DDOS or DOS Attacks


DDOS or DOS Attacks – Can you really prevent them?

Let us face the truth: DDOS or DOS attacks cannot be prevented.

Here is a metaphorical story…

John Doe owned a small restaurant, “My Little Hut”, which had a serving/seating capacity of 60 people at 9 tables.

Tom Cat had been John Doe’s business partner for a few years, but they separated, supposedly amicably. Tom held a secret grudge against John but never showed it; he wanted to grind John Doe’s restaurant business to dust.

Tom Cat, being a popular person, had many devoted groupies. He ordered 3000 of them to go to “My Little Hut” and stand in line as soon as the restaurant opened, get seated at a table, wait for the server, peruse the menu, spend some time idling and drinking water, and after a while leave without ordering anything.

“My Little Hut”’s 30-40 legitimate customers were also in this line of 3000, but they never got a chance to eat at the restaurant and were denied service. Denial of Service accomplished.

How can John Doe mitigate this attack the next time Tom Cat wants to pull the same stunt? Realistically he cannot, but he can try to reduce its impact on the business.

Various methods to mitigate DOS attacks are mentioned on the internet.

The first is IP filtering / fencing / firewalling, etc.

Metaphorically, continuing the above example, John had a list of his known customers’ IDs, a “White List”. He employed security guards, and as soon as anyone joined the line the guards checked their ID against the “White List” and threw them out of the line if their ID was not on it. Checking an ID against the “White List” took, say, 15 seconds, so John employed more security guards to handle the 3000 in parallel. John kept detailed logs of the rejected IDs and created a “Black List”.

This worked for some time but had an undesired side effect: legitimate customers were also thrown out if they forgot to carry their ID, and brand new legitimate customers could not enter at all. John started a new registration counter where new legitimate customers registered their IDs in the “White List” and could then join the restaurant waiting line. Once Tom realized this, he gathered more groupies and sent another 3000 to the registration counter, which became overwhelmed with registration requests. John employed more staff to handle the registration process, and the war went on…

The second method is distributing the load or increasing the bandwidth, also called service point / server over-provisioning or redundancy.

In the above example, John opened a side door, stationed his security guards there, and had already told his legitimate registered customers to use the side door if the regular door was too busy or closed during regular business hours. This too worked only for some time, because Tom started sending his 3000 rogue groupies to the side door as well. So John borrowed from banks and opened ten new restaurants in the same area, sharing a common kitchen. John’s customer base remained pretty much the same, but his expenses skyrocketed.

John could have simply shut down the restaurant as soon as the 3000 stood in the restaurant line or the registration line, but that would have meant that John’s customers could not use the restaurant either, and Tom’s DOS attack would have succeeded.
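The two mitigations above (a white/black list with a registration counter, and over-provisioning) can be played through in code. The following is an added example written for this page, not code from the original post: a toy request gate where `seats` is the serving capacity, `allowlist` is the “White List”, `blocklist` is the “Black List”, and the registration counter is a rate-limited path for unknown IDs. All IDs and the arrival stream are constructed for illustration.

```python
"""Added example, not from the original post: a toy request gate modelled on
the "My Little Hut" story. `seats` is the serving capacity (the story's 60),
`allowlist` is the "White List" of known customer IDs, `blocklist` is the
"Black List", and the registration counter is a rate-limited path for unknown
IDs. All IDs and arrival streams are constructed for illustration."""
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class Gate:
    seats: int                  # serving capacity
    allowlist: set              # known customer IDs ("White List")
    reg_per_window: int         # registration counter throughput per window
    window: int                 # window length in abstract time units
    blocklist: set = field(default_factory=set)    # "Black List"
    seated: set = field(default_factory=set)
    _reg_times: deque = field(default_factory=deque)
    log: list = field(default_factory=list)

    def _register(self, cid, now):
        """Registration counter: at most reg_per_window newcomers per window."""
        while self._reg_times and now - self._reg_times[0] >= self.window:
            self._reg_times.popleft()
        if len(self._reg_times) >= self.reg_per_window:
            return False                # counter overwhelmed
        self._reg_times.append(now)
        self.allowlist.add(cid)         # newcomer is now on the "White List"
        return True

    def arrive(self, cid, now):
        """Return the verdict for ID `cid` arriving at time `now`."""
        if cid in self.blocklist:
            verdict = "blocked"
        elif cid in self.allowlist or self._register(cid, now):
            if len(self.seated) < self.seats:
                self.seated.add(cid)
                verdict = "seated"
            else:
                verdict = "full"        # on the list, but no table free
        else:
            verdict = "rejected"        # unknown ID, registration counter busy
        self.log.append((now, cid, verdict))
        return verdict


def simulate(gate, arrivals):
    """Feed (time, id, is_legit) arrivals through the gate; count verdicts per group."""
    outcome = {"legit": Counter(), "flood": Counter()}
    for now, cid, legit in arrivals:
        outcome["legit" if legit else "flood"][gate.arrive(cid, now)] += 1
    return outcome


def run_scenario(seats, reg_per_window, use_allowlist=True, window=10):
    """Constructed traffic: 3000 groupies at t=0, then 30 known and 10 new
    legitimate customers. Returns the per-group verdict counts."""
    known = [f"cust-{i:02d}" for i in range(30)]
    newcomers = [f"new-{i}" for i in range(10)]
    groupies = [f"groupie-{i:04d}" for i in range(3000)]
    gate = Gate(seats=seats, allowlist=set(known) if use_allowlist else set(),
                reg_per_window=reg_per_window, window=window)
    arrivals = ([(0, g, False) for g in groupies]
                + [(1, c, True) for c in known]
                + [(2, n, True) for n in newcomers])
    return simulate(gate, arrivals)


if __name__ == "__main__":
    print("allowlist + rate-limited registration:", run_scenario(60, 20))
    print("no allowlist, 60 seats:", run_scenario(60, 10**6, use_allowlist=False))
    print("no allowlist, over-provisioned:", run_scenario(3100, 10**6, use_allowlist=False))
```

Running the three scenarios reproduces the story’s lessons: with the white list and a rate-limited registration counter the 30 known customers are all seated, but the counter’s slots are consumed by the first 20 groupies and every genuine newcomer is turned away; without a white list, 60 seats are simply filled by the flood and all 40 legitimate customers see “full”; over-provisioning only helps once capacity exceeds flood plus legitimate load (3100 seats here), which is exactly the “expenses skyrocketed” outcome.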

Now John has hired Sherlock Holmes and Hercule Poirot to figure out who is behind these attacks. He has given them the detailed logs of IDs. Let us see what these two geniuses can infer from the detailed logs.

Most of the other methods described in various internet sources are forensics or postmortem analyses, and these are important. Since one cannot really be 100% shielded from a DOS/DDOS attack, strategies and workflows should be established to minimize the impact on the business.
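As an added illustration of the postmortem step (not code from the original post), here is what John’s detectives might compute from the “detailed logs of IDs”: sessions that held a table and left without ordering, and time buckets where arrivals spike far above the usual rate. The log format (`time id event`), the ID names and every line of the sample log are constructed for this example.

```python
"""Added example, not from the original post: what John's detectives might
compute from the "detailed logs of IDs". The log format (time, id, event) and
every line in it are constructed for illustration, not taken from any system."""
import re
from collections import Counter, defaultdict
from statistics import median

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(arrive|order|leave)$")


def build_sample_log():
    """Constructed sample: 6 regular diners spread over t=0..45 who all order,
    plus 40 'groupies' who arrive together in t=10..13, idle, and leave
    without ordering (the behaviour described in the story)."""
    lines = []
    for i in range(6):
        t = i * 9
        lines += [f"{t} cust-{i:02d} arrive",
                  f"{t + 3} cust-{i:02d} order",
                  f"{t + 20} cust-{i:02d} leave"]
    for i in range(40):
        t = 10 + i % 4
        lines += [f"{t} groupie-{i:04d} arrive", f"{t + 6} groupie-{i:04d} leave"]
    return "# time id event\n" + "\n".join(sorted(lines, key=lambda l: int(l.split()[0])))


def parse_log(text):
    """Parse 'time id event' lines; skip blanks and comments, reject garbage."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def sessions(events):
    """Per-ID map of event -> first time it was seen."""
    per_id = defaultdict(dict)
    for t, cid, ev in events:
        per_id[cid].setdefault(ev, t)
    return per_id


def idle_sessions(per_id, min_stay=5):
    """IDs that held a table for at least min_stay units and never ordered."""
    return sorted(cid for cid, ev in per_id.items()
                  if "arrive" in ev and "leave" in ev and "order" not in ev
                  and ev["leave"] - ev["arrive"] >= min_stay)


def arrival_bursts(events, bucket=5, factor=4):
    """Time buckets whose arrival count exceeds factor x the median bucket."""
    counts = Counter((t // bucket) * bucket for t, _, ev in events if ev == "arrive")
    baseline = median(counts.values()) if counts else 0
    return sorted(b for b, n in counts.items() if baseline and n > factor * baseline)


def investigate(text):
    """Run both checks over a log; returns the suspect IDs and burst buckets."""
    events = parse_log(text)
    per_id = sessions(events)
    idle = idle_sessions(per_id)
    return {"idle": idle, "bursts": arrival_bursts(events),
            "idle_share": len(idle) / len(per_id) if per_id else 0.0}


if __name__ == "__main__":
    report = investigate(build_sample_log())
    print(f"{len(report['idle'])} idle sessions, bursts at t={report['bursts']}, "
          f"idle share {report['idle_share']:.0%}")
```

The two signals are deliberately behavioural rather than identity-based: an ID list alone is what the white/black lists already use, whereas “sat down, never ordered, left” and “forty arrivals in a window that normally sees one” describe the pattern of the stunt itself, which is what a postmortem needs in order to draft the next round of rules.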

External Links:

https://en.wikipedia.org/wiki/Denial-of-service_attack

https://www.cisa.gov/uscert/ncas/tips/ST04-015

https://us.norton.com/internetsecurity-emerging-threats-dos-attacks-explained.html#

