Blog

Prevention and Detection of DDoS Attacks

Question:

• How do Information Security Analyst Detect and Prevent DDoS (Distributed Denial-of-Service) Attacks from Happening to an Organization?

Introduction

Distributed Denial of Service refers to a form of attack in which zombie computers are directly or indirectly used to flood the targeted server (s) victim by an attacker with large amount of information and choke so as to hinder legitimate users from accessing web servers that host companies’ websites (Yan & Yu, 2015). The infected computers are controlled by the attackers, and these attackers prevent users of the affected computers from accessing online accounts, websites, email and other services that are accessible through the affected computer. The number of cases in which attackers flood networks with information has been increasing, with attackers using spam email messages to initiate the attacks on users email accounts. DDoS attacks are being launched from multiple computer sources against a single target, and this is putting organizational data in the risk of cyber-attacks. Until recently, DDoS have become favorite to hackers unlike the traditional denial of service (DoS) which is launched from a single source. Hackers have preferred DDoS because they have a potential to make a huge impact to a company and that they are easy and less costly to launch (IEEE Communications Magazine). The prevalence to use home and laptop computers with high-speed internet connectivity has expanded the possible source of DDoS. To counter DDoS attacks, information security attacks have initiated various strategies of detecting and preventing DDoS attacks from happening to an organization. The paper will discuss upstream blackholing, system hardening, automated mitigation, bandwidth oversubscription, and third-party provider as the main strategies used by system analysts to prevent attacks from happening to organizations. Also, the papers will discuss data distribution to multiple locations and the use of the content delivery network (CDN) as front door to organizational services as system analyst strategies of defending organizations against DDoS attacks.

The concepts of DoS and DDoS

A DoS attack refers to hackers attempt to exhaust resources available to a network in order to prevent the right user from accessing the server. On the other side, a DDoS attack is launched from numerous host sites simultaneously by the hacker to overwhelm and wear out a system from being accessed by the rightful user (Kumar & Selvakumar, 2013). DDoS attackers target online servers and website or network. The signs of a DDoS attack include server crashing and server services being extremely slow.

Research Questions

The main research question that this paper seeks to address is “How do information security analysts detect and prevent DDoS attacks from happening to an organization?”

This question will be answered using four sub-questions namely:

1. What are the different strategic plans that information security analysts use to prevent and detect DDoS attacks?
2. How do information security analysts recognize different DDoS attacks?
3. How do information security analysts monitor bandwidth on an organization’s network?
4. How do information security analysts choose the right mitigation solution that fits the needs of an organization?

Literature Review

Lenny Zeltser, an information security expert builds innovative endpoint defense mechanisms of preventing DDoS attacks from taking place in an organization. In his innovative works, Lenny Zeltser suggests that building security product management, launching of defense solutions such as VP of products, and the training of organizations on the use of digital forensic incident response mechanisms as the best strategies of preventing Zombi attacks to organizational data. In another case; the founder of information security analysts, Alex Hutton suggests various strategies for preventing DDoS attacks in an organization. Different researchers arguments concur that the best defense against DDoS attacks is a strong planned and implemented defense before an organization is in the middle of halting an attack and restoring its agency services (IEEE Communications Magazine). While the defense mechanisms are costly to organizations, the today’s online business environment has forced businesses budget for it is as a cost of running a business on the internet.

Strategy Plans by Information Security Analysts

Third Party Provider

Information security analysts consider the use of third party service provider as a good strategy for detecting and preventing DDoS attacks from happening to an organization. Third party providers provide complete solutions to clients’ data and computer information through the establishment of built-in protection from DDoS attacks. Recently, fairly large organizations have been hit with DDoS attacks and this has made other big companies fear such monster 300 Gbps attacks. Often, information security analysts in these organizations implement a DNS based redirect service and a BGP- based service to hinder DDoS attackers from hacking their systems. However, information security analyst considers CND providers as the best approach to safeguarding organizational data from hacking. Third party provider offers Cloud Flare’s service, and Akamai has been offering these services to different organizations over a long period of time.

Bandwidth Oversubscription

Information security analysts of organizations advice the management on the importance of having more bandwidth available on the company’s web server than what the company requires. Overprovision of bandwidth is perfect strategies that enable information security analysts to prevent DDoS attacks from happening. The strategy is affordable since as companies expand, the bandwidth expenses drop. Generally, organizations with bandwidth oversubscription lease significantly huge capacities than what they need to account for DDoS attacks and growth. Bandwidth oversubscription makes is difficult for a computer attacker/ hacker to muster sufficient traffic to overwhelm his or her hacking making it ineffective for them to undertake a volumetric attack. System analytics highlight that bandwidth overprovision enables the IT experts of a company act before organizational resources are overwhelmed by the attackers.

System Hardening

Information analysts configure both organizational operating system (OS) and other application to enhance resilience on application layer DDoS attacks. They distribute organizational data in multiple locations to reduce any potential risk of DDoS attack. System hardening is a strategy that information analysts consider to be effective in preventing DDoS attacks from occurring to a company. Information analysts state that system hardening ensures enough inodes to companies’ Linux servers and configures an accurate number of Apache worker threads that make it difficult for attackers to track down the companies’ services. Further, the distribution of data to multiple locations in the computer reduces potential hacking activities by the Zombi. Information system analysts recommend system hardening to organizations given their understanding of how costly is for the companies to seek for internet service provider solutions in the event they get hit by an attack. Prevention and Detection of DDoS Attacks

Upstream Blackholing

According to research published by Akamai in 2015, DDoS are becoming increasingly commonplace. In comparison to 2014, DDoS attacks; the 2015 report by Akamai reported a 180 percent increase in the number of DDoS attacks from 2014 cases. As a result, information system analysts recommend upstream blackholing as one of the right strategies for preventing the DDoS attacks from increasing in today’s commonplace. According to the Akamai information analysts, upstream blackholing establishes various ways in which an organization can filter computer traffic using router blackholing. There are instances where companies have no need of receiving UDP traffic (i.e. DNS and NTP) to their computer infrastructure. In such situations, the companies have their transit providers’ blackhole for this traffic. The Akamai experts argue that the biggest DDoS attacks on organizations are mainly reflected DNS or NTP amplification attacks.

Automated Mitigation

Companies running their own servers must be able to identify the times they are attacks. The proper familiarization with the typical inbound profile of a company’s server enables information analysts to establish whether the website problem is associated with DDoS attacks or not. Having known this, automated mitigation is a perfect strategy for mitigating the attack in the event the organization was found unprepared by the DDoS. Alex Hutton, an information security expert states that there are various tools for monitoring net flow data from routers and other sources of data to determine the traffic baseline. In the events these traffic patterns step out of these zones, DDoS mitigation tools attract traffic to them utilizing BGP to filter out the noise. Clean traffic is passed further into the website hence limiting the instances of DDoS attacks from occurring. Generally, the tools detect volumetric attacks and other insidious attacks such as slowloris hence safeguarding organizational information.

How Information Security Analysts Recognize Different DDoS Attacks

Distributed Denial of Service (DDoS) attacks occur in three ways namely:

1. Volumetric attacks: Volumetric attacks are launched to create congestion on the system by exhausting the bandwidth within of the targeted server network
2. Application of layer attacks: Application of layer attacks are the most deadly DDoS hacking activities which target the application or service at layer -7.
3. TCP State-Exhaustion attacks: These attacks try to consumer connection state cables present in most infrastructure components within an organization such as firewalls, load-balancers, and application servers to the extent of damaging capacity of the server.

The understanding of the categories of DDoS attacks by information security analysts enables them to recognize the different DDoS attacks in various ways as explained below:

Cloud Security Provider

Cloud service providers assist information security analyst in recognizing the type of a DDoS attack on an organization. It is very easy for the information analysts to recognize a volumetric attack in the event it occurs since this attack employs simple amplification techniques. However, when it comes to protocol and application attacks, cloud service providers have to be consulted by the information security analysts to help them understand what type of a DDoS attack has occurred to the organization. In the event, an organization feels the impact of a DDoS attack that also affects the ISP provider, the information system analyst contacts ISP provider in order to detect the DDoS attack and classify it appropriately.

Understanding Company Network

Information system analytics must know the network used by the company in detail. The nature of traffics coming to the company’s website needs to be detected and automatically classified by the information analytics as whether volumetric, protocol or application attacks as per the designed company network (Fighting malicious code). As a result, the information system analytics determine the nature of traffic and predict the nature of the attack automatically using the system networks hint hence installing the right securities instantly.

DDoS Response Teams

Companies assign different information security analysts the roles of responding to different DDoS attacks and threats. This provides companies with first-hand information and hints on the type of DDoS attack given the department that report such an instance to the management. These teams are classified into three to handle the three categories of DDoS threats and attacks to the company information (Fighting malicious code). For instance, DNS response of any concern grabs all records that amplify traffic in the system that is projected to cause harm to the company server, such include A, NS, CNAME, and MX and inflate the size of DNS response packets. Prevention and Detection of DDoS Attacks

How Information Security Analysts Monitor Bandwidth on an Organization’s Network

Based on this assignment, the term bandwidth describes the level of traffic and quantity of data transferable between a company’s website, users, and the internet. Information analysts are tasked to monitor organization’s network bandwidth in different tiers of hosting packages. The increased rates of DDoS attacks necessitate the proper monitoring of networks, systems, and connections- and this is the role of information security analysts Yau et al., 2005). To achieve this objective, information security analysts employ various approaches in endeavors to monitor network bandwidth as explained below;

Router

Information security analysts consider routers as the most accurate approach to monitoring network bandwidth. The main reason behind this reasoning is that all organizational on the network connection to the internet via the routers, and this remains the single point in which bandwidth consumption and transfer of data can be effectively monitored and logged by the information security analysts (Principles of information security). Since data monitoring over an extended period of time might be difficult to an organization, depending on third-party router firmware like DD-WRT is recommended.

Use of GlassWire

Information system analysts use GlaaWire to monitor organizational bandwidth for this provides an excellent firewall application for Windows that work more than just blocking any incoming harmful connections. GlassWire amazingly enables system analysts to monitor company bandwidth usage which is measurable by connection regardless of whether incoming or outgoing and enables them to drill down into individual applications thus enabling them to figure out what exactly is consuming the bandwidth (Whitman & Mattord, 2011). Further, GlassWire assists information system analysts to understand the hosts connected to the company’s application as well as the traffic they are exposing the network and system too.

Remote monitoring

Information security experts use remote monitoring (RMON) RFC 1757 in exchanging network-monitoring information and data through the internet in a manner that is easily tracked from the source to the host for security purposes (Subashini & Kavitha, 2011). RMON enables system experts set alarms that effectively monitor the system and network via a given criterion. The system administrator utilizes RMON to effectively monitor and manage local networks and remote sites from one point to eliminate IP traffic as well as detecting and preventing DDoS attacks.

Netflow RFC 3954 for Instant Visibility

Cisco routers introduced Netflow to assist information security experts’ track and collect IP network traffic in its entry to the interface. The proper analysis of data provided by Netflow, system analysts determine the origin and destination of the perceived traffic, the source of congestion and class of service. Netflow application in the monitoring of organizational bandwidth entails Flow Collection, flow caching and data analysis. Information security analysts benefit from many things when they use Netflow packets in monitoring bandwidth consumption. Such benefits include; ability to track the source and destination of the attack, the number of input and output interface, total flow bytes, flow time stamp, port numbers attacked and many others.

Simple Network Monitoring Protocol (SNMP) RFC 1157 for Alert Notifications

Information security analytics use SNMP application layer protocol in managing the performance of the company’s network, detect the DDoS attacks and generate strategies for solving network problems as well as planning for network growth. Information analytics acquire traffic statistics using passive sensors implemented to the end host from the router (IEEE/ACM Transactions on Networking). Network management systems enable the information security experts to execute applications that enable them to effectively monitor and take control of the company’s data from malicious access by hackers.

How Information Security Analysts Choose the Right Mitigation Solution That Fits the Needs of an Organization

It is important for every company to have a security program that detects and prevents its data and information from DDoS attacks. Companies store different data on their websites and systems, such information may include financial data, customers’ confidential information, and product brand information. The increased cases of DDoS attacks on organizations have made the management hire information security analysts to detect and prevent hacking from taking place in their organizations (Osanaiye, Choo, & Dlodlo, 2016). Choosing the right mitigation solution or strategy that fits the need of an organization requires IS analysts to consider the following questions so as to choose a firewall or solution that perfectly suit the network security needs of the organization:

Does it provide DDoS protection?

DDoS attacks occur frequently to both small and large organizations. In October 2016, a DDoS attack on DNS provider Dyn attacked and knocked many websites down for hours. Hackers are attaching a large amount of malware to botnets something which is making DDoS attacks more potent and significant to companies’ networks. DDoS attacks are launched by attackers without any warning, leaving IS experts unaware of such attacks until a bandwidth functioning reduces.

The most exciting thing is that firewalls help information security experts stop DDoS attacks from occurring if paired with an intrusion detection system for this provides a more advanced solution of mitigating the malicious traffic (Yan & Yu, 2015). Given this understanding, information system analytics choose a firewall whose functioning is able to detect and mitigate DDoS attacks in an organization.

Does the firewall send attack alerts?

IS experts choose firewalls that are able to send alerts on servers about any potential DDoS attacks since once such hacking activities occur, it is easy to mitigate their impacts on the organization’s resource. IS pros consider firewall solutions that are able to send alerts to administrators when DDoS attacks occur. Such alerts remind administrators to check router logs and firewalls on a routine basis (Sitaraman et al., 2014). With this knowledge, IS analytics promptly mitigate an attack before the malpractice shuts down the network and company system.

Do you need remote access?

Working remote has been the rage within the IT industry. The information security experts must block employees from remotely accessing the organizational network data since if this right is granted, it presents network security risks to the company. The IS analysts use VPN to enable firewalls to handle mundane (Chang, 2002). While an organization is able to buy a secondary system or a virtual private network (VPN) solution, a hardware firewall solution that is able to integrate VPNs within the organization’s architecture is cost-effective to the company, hence IS experts make this choice.

Conclusion

Hackers have launched new techniques of bringing down organizational server and networking by flooding it with unreal traffic. DDoS attacks are executed using botnets which are zombie machines and servers. In most times, hackers use phishing emails and other techniques to install malware on remote machines. Unlike DoS, DDoS attacks are launched from various hist sites simultaneously by the hacker to overwhelm and wear out a system and derail users access to the system using the server. Information system analytics and administrators detect an active DDoS attack on organizations’ servers when the server crash or its services becomes to slow such that genuine users feel the lag while attempting to access the web service (Skoudis & Zeltser, 2004). Mostly, internet servers, networks, and websites are targeted by the DDoS attackers. However, IT experts have invented various strategies for detecting and preventing DDoS attacks from happening to an organization. Such strategies include third party service provider, bandwidth oversubscription, automated mitigation, system hardening among others. Further, information system analytics effectively monitor DDoS attacks through routers, GlassWire, remote monitoring among other approaches which help in proper preparedness for the DDoS attacks. Finally, DDoS attacks are increasing and are projected to keep increasing in 2018. Therefore, companies need to establish effective firewalls and other strategies that would help them detect, prevent, and mitigate instances of DDoS attacks to safeguard product, company, and customers’ confidential data from unauthorized access to hackers.

References

• Chang, R. K. (2002). Defending against flooding-based distributed denial-of-service attacks: a tutorial. IEEE communications magazine, 40(10), 42-51.
• Kumar, P. A. R., & Selvakumar, S. (2013). Detection of distributed denial of service attacks using an ensemble of adaptive and hybrid neuro-fuzzy systems. Computer Communications, 36(3), 303-319.
• Osanaiye, O., Choo, K. K. R., & Dlodlo, M. (2016). Distributed denial of service (DDoS) resilience in cloud: review and conceptual cloud DDoS mitigation framework. Journal of Network and Computer Applications, 67, 147-165.
• Sitaraman, R. K., Kasbekar, M., Lichtenstein, W., & Jain, M. (2014). Overlay networks: Anakamai perspective. Advanced Content Delivery, Streaming, and Cloud Services, 51(4), 305-328.
• Skoudis, E., & Zeltser, L. (2004). Malware: Fighting malicious code. Prentice Hall Professional.
• Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of network and computer applications, 34(1), 1-11.
• Whitman, M. E., & Mattord, H. J. (2011). Principles of information security. Cengage Learning.
• Yan, Q., & Yu, F. R. (2015). Distributed denial of service attacks in software-defined networking with cloud computing. IEEE Communications Magazine, 53(4), 52-59.
• Yau, D. K., Lui, J. C., Liang, F., & Yam, Y. (2005). Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles. IEEE/ACM Transactions on Networking, 13(1), 29-42.