● What is DoS/DDoS?
● Why is DDoS a popular choice?
● What is the motive behind the attacks?
● Potential DDoS targets
● Impact of DDoS attack
● Myths in DDoS protection
● DDoS mitigation techniques
Why is DDoS a popular choice?
● DDoS tools are readily available (hping, juno, Trinoo, Stacheldraht, LOIC)
● DDoS is being offered as a service at a low cost
● Botnets are available for hire to launch a DDoS attack
● Many organizations do not apply any form of DDoS protection
● DDoS solutions are not able to detect all types of attacks
● Difficult for security professionals to trace back the source of the attack due to spoofed IP addresses and covert channels
● Organizations rely entirely on the ISP for DDoS protection without considering an on-premise solution
What is the motive behind a DDoS attack?
● Hacktivism (ideological and political differences) to gain media attention
● Take down a competing player in an online game (host booting)
● Disgruntled customer or former employee
● To divert attention from the real attack or keep the incident response
● Cause loss in revenue
● Spoil brand reputation
Impact of DDoS attack
● Loss of revenue
● Organization reputation damage
● E-commerce credibility
● Lost Productivity
● Contractual Violations
● Incident handling and recovery costs
● Dissatisfied customers
Types Of DDoS attacks
● Volumetric attacks (magnitude is measured in bits per second (bps))
● Protocol attacks (magnitude is measured in packets per second (PPS))
  Ping of death
  Fragmented packet attack
● Application attacks (magnitude is measured in requests per second (RPS))
  HTTP GET (Tools: LOIC (Low Orbit Ion Cannon), HULK (HTTP Unbearable Load King), Slowloris)
  HTTP POST (Tools: RUDY (R-U-Dead-Yet), Tor's Hammer)
Myths in DDoS protection
● It only happens to others!
● Firewalls and IDS will protect me from DDoS
● Software fixes can solve DDoS attack issues
● IPTables can stop DDoS attacks
● ISP or Webhost will take care of DDoS attacks
● ACLs on switches/routers can stop DDoS attacks
DDoS Mitigation techniques
● Have an incident response plan ready and know whom to contact.
● Monitor to understand normal network traffic and create a baseline. Feed this information to a correlation engine.
Ex: Cisco Anomaly Detector XT and Arbor Peakflow SP.
● Over-provisioning: Buying excess bandwidth or redundant network devices to handle any spikes in
● IP reputation database based blocking: Database contains a list of known or frequent genuine users by
● Geo-IP location based blocking: Blocking IPs based on geographical location
● ACLs on border routers
● Implement load balancers
● Aggressive aging of idle connections from the connection table
● Install patches and harden your systems so that they will not be compromised and added to a botnet
● Change default settings and harden the device by disabling unwanted services and ports.
DDoS Mitigation techniques – Cont.
● Implement unicast reverse path forwarding (uRPF): Stops spoofed IP addresses by blocking outbound traffic whose source IP address does not belong to the local subnet
● Implement TCP Intercept: Protects against TCP SYN flood attacks by replying on behalf of the
● Implement a high-capacity Web Application Firewall (WAF) and IPS
● Rate limiting: Control the rate of traffic sent or received by a network interface controller
● Black holing/null routing with aid from the ISP: Sending all requests to a non-existent server
● Sinkholing: Sends all requests to a logger that records some statistics and then drops the requests
● Use clean pipes from the ISP or cloud-based IP scrubbing to defend against volumetric attacks
● Use a dedicated and always-on DDoS mitigation appliance
● Implement ingress and egress filtering
● Split services onto different hosts. Don't use a single host as both a DNS server and a web server
● For a home network, contact the ISP and request a dynamic IP address, or use a VPN
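Added illustration (not from these slides) of two of the techniques listed above, per-source rate limiting and aggressive aging of idle entries from the connection table: a token-bucket limiter replayed over constructed traffic from one normal client and one flooding source. The limiter class, the timings and the IP addresses are assumed for the example.

```python
from dataclasses import dataclass

# Hypothetical per-source token-bucket limiter. Times are integer
# milliseconds and balances are kept in millitokens so arithmetic is exact.
COST = 1000  # millitokens charged per request (one token)


@dataclass
class Bucket:
    mtokens: int  # current balance in millitokens
    last_ms: int  # last time this source was seen


class SourceRateLimiter:
    def __init__(self, rate_per_s, burst, idle_ms):
        self.rate = rate_per_s      # tokens refilled per second
        self.cap = burst * COST     # bucket capacity in millitokens
        self.idle_ms = idle_ms      # evict sources unseen this long
        self.table = {}             # src -> Bucket (the "connection table")

    def allow(self, src, now_ms):
        b = self.table.get(src)
        if b is None:
            b = self.table[src] = Bucket(self.cap, now_ms)
        else:
            # 1 token/s == 1 millitoken/ms, so refill = elapsed_ms * rate
            b.mtokens = min(self.cap, b.mtokens + (now_ms - b.last_ms) * self.rate)
            b.last_ms = now_ms
        if b.mtokens >= COST:
            b.mtokens -= COST
            return True
        return False  # over budget: drop the request, charge nothing

    def age_idle(self, now_ms):
        """Aggressive aging: remove entries idle for longer than idle_ms."""
        stale = [s for s, b in self.table.items() if now_ms - b.last_ms > self.idle_ms]
        for s in stale:
            del self.table[s]
        return len(stale)


def replay(limiter, events):
    """events: iterable of (ms, src); returns src -> [allowed, dropped]."""
    stats = {}
    for ms, src in sorted(events):
        ok = limiter.allow(src, ms)
        stats.setdefault(src, [0, 0])[0 if ok else 1] += 1
    return stats


def demo():
    # Constructed traffic: a well-behaved client sending 2 req/s for 10 s and
    # a source flooding 100 requests inside one second (addresses are sample values).
    normal = [(ms, "198.51.100.10") for ms in range(0, 10000, 500)]
    flood = [(ms, "203.0.113.7") for ms in range(0, 1000, 10)]
    lim = SourceRateLimiter(rate_per_s=5, burst=10, idle_ms=5000)
    stats = replay(lim, normal + flood)
    evicted = lim.age_idle(now_ms=9600)  # flooder idle since 990 ms is aged out
    return stats, evicted
```

With a budget of 5 requests per second and a burst of 10, the flooding source gets 14 requests through and 86 dropped, while the normal client is never throttled; the idle flooder entry is then aged out of the table.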