When DDoS Attacks Become Personal

If you were a parent hit by the Hannah Montana scandal, in which scalpers, armed with programs that would buy large numbers of tickets at lightning fast speeds, stole tickets to be resold later, or if you were a baseball fan trying to get your tickets to the World Series games only to be disheartened when you read three horrible words “Internal Server Error” you understand the power of the DDoS.

The DDoS, or DoS (drop the Distributed) if it’s executed by just one person from one computer, is an increasing threat as we do more and more of our commerce online. Attackers also use the DDoS to find other vulnerabilities that only show themselves when servers are under high load.

DDoS attacks can come in two flavors, legitimate and illegitimate. Legitimate DDoS’s happen when many, many users try to access information or a resource on a server at the same time, for instance when tickets first go on sale for a concert. Illegitimate DDoS’s occur when attackers take over the machines of hundreds or thousands of unsuspecting users through the use of Viruses, Worms and spyware. Then when called upon these infected computers can focus their processing cycles, and more importantly, their bandwidth to take down their target.

We know that the scalpers attempting to get at the precious Hannah Montana tickets were using programs specially designed to grab tickets from the servers as quickly as possible, but it’s difficult to say whether or not the ticket servers for the World Series were under an external attack or not. Since this is one of the biggest events of the year, millions of potential buyers is a reasonable number to hit the live servers. What isn’t difficult to say, however, is that there are hackers out there waiting to use this opportunity to steal innocent baseball fans’ personal information.

In the heat of the moment of buying tickets that you know you may have only one chance to buy, people may forget to look for the SSL lock to ensure they’re talking to who they think they are. So this frenzy really opens the user up to some serious phishing and Man in the Middle attack vectors. If users can reasonably expect that they will have more than one chance at these tickets they can take their time on each page and take care to look for signs of phishing. SSL lock, proper URL, etc.

The DDoS is largely an arms race between the hackers that take control over machines through malware and the server administrators trying to keep their machines up and running under the spike in load. It’s is a good way for an attacker to get his foot in the door to find other security vulnerabilities. Much like a friend who has tried hard to get rid of an accent when he speaks, but it creeps back in when he’s tired or stressed, computer systems tend to show serious signs of weaknesses when under a similar type of load.

People are starting to really hold the administrators of these site’s feet to the fire in situations like this, and that’s great because largely the change has to come from their end. The better use of CAPTCHA images is great, but ultimately there needs to be a more sophisticated defense. Application security, while the server is under load, needs to be tested by third party assessors to verify the security of the system and to verify the system is ready for such load.

So what are the fixes for such an attack, malicious or otherwise? Here’s a quick list that can help you to secure your systems against the DDoS:

• Use proper logging systems – Techniques such as log throttling, write only logs, and using log servers can strengthen the retroactive security of a system. After a possible DDoS attack has occurred the company will no doubt want to investigate the attack. An investigation is only possible if the correct level of logging has been used. Too much and the logs will quickly become filled, which could be the reason for the DoS in the first place. Too little and the logs will be worthless because they don’t contain enough information to catch the criminal.
• Redundancy and Load Balancers – It is estimated that Google is able to serve 200 Million requests per day (that’s more than 2,300 requests per second), they do this through redundancy.  Having great load balancers, firewalls and enough redundant servers behind them to deal with the load will help withstand the amount of traffic we all hope to have.
• Security from within – DoS attacks leverage problems with the software that can bring a server to its knees. This type of attack targets infinite loops, buffer overflows, and other crashing bugs in software to stop a server from responding with a single request. Building your software with security and reliability in mind will help to make sure this can’t happen to your software.

• Good Security Audits – a good third party security audit will help make sure that your software can withstand the barrage of request at high load times, but also helps make sure that the server doesn’t show further signs of weakness when load is high, such as not being able to load necessary encryption or logging libraries.

— Joe Basirico