra-high performance, scalability and reliability. The TippingPoint Intrusion Prevention System (IPS) delivers the most powerful network protection in the world. The TippingPoint IPS is an in-line device that is inserted seamlessly and transparently into the network. As packets pass through the IPS, they are fully inspected to determine whether they are legitimate or malicious. This instantaneous form of protection is the most effective means of preventing attacks from ever reaching their targets.
TopLayer [Major Player]
Website: www.toplayer.com
Top Layer’s Attack Mitigator IPS is a family of high performance, ASIC-based intrusion prevention solutions with intelligent blocking and control against the most prevalent cyber attacks. Hybrid attacks such as HTTP worms, DoS / DDoS attacks, protocol and traffic anomalies, IP spoofing, SYN flood attacks, and more, are accurately detected, and stopped in real-time. The Attack Mitigator IPS allows the network security administrator full control in selecting how the device will respond to detected attacks. Precise but flexible actions against malicious and suspicious traffic include monitoring, alerting, limiting and blocking. Attack Mitigator IPS offers 100 megabit through multi-gigabit solutions for maximum performance.
Important: Perhaps one of the most widely deployed solutions out there to counter DoS/DDoS.
Webscreen
Website: www.webscreen-technology.com
Webscreen Technology Inc. is proud to present the Webscreen family of Network Security products. Specifically tuned to detect and prevent Network Integrity attacks, Webscreen makes use of a sophisticated heuristic algorithm to separate malicious from legitimate traffic. Webscreen customers experience very high levels of network accessibility even under the most vicious attack, and experience enhanced performance of other network components.
Here is a brief list of hosting companies that can fend off DoS/DDoS attacks. I am borrowing a word we use so much elsewhere – these companies allegedly can protect you. Be very careful of such statements. Ask all the relevant questions. Read the Terms of Service and Acceptable Usage Policy statements offered by these hosting companies. Many companies have generic DoS/DDoS protection, which means that, sure enough, the gear can fend off DoS attacks, but if the attack size increases, one of two things can happen: (a) the mitigation device will start to get seriously overloaded, or (b) the company’s Internet connectivity will start to get choked. In either case, the company will unplug your server or blackhole you until the attack subsides. If you read the forums on Web Hosting Talk (WHT) you will notice a lot of such incidents having been reported about companies advertising that they offer DoS / DDoS protection. What they offer is – limited protection! Be very alert about such claims. Remember – it’s marketing after all.
Specifically ask if they will turn your server off or null-route you if the DoS/DDoS exceeds a certain capacity. Ask what attack rate (bandwidth, packets per second and connection setup rate) they can fend off. Specifically ask: if you were attacked at 540 Mbps sustained for 11 days, would they shut you off? Ask if they include or exclude the DoS/DDoS traffic in your network bill. They should not!
Do go to Web Hosting Talk and search for reviews on these companies, you can also Google for the same.
Black Lotus
Website: www.blacklotus.net
Comment: Black Lotus has been offering DDoS mitigation services since 1999 when such attacks were a new trend and the first widescale attacks were just beginning to make national news. Our consultants are certified information technology engineers with terminal degrees from prestigious universities in their field. In essence, we know what works and what does not and can work with you to build a functional solution based on the needs of your organization. No two DDoS threats are alike, so an individual consultation is necessary to determine the proper solution.
Cybercon
Website: www.cybercon.com
Comment: Based out of St. Louis, Missouri, USA. Expensive, but these folks have the knowledge in dealing with attacks.
DDoSProtection
Website: www.ddosprotection.com
Comment: Our company is aimed at helping small-to-medium online businesses to protect themselves from DDOS attacks and other security vulnerabilities.
EV1Servers
Website: www.ev1servers.net
Comment: All IPs on all servers at both EV1 data centers are now protected by FireSlayer, a combination of EV1-developed and commercially available anti Denial of Service (DoS) technologies. This service is 100% automatic and 100% free.
GigeSERVERS
Website: www.gigeservers.com
Comment: Based out of Chicago, Illinois, USA. Eight years of experience in dealing with DoS/DDoS attacks.
RackSpace
Website: www.rackspace.com
Comment: The Rackspace network has been engineered from the ground up to accommodate the high-availability demands of our customers’ mission-critical Web applications. Our Cisco-powered, Zero-Downtime Network™ has unique self-healing attributes that allow us to deliver on our 100% infrastructure availability guarantee.
Staminus
Website: www.staminus.net
Comment: We offer a wide array of dedicated server hosting solutions so please feel free to navigate our site or sitemap. Our dedicated servers come with a 99.9% network uptime guarantee so you can have peace of mind.
The Planet
Website: www.theplanet.com
Comment: Based out of Dallas, Texas, USA. They use the Savvis Data Center, with 19 Gbps of available bandwidth.
Listed below are other companies that you should also check out with respect to DoS/DDoS solutions:
- Green Gate Labs
- Block-DDoS
- DoS/DDoS News Source
- Tenable Network Security
- Prolexic Technologies – Comment: Provides scrubbing services for DoS/DDoS attacks
- Extreme Networks
- NIKISUN – Network Security Solution
- DDoSWorld – Portal
- CyberSheild Networks, Inc
- SysMaster – DoS Solutions
Where Can I Learn More About The Tools That Initiate DoS/DDoS Attacks?
DoS/DDoS attacks are not caused only by specialized software applications or tools. Viruses and worms can equally be programmed to deliver denial of service attacks.
DoS/DDoS tools can be classified under the following:
- Viruses
- Worms
- Stress testing tools
- Maliciously designed Trojans/zombies
- DoS/DDoS programs
Because there are so many trojans, viruses and worms that can carry out DoS/DDoS attacks, your best bet to find out or read up on them is to go to the websites of the various antivirus companies, type “denial of service” into their virus encyclopedia and browse through the results.
Here is a short paper by ISS called Distributed Denial of Service Attack Tools (PDF File: 53kb). Although the paper is quite old by today’s standards (circa March, 2000), it is nonetheless an excellent resource for learning about some of the most popular DoS/DDoS programs.
Dave Dittrich (Senior Security Engineer and Researcher, University of Washington Center for Information Assurance and Cybersecurity), the person who coined the phrase Distributed Denial of Service Attacks, has done some invaluable work on the analysis of DoS/DDoS software. For anyone who is curious as to how these programs operate, these papers and the work done by Mr. Dittrich are an outstanding read; I highly recommend reading his papers.
Here are other websites that list some of the tools used in DoS/DDoS attacks:
- Advanced Networking Management Lab (ANML) Distributed Denial of Service Attacks (DDoS) Resources
- Secguru – Denial of Service
- Solarwinds – WAN Killer
- INFOSYSSEC: Denial of Service Attacks – DDOS, SMURF, FRAGGLE, TRINOO – A must read! (also posted above in How to Stop DoS/DDoS Attacks)
- ISIC — IP Stack Integrity Checker
- AntiServer: Denial of Service Tools
- Microsoft: Stress tools to test your Web server
- Astalavista / New Order List of Tools
Reference Reading
The following resources are highly recommended for reading.
Copyrights
©Copyright 2001-2009. All Rights Reserved. Faisal Khan. All other names, trademarks, slogans, service marks are rightful copyrights of their respective owners.
Disclosure
I thought it was just as important to have a disclosure statement here. So here goes. I am the CEO & Founder of Net Access Communication Systems (Private) Limited – A Systems Integration / Managed IP Services company in Karachi, Pakistan. Net Access is an authorized reseller for Arbor Networks. Arbor Networks has in no way and/or manner sponsored this website, directly and/or indirectly.
Updated
This section was last updated on 5th of September 2009.
Disclaimer
If you would like to add anything to this document (perhaps a website you may know of, a paper you would like to place here, a presentation, a video, or a vendor solution not listed here), please email me at mailto:faisal(at)nacspl.com?subject=dos-attacks-website – please substitute the (at) with an @ symbol.
I’ve included some videos, PDFs, presentations, and other graphics on this page and have given due credit. If you are the author of such content and do not wish for it to be displayed here, or would like alterations/corrections made to the credits, simply email me at mailto:faisal(at)nacspl.com?subject=dos-attacks-website (please substitute the (at) with an @ symbol) and it will be removed. Please do note that I am not a Security Expert, nor am I claiming to be one.