DDoS : The menace
By Aravind Anbazhagan
Outline
● What is DoS/DDoS?
● Why is DDoS a popular choice?
● What is the motive behind the attacks?
● Potential DDoS targets
● Impact of DDoS attack
● Myths in DDoS protection
● DDoS mitigation techniques
Why is DDoS a popular choice?
● DDoS tools are readily available (hping, juno, Trinoo, Stacheldraht, LOIC)
● DDoS is being offered as a service at a low cost
● Botnets are available for hire to launch a DDoS attack
● Many organizations do not apply any form of DDoS protection
● DDoS solutions are not able to detect all types of attacks
● Difficult for security professionals to trace back the source of the attack
due to spoofed IP addresses and covert channels
● Organizations rely entirely on the ISP for DDoS protection without
considering an on-premise solution
What is the motive behind a DDoS attack?
● Hacktivism (ideological and political differences) to gain media attention
● Ransom/Extortion
● Take down a competitive player in an online game (host booting)
● Disgruntled customer or former employee
● To divert attention from the real attack or keep the incident response
team busy
● Cause loss in revenue
● Spoil brand reputation
● Boredom
● Annoyance
● Revenge
Potential DDoS targets
Impact of DDoS attack
● Loss of revenue
● Organization reputation damage
● E-commerce credibility
● Lost Productivity
● Contractual Violations
● Incident handling and recovery costs
● Dissatisfied customers
Types Of DDoS attacks
● Volumetric attack (magnitude is measured in bits per second (bps))
SYN flood
UDP flood
ICMP/Ping flood
● Protocol attacks (magnitude is measured in packets per second (pps))
Ping of death
Smurf attack
Fragmented packet attack
● Application attack (magnitude is measured in requests per second (rps))
HTTP GET (Tools: LOIC (Low Orbit Ion Cannon), HULK (HTTP Unbearable Load King), Slowloris)
HTTP POST (Tools: RUDY (R-U-Dead-Yet), Tor's Hammer)
DNS flood
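The three magnitudes the deck uses to separate attack classes (bits per second, packets per second, requests per second) are easy to compute from a capture window, and doing so is the first step in deciding which mitigation applies. The following is an added example, not part of the original deck: it summarizes a one-second window of packet records into bps, pps and rps, reports how concentrated the sources are (a single dominant source points at DoS rather than DDoS), and labels the window. Every packet record, IP address (documentation ranges) and threshold is constructed for illustration; an operator would derive the thresholds from their own baseline.

```python
from dataclasses import dataclass

# Added example: classify an observation window by the three magnitudes the
# deck names (bits/s, packets/s, requests/s). All records, thresholds and
# addresses below are constructed for illustration, not real traffic.

@dataclass(frozen=True)
class Pkt:
    t: float        # seconds since window start
    proto: str      # "TCP", "UDP" or "ICMP"
    src: str        # source IP (documentation ranges only)
    size: int       # bytes on the wire
    info: str = ""  # TCP flag, ICMP type or HTTP method, if known

# Thresholds are assumptions: an operator derives them from their own baseline.
BPS_LIMIT = 8_000_000   # 8 Mbit/s sustained: bandwidth is the bottleneck
PPS_LIMIT = 5_000       # 5k packets/s: per-packet state is the bottleneck
RPS_LIMIT = 500         # 500 HTTP requests/s: application workers are the bottleneck

def summarize(pkts, window_s):
    """Aggregate one window into bps, pps, rps and source concentration."""
    total_bytes = sum(p.size for p in pkts)
    requests = sum(1 for p in pkts if p.proto == "TCP" and p.info in ("GET", "POST"))
    counts = {}
    for p in pkts:
        counts[p.src] = counts.get(p.src, 0) + 1
    top_share = max(counts.values()) / len(pkts) if pkts else 0.0
    return {
        "bps": total_bytes * 8 / window_s,
        "pps": len(pkts) / window_s,
        "rps": requests / window_s,
        "top_share": top_share,  # 1.0 = single source (DoS), small = many sources (DDoS)
    }

def classify(stats):
    """Return the attack classes whose magnitude exceeds its threshold."""
    labels = []
    if stats["bps"] > BPS_LIMIT:
        labels.append("volumetric")
    if stats["pps"] > PPS_LIMIT:
        labels.append("protocol")
    if stats["rps"] > RPS_LIMIT:
        labels.append("application")
    return labels or ["normal"]

# Constructed one-second windows of traffic.
def udp_flood(n=2000, size=1400):
    # large UDP datagrams from many sources: bandwidth exhaustion
    return [Pkt(i / n, "UDP", f"203.0.113.{i % 200 + 1}", size) for i in range(n)]

def fragment_flood(n=6000, size=64):
    # many tiny fragments: reassembly/state exhaustion, little bandwidth
    return [Pkt(i / n, "UDP", f"198.51.100.{i % 250 + 1}", size, "FRAG") for i in range(n)]

def http_get_flood(n=800, size=300):
    # modest bandwidth and packet rate, but far too many application requests
    return [Pkt(i / n, "TCP", f"203.0.113.{i % 50 + 1}", size, "GET") for i in range(n)]

def normal_traffic(n=100, size=500):
    return [Pkt(i / n, "TCP", f"198.51.100.{i % 10 + 1}", size,
                "GET" if i % 3 == 0 else "ACK") for i in range(n)]

if __name__ == "__main__":
    samples = [("udp", udp_flood()), ("frag", fragment_flood()),
               ("http", http_get_flood()), ("normal", normal_traffic())]
    for name, pkts in samples:
        s = summarize(pkts, 1.0)
        print(f"{name:7s} {s['bps'] / 1e6:6.2f} Mbit/s {s['pps']:6.0f} pps "
              f"{s['rps']:5.0f} rps top_share={s['top_share']:.2f} -> {classify(s)}")
```

The labels are independent, so a window can carry more than one (a large-packet flood that is also a request flood), which is exactly when more than one of the mitigations later in the deck has to be applied at once.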
Myths in DDoS protection
● It only happens to others!
● Firewalls and IDS will protect me from DDoS
● Software fixes can solve DDoS attack issues
● IPTables can stop DDoS attacks
● ISP or Webhost will take care of DDoS attacks
● ACLs on switches/routers can stop DDoS attacks
DDoS Mitigation techniques
● Have an incident response plan ready and know whom to contact.
● Monitor to understand normal network traffic and create a baseline. Feed this information to a correlation engine.
Ex: Cisco Anomaly Detector XT and Arbor Peakflow SP.
● Over-provisioning: buying excess bandwidth or redundant network devices to handle any spikes in
demand.
● IP reputation database based blocking: the database contains a list of known or frequent genuine users by
IP address
● Geo-IP location based blocking: blocking IPs based on geographical location
● ACL on border routers
● Implement Load balancers
● Aggressive aging of idle connections from the connection table
● Install patches and harden your systems so that they will not be compromised and added to a botnet
● Change default settings and harden the device by disabling unwanted services and ports.
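The baseline bullet above is the one that makes every later mitigation actionable: without a notion of "normal", there is nothing for a correlation engine to alert on. The following is an added example, not from the deck or from either product it names: a z-score detector over per-minute packet counts that learns a baseline from a warm-up window and then refuses to fold flagged minutes back into that baseline, so a sustained flood cannot teach the detector that the flood is the new normal. The count series is constructed (30 quiet minutes, a five-minute flood, five quiet minutes); the warm-up length, sliding window and the k = 4 threshold are assumptions.

```python
import statistics

# Added example: z-score anomaly detection against a learned traffic baseline.
# The series is constructed: per-minute packet counts for 30 quiet minutes,
# then a five-minute flood, then five quiet minutes.
QUIET = [4120, 3980, 4210, 3890, 4050, 4300, 3970, 4010, 4180, 3940,
         4090, 4230, 3860, 4020, 4110, 3990, 4160, 4070, 3920, 4250,
         4030, 3960, 4140, 4080, 3900, 4200, 4010, 4060, 3950, 4170]
FLOOD = [38000, 52000, 61000, 47000, 30000]
AFTER = [4040, 4120, 3980, 4210, 4090]
SAMPLE = QUIET + FLOOD + AFTER

def baseline(history):
    """Mean and population standard deviation of the learned 'normal' counts."""
    return statistics.mean(history), statistics.pstdev(history)

def detect(series, warmup=30, k=4.0, window=30):
    """Flag minutes whose count exceeds mean + k*stdev of the recent baseline.

    Returns a list of (index, count, z_score). Flagged samples are NOT folded
    into the baseline, so a long flood cannot train the detector into
    accepting itself as the new normal; unflagged samples slide the window.
    """
    history = list(series[:warmup])
    alerts = []
    for i in range(warmup, len(series)):
        mean, stdev = baseline(history)
        if stdev == 0:
            # flat history: anything above the mean is unprecedented
            z = 0.0 if series[i] <= mean else float("inf")
        else:
            z = (series[i] - mean) / stdev
        if z > k:
            alerts.append((i, series[i], round(z, 1)))
        else:
            history.append(series[i])
            history = history[-window:]  # keep the baseline recent
    return alerts

if __name__ == "__main__":
    mean, stdev = baseline(QUIET)
    print(f"baseline: mean={mean:.0f} pkts/min stdev={stdev:.0f}")
    for idx, count, z in detect(SAMPLE):
        print(f"minute {idx}: {count} pkts/min (z={z}) -> ALERT")
```

In practice the baseline is kept per hour-of-day and per day-of-week rather than as one flat window, because normal traffic has its own cycles; the non-poisoning rule is the part worth keeping whatever the baseline model.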
DDoS Mitigation techniques – Cont.
● Implement unicast reverse path forwarding (uRPF): stops spoofed IP addresses by dropping outbound traffic whose
source IP address does not belong to the subnet
● Implement TCP Intercept: protects against TCP SYN flood attacks by replying on behalf of the
intended destination.
● Implement a high-capacity Web Application Firewall (WAF) and IPS
● Rate limiting: control the rate of traffic sent or received by a network interface controller
● Black holing/null routing with aid from the ISP: sending all requests to a non-existent server
● Sink holing: sends all requests to a logger that logs some statistics and then drops the requests
● Use clean pipes from the ISP or cloud-based IP scrubbing to defend against volumetric attacks
● Use a dedicated and always-on DDoS mitigation appliance
● Implement ingress and egress filtering
● Split services onto different hosts. Don't use a single host as both a DNS server and a web server
● For a home network, contact the ISP and request a dynamic IP address, or use a VPN
Thank you
Questions?
