After yesterday's blog post, "Partnering with criminals", in which I recommended that enterprises earning a significant portion of their revenue from the internet consider partnering with criminals to protect themselves from a denial of service attack, I received a number of phone calls and emails.
One phone call was from a friend who works with credit unions on the east coast of the US. He told me that he had recently and personally witnessed a denial of service attack against a credit union. The attack came from Japan and effectively shut down the credit union for 24 hours. The criminal incentive for the attack was that the criminals emailed fake notices to the credit union's customers letting them know the site was down and then recommending that customers click on a link to confirm their login information. This was therefore a combined denial of service and phishing attack. I was told that it was only after Homeland Security got involved that the site was able to recover from the attack, 24 hours later.
In an email I received, I was asked that, instead of recommending that enterprises partner with criminals, I should be telling blog readers what steps to take to protect themselves.
I believe that most medium-sized enterprises are at risk from a distributed denial of service (DDoS) attack because, on their own, they cannot do much to thwart a sophisticated recursive denial of service attack. The answers to stopping or mitigating this form of attack lie further upstream of the victim's servers.
To illustrate this, please refer to the ICANN Security and Stability Advisory Committee's SSAC Advisory SAC008, "DNS Distributed Denial of Service (DDoS) Attacks", March 2006. This is an excellent document that outlines how a reflective denial of service attack works, followed by specific recommendations on how to mitigate or prevent these attacks.
The document notes that attacks exceeding 7 gigabits per second have been documented. Since the report was written, I have read that attacks exceeding 12 gigabits per second have been documented.
The report then proceeds to make a number of recommendations. They include:
"Respected security organizations and advisory groups worldwide [1, 18] encourage name server operators to adopt measures to disable open recursive DNS and to protect their infrastructures against DDoS attacks. SSAC joins these organizations and makes the following recommendations:

Recommendation (1): For the long term, SSAC recommends that the most effective means of mitigating the effects of this and numerous DoS attacks is to adopt source IP address verification.

Recommendation (2): SSAC specifically recommends that each ROOT and TLD name server operator should:

i. Document operational policies relating to countermeasures it will implement to protect its name server infrastructure against attacks that threaten its ability to offer service, give notice when such measures are implemented, and identify the actions affected parties must take to have the measures terminated.

ii. Respond faithfully and without undue delay to all questions and complaints about unanswered traffic, and

iii. Act with haste to restore service to any blocked IP address if the owner of that IP address can demonstrate that it has secured its infrastructure against the attack.

Recommendation (3): SSAC recommends that name server operators and Internet Service Providers consider the possible remedies described in Section 3 of this Advisory. In particular, SSAC urges name server operators and ISPs to disable open recursion on name servers from external sources and only accept DNS queries from trusted sources to assist in reducing amplification vectors for DNS DDoS attacks."
The report also makes a number of specific recommendations for ISPs and name server operators, including:
* Source address validation, as per BCP 38 and RFC 2827
* Secure configuration of DNS servers
* Disabling open recursive DNS
* Implementing blocking and filtering
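To make the "disable open recursive DNS" recommendation concrete, the BIND named.conf fragments below show the open-resolver setting next to a restricted one. This is an added example, not text from the SSAC advisory or from this post; the network prefixes are placeholders for an enterprise's own ranges, and the three options blocks are alternatives for separate servers, not one file.

```conf
// Added example, not from the SSAC advisory or from the post's author.
// Network prefixes are placeholders for the enterprise's own ranges.

// --- Weak: an "open recursive" resolver ---------------------------------
// With recursion enabled and no allow-recursion restriction, BIND answers
// recursive queries from anyone on the Internet, so the server can be used
// as a reflector and amplifier in the attacks the advisory describes.
options {
    recursion yes;          // no allow-recursion => open to the world
};

// --- Corrected: recursion only for the enterprise's own clients ---------
// (internal resolver; put this named.conf on the inside-facing host)
acl "internal" {
    10.0.0.0/8;             // placeholder: internal client networks
    127.0.0.1;
};

options {
    recursion yes;
    allow-recursion   { internal; };  // recursive service only for internal clients
    allow-query-cache { internal; };  // do not hand cached answers to outsiders
    allow-query       { any; };       // zones this server is authoritative for stay public
    // Response Rate Limiting (BIND 9.9+) blunts whatever amplification remains
    rate-limit {
        responses-per-second 10;
    };
};

// --- Corrected: the Internet-facing authoritative server does not recurse --
// (separate named.conf on the external DNS host, keeping internal and
// external DNS apart as the post suggests)
options {
    recursion no;
    allow-query { any; };
};
```

After reloading, confirm the change from an address outside the internal ACL: a recursive query for a name the server is not authoritative for should be refused rather than answered.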
The challenge is that most enterprises are not their own ISP. So, while there are some things enterprises can do, such as restricting their own recursive servers and keeping their internal DNS separate from their external DNS server, these steps will not stop a DDoS attack.
Enterprises that are concerned about this type of attack must work very closely with their ISP and with the DNS and network providers upstream of the ISP. Enterprises such as Microsoft, the US Federal Government and large commercial banks have done this to mitigate the risk of a DDoS attack.
My point is that most enterprises do not control the upstream infrastructure and are therefore at very high risk of a DDoS attack. Further, the size of these attacks is capable of bringing down much of the upstream infrastructure with the victim. For a business that relies upon the internet for a significant portion of its revenues, this means that if the enterprise cannot influence its ISP and the other providers upstream of that ISP, there are not many alternatives other than partnering with criminals to wave a bigger stick over the attackers' heads than the few weak limbs the enterprise currently holds in its hands.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com