Drowning man with hands above water

Surviving denial-of-service? You need outside help to keep from going under.

Part of GCN's series on DOS attacks.

Denial-of-service attacks have become an increasingly easy way to damage websites and other online resources to attract attention, punish perceived wrongdoing, and even for extortion. The hacktivist collective Anonymous last year turned its Low Orbit Ion Cannons on a number of government Web sites, including those of the Justice Department, FBI and the Copyright Office in a high-profile protest of law enforcement actions and proposed legislation.

More Info

As defenses against network DDOS attacks improve, hackers find a new target

Brute-force denial of service attacks against networks are still the most common, but hackers are increasingly moving toward more efficient attacks on applications. Read more.

How to mitigate and defend against DOS attacks

Treating DOS attacks like a man-made disaster can help agencies determine the proper communication and technical response. Read more.

Checklist for DDOS defense

Most experts agree that you can’t do it all by yourself, but there are steps you can take to help defend yourself against and mitigate Denial-of-Service attacks. Read more.

Since then, both the profile and the volumes of attack traffic have grown.

Denial-of-service attacks -- DOS -- are a horse of a different color in the threat landscape. Because they affect availability rather than data or systems, they often require more of a disaster response than a security incident response. At the same time, the variety of techniques for carrying out DOS attacks complicates defense. In most cases, agencies are going to need outside help to do it right, the professionals advise.

“There is no way you are going to mitigate these attacks from a fixed infrastructure,” said Fran Trentley, senior service line director for Akamai Technologies’ public sector business. “You can’t.”

The problem boils down to scale. With attackers having available greater bandwidth and increasingly powerful tools to launch attacks that can overwhelm agency resources, it can be cost-prohibitive and ineffective to maintain the capabilities — not only in hardware and software but also in manpower and training — needed for in-house defense.

Blocking the attacks requires leveraging on-demand resources of a cloud, said Neal Quinn, chief operating officer at Prolexic Technologies. “Deploying devices onsite is of little value,” he said. “Handling this in the cloud is absolutely important.”

Akamai and Prolexic sell third-party cloud-based services and are hardly objective observers on this issue. But they are not alone. US-CERT agrees that outside assistance is at least helpful, if not absolutely necessary. In its January 2012 alert on the Anonymous distributed denial-of-service attacks, US-CERT noted that service-level agreements with ISPs and hosting providers often include DDOS mitigation services that agencies should know about and take advantage of.

However, enterprises are not entirely helpless on their own. Network and application firewalls can identify and block malicious traffic. And agencies can address application-based DOS attacks that do their dirty work inside servers rather than by bombarding them from the outside with high volumes of traffic.

“Historically, the tools have been up to the job,” said Carlos Morales, vice president of global sales engineering and operations at Arbor Networks.

Although vendors and US-CERT agree there are steps that organizations can and should take to ensure a layered defense against DOS attacks, the cost of maintaining a staff and infrastructure to deal with them completely could outweigh the benefits. When agencies need those defenses, there is a good argument for turning over at least some of the job to specialists who have the resources and capacity to provide an on-demand response.

NEXT: DOS attacks mature, leveraging networking advances

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above