Surviving denial-of-service? You need outside help to keep from going under.
- By William Jackson
- Jan 18, 2013
Part of GCN's series on DOS attacks.
Denial-of-service attacks have become an increasingly easy way to damage websites and other online resources to attract attention, punish perceived wrongdoing, and even for extortion. The hacktivist collective Anonymous last year turned its Low Orbit Ion Cannons on a number of government Web sites, including those of the Justice Department, FBI and the Copyright Office in a high-profile protest of law enforcement actions and proposed legislation.
Since then, both the profile and the volumes of attack traffic have grown.
Denial-of-service attacks -- DOS -- are a horse of a different color in the threat landscape. Because they affect availability rather than data or systems, they often require more of a disaster response than a security incident response. At the same time, the variety of techniques for carrying out DOS attacks complicates defense. In most cases, agencies are going to need outside help to do it right, the professionals advise.
“There is no way you are going to mitigate these attacks from a fixed infrastructure,” said Fran Trentley, senior service line director for Akamai Technologies’ public sector business. “You can’t.”
The problem boils down to scale. With attackers having available greater bandwidth and increasingly powerful tools to launch attacks that can overwhelm agency resources, it can be cost-prohibitive and ineffective to maintain the capabilities — not only in hardware and software but also in manpower and training — needed for in-house defense.
Blocking the attacks requires leveraging on-demand resources of a cloud, said Neal Quinn, chief operating officer at Prolexic Technologies. “Deploying devices onsite is of little value,” he said. “Handling this in the cloud is absolutely important.”
Akamai and Prolexic sell third-party cloud-based services and are hardly objective observers on this issue. But they are not alone. US-CERT agrees that outside assistance is at least helpful, if not absolutely necessary. In its January 2012 alert on the Anonymous distributed denial-of-service attacks, US-CERT noted that service-level agreements with ISPs and hosting providers often include DDOS mitigation services that agencies should know about and take advantage of.
However, enterprises are not entirely helpless on their own. Network and application firewalls can identify and block malicious traffic. And agencies can address application-based DOS attacks that do their dirty work inside servers rather than by bombarding them from the outside with high volumes of traffic.
“Historically, the tools have been up to the job,” said Carlos Morales, vice president of global sales engineering and operations at Arbor Networks.
Although vendors and US-CERT agree there are steps that organizations can and should take to ensure a layered defense against DOS attacks, the cost of maintaining a staff and infrastructure to deal with them completely could outweigh the benefits. When agencies need those defenses, there is a good argument for turning over at least some of the job to specialists who have the resources and capacity to provide an on-demand response.
NEXT: DOS attacks mature, leveraging networking advances