10 ways to stop DDoS attacks

This presentation gives practical advice on DDoS attack mitigation based on global experience of the author.

  1. Hemant Jain’s 10 Ways to Stop the New Generation of Distributed Denial of Service (DDoS) Attacks
  2. Key Points to Note
     • You can only stop DDoS attacks after your own perimeter.
     • You cannot stop DDoS attacks before your perimeter – unless others are ready to help you.
     • Your mitigation is only as good as the knowledge, tools and techniques you have at your disposal.
  3. 1. Stop spoofed TCP attacks AT YOUR PERIMETER
     • SYN floods are the oldest kind of spoofed DDoS attack; have a way to stop them.
     • The best mitigation is done in hardware logic, although some software firewalls can cope with limited-bandwidth attacks.
  4. 2. DON’T LET DARK ADDRESS PACKETS PASS YOUR PERIMETER
     • Dark addresses (bogons) are addresses that have not yet been assigned by IANA.
     • When hackers use scripts, their random number generation logic does not check whether a source IP address falls in the bogon list and randomly spews out packets.
     • Such packets should be blocked immediately.
  5. 3. Block unused protocols and ports
     • Why expose unused protocols and ports when you don’t serve them?
     • Use your firewall, switch, router or other perimeter equipment to block them right away. That will filter out a significant number of unwanted packets.
  6. 4. Limit the number of accesses per second per source IP
     • When non-spoofed botnets attack your properties, you need to limit the access.
     • The easiest rate limit is per source IP.
     • You can also rate limit SYN, FIN, ACK and RST packets per second per source IP.
     • Your protection mechanism must allow dynamic monitoring of accesses by a reasonably large number of IPs.
  7. 5. Limit the number of concurrent connections per source IP
     • When non-spoofed botnets attack your properties, you need to limit the access.
     • Another limit you can set is concurrent connections per source IP.
     • Your protection mechanism must allow dynamic monitoring of a reasonably large number of TCP connections.
  8. 6. Filter Foreign TCP Packets
     • Scripted DDoS attacks are mostly random. They don’t necessarily follow all the rules of the TCP state machine.
     • Drop foreign packets that don’t belong to any connection.
     • Drop packets that do not fall within the TCP window of an existing connection.
     • Drop packets that do not follow TCP state transitions correctly.
  9. 7. Do not forward packets with header anomalies
     • Scripted attacks also contain many header anomalies.
     • Look for anomalies in Layer 3 (IP), Layer 4 (TCP/UDP etc.) and Layer 7 (HTTP etc.) headers.
  10. 8. Monitor self-similarity in traffic
     • Scripted attacks are written to bombard you with traffic. Most attackers try to vary parameters, but some parameters remain unchanged across all packets.
     • Look for self-similarity in the attack through logs or other mechanisms and block the packets that share the common parameter. Examples are the TOS value, User-Agent, Referer, TCP options etc.
  11. 9. Keep unwanted guests away
     • When in doubt or under attack, simply block continents, countries or net-blocks from which you normally don’t expect traffic.
     • Whitelist your key users if blocking alone causes you problems.
  12. 10. Use specialized DDoS mitigation equipment
     • When all else fails, remember that there are people whose sole focus is DDoS mitigation.
  13. For More Information
     • IntruGuard is a leading DDoS solution vendor. It is globally renowned for its Network Behavior Analysis equipment.
     • Contact: IntruGuard
     • [email_address]
     • +1 408 400 4222
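Ways 4 (per-source rate limit) and 8 (self-similarity) above, as one added example that is not part of the presentation or of any IntruGuard product: it runs over a constructed access log in an assumed `<epoch-second> <source-ip> "<user-agent>"` format, flags sources whose peak per-second request rate exceeds a limit, and then checks whether the flagged requests share a single User-Agent that a filter could key on.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic); assumed format: <epoch-second> <source-ip> "<user-agent>"
SAMPLE_LOG = """\
1700000000 203.0.113.5 "python-requests/2.31"
1700000000 203.0.113.5 "python-requests/2.31"
1700000000 203.0.113.5 "python-requests/2.31"
1700000000 198.51.100.7 "python-requests/2.31"
1700000000 198.51.100.7 "python-requests/2.31"
1700000000 198.51.100.7 "python-requests/2.31"
1700000000 192.0.2.10 "Mozilla/5.0 (Windows NT 10.0)"
1700000001 192.0.2.10 "Mozilla/5.0 (Windows NT 10.0)"
1700000001 192.0.2.11 "Mozilla/5.0 (Macintosh)"
"""
LINE_RE = re.compile(r'^(\d+) (\S+) "([^"]*)"$')

def parse(log_text):
    """Yield (second, source_ip, user_agent) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def peak_rate_per_source(records):
    """Map each source IP to its highest request count within any single second."""
    per_second = defaultdict(Counter)  # ip -> Counter(second -> requests)
    for sec, ip, _ in records:
        per_second[ip][sec] += 1
    return {ip: max(hits.values()) for ip, hits in per_second.items()}

def flag_sources(records, max_per_second):
    """Way 4: sources whose peak per-second rate exceeds the limit."""
    return {ip for ip, peak in peak_rate_per_source(records).items() if peak > max_per_second}

def shared_parameter(records, flagged, min_share=0.9):
    """Way 8: the User-Agent shared by at least min_share of flagged requests, else None."""
    agents = Counter(ua for _, ip, ua in records if ip in flagged)
    if not agents:
        return None
    ua, hits = agents.most_common(1)[0]
    return ua if hits / sum(agents.values()) >= min_share else None

def analyse(log_text, max_per_second=2):
    """Return (flagged source IPs, common parameter worth filtering on or None)."""
    records = list(parse(log_text))
    flagged = flag_sources(records, max_per_second)
    return flagged, shared_parameter(records, flagged)
```

With the sample log and a limit of 2 requests per second, the two scripted sources are flagged and the shared User-Agent is reported, while the browser clients stay untouched.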