Friday, November 27, 2015

How to survive anonymous DDOS attack?




Every time the Anonymous group targets a website, they are able to take it down... even for large corporates / governments with professional.

I read (basic theory) about dealing with a normal DDoS attack, with DDoS protection techniques.

But why do these techniques fail in the case of Anonymous group attacks?

Are there any success stories about surviving a really well-organized DDoS attack?



Answer



Most mechanisms to identify and mitigate attacks like the Anonymous attacks are well known, and most Anti-DoS products and services can deal with them with high rates of success.
However, sometimes organizations and enterprises do not have tuned or updated protection policies. Furthermore, I was amazed to discover that many of them do not have Anti-DoS protection at all, neither by product nor by service.

Anonymous usually use well-known tools. There is no reason that a local SOC/NOC or a service provider's SOC/NOC will not be able to block their attacks. The question is whether detection and blocking are accurate enough, without false positives that block legitimate traffic as well, as the consequence of that is a successful DoS/DDoS.



In general there are three paths for dealing with DDoS/DoS attacks:

  1. Having enough resources (bandwidth, servers, etc.) - not a realistic option, as the attack volume can exceed the bandwidth you have, and the cost of having unlimited computation power is huge.

  2. 'Renting' Security Service Provider services - a good solution, depending on the specific provider's capabilities. However, you should note that most MSSPs work with scrubbing centres in Out-of-Path mode. This means they rely in many cases on traffic analysis protocols, such as NetFlow, to identify the attacks. While this option works well with DDoS or large volumetric attacks, it cannot identify low-and-slow attacks. You can overcome this limitation if you are ready to make the call to the MSSP yourself once you detect problems with the traffic yourself. Another limitation of the "scrubbing centres" approach is that usually only one direction of the traffic is inspected.

  3. Having your own Anti-DoS solution, installed inline. Though sometimes more expensive, this option will provide you the best security, as scanning attempts, brute-force attempts and many other security threats can be dealt with by an inline device. An inline device is effective as long as the attack's volume doesn't exceed your pipe bandwidth. Working in inline mode guarantees detection of low-and-slow attacks, and even intrusions, depending on the equipment you want to use.



As you can see, there is no clear answer to the question, as it depends on many parameters; budget is only one of them. The quality of the service or product is a significant aspect as well:
- Can it generate 'real-time' signatures for accurate mitigation without affecting legitimate traffic, reducing the false-negative ratio?
- Does it include behavioural learning and detection modules? Or does it use only rate-based thresholds?
- Does it include authentication options (for HTTP/DNS and other protocols)? Again, to reduce the chances of false negatives.
- Does it include an action escalation mechanism, a closed feedback option that can automatically use more aggressive mitigation actions based on the success of the current mitigation action taken?
- What is the mitigation rate the service/product can offer, regardless of the legitimate traffic rates?
- Does the product include a 24/7 emergency service? (Most MSSPs have it, not all products.)



Cheers,
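The answer above makes two detection points that are easy to see in code: an out-of-path, NetFlow-style view works on aggregate packet rates and therefore misses low-and-slow attacks that an inline device, which sees per-connection state, can catch; and a learned behavioural baseline adapts to the site's normal traffic where a single rate threshold does not. The following Python is an added example written for this page; it is not code from the question, the answer, or any vendor product. The flow record layout, the sample traffic, and every threshold (5,000 pps, mean plus three standard deviations, ten connections, 20 bytes/s, 30 s) are my own constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One exported flow record (constructed; the field names are my own)."""
    window: int        # one-minute export interval the flow was seen in
    src: str
    dst_port: int
    packets: int
    bytes: int
    duration_s: float  # how long the connection stayed open


WINDOW_LEN = 60  # seconds per export interval (assumption)


def make_traffic():
    """Constructed sample traffic, not captured data: seven one-minute windows."""
    flows = []
    clients_per_window = [280, 320, 300, 300, 300, 300, 300]
    for w, n in enumerate(clients_per_window):
        # ordinary web clients: one short request each, 40-46 packets
        for i in range(n):
            flows.append(Flow(w, f"10.0.{i // 250}.{i % 250}", 80, 40 + i % 7, 45_000, 2.0))
    # window 3: volumetric flood, 200 sources at 8,000 packets each
    for i in range(200):
        flows.append(Flow(3, f"198.51.100.{i}", 80, 8_000, 600_000, 60.0))
    # windows 4-5: low and slow, 20 sources each holding 25 near-idle connections
    for w in (4, 5):
        for i in range(20):
            for _ in range(25):
                flows.append(Flow(w, f"203.0.113.{i}", 80, 2, 200, 58.0))
    # window 6: moderate flood, 50 sources at 2,000 packets each
    for i in range(50):
        flows.append(Flow(6, f"192.0.2.{i}", 80, 2_000, 150_000, 60.0))
    return flows


def packets_per_second(flows, port=80):
    """Out-of-path, NetFlow-style view: aggregate packet rate per window."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst_port == port:
            totals[f.window] += f.packets
    return {w: totals[w] / WINDOW_LEN for w in sorted(totals)}


def fixed_rate_alerts(pps, threshold_pps):
    """Rate-based threshold: one static number, typically tuned to the pipe size."""
    return {w for w, rate in pps.items() if rate > threshold_pps}


def learned_rate_alerts(pps, learning_windows, k=3.0):
    """Behavioural baseline: alert above mean + k * stddev of a learning period."""
    sample = [pps[w] for w in learning_windows]
    threshold = mean(sample) + k * pstdev(sample)
    return {w for w, rate in pps.items()
            if w not in learning_windows and rate > threshold}


def low_and_slow_alerts(flows, min_conns=10, max_bps=20.0, min_duration_s=30.0):
    """Inline, connection-state view: many long-lived, near-idle connections
    from one source. The total packet rate stays low, so rate checks never fire."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[(f.window, f.src)].append(f)
    alerts = defaultdict(set)
    for (w, src), conns in per_src.items():
        if len(conns) < min_conns:
            continue
        avg_duration = mean([c.duration_s for c in conns])
        avg_bps = mean([c.bytes / c.duration_s for c in conns])
        if avg_duration >= min_duration_s and avg_bps <= max_bps:
            alerts[w].add(src)
    return dict(alerts)


if __name__ == "__main__":
    flows = make_traffic()
    pps = packets_per_second(flows)
    for w, rate in pps.items():
        print(f"window {w}: {rate:9.1f} pps")
    print("fixed 5000 pps threshold flags  :", sorted(fixed_rate_alerts(pps, 5_000)))
    print("learned baseline (win 0-2) flags:", sorted(learned_rate_alerts(pps, [0, 1, 2])))
    print("low-and-slow sources per window :",
          {w: len(s) for w, s in low_and_slow_alerts(flows).items()})
```

Run as a script, the fixed threshold flags only the large flood in window 3, the learned baseline also flags the moderate flood in window 6 that stays under 5,000 pps, and neither rate check says anything about windows 4 and 5, where the 20 low-and-slow sources are only visible through the per-connection duration and byte rate that an inline device has and a flow-rate export does not. The learning period must be clean traffic; a baseline learned during an attack would just make the attack look normal.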

