Monday, November 12, 2012

Slashdot post: how to deal with a DDoS attack?

A Slashdot reader posted an article about an attack his company recently suffered. The summary is a criminal from Lebanon contacted him asking for a "fee" not to attack, the company initially said no and was taken offline by a DDoS, the company paid and the attack ceased.

A DDoS is an attacked aimed at exhausting a resource: a compute resource (CPU, Memory, HDD space) or a network resource (Router/Firewall CPU or memory, number of sessions, bandwidth). The most important is to understand what your systems are vulnerable too.

For instance, an attacker could perform a DDoS of an application by requesting abnormally long calculations in a loop, let's say computing pi to the 20 billionth decimals. If the system has at its heart only a single application server, it may be busy processing the request while delaying all the other queries. In the same way, the attacker could also request something that's abnormally large, for example generating a picture that is 10 million per 10 milllion pixels.

The most important is to know what you can act upon and what you can: there are things you can change - the architecture of the applications, the way parameters are validated, if you distribute the front-end load across multiple servers and so forth - and things you can't change: the number of sessions coming from the Internet and the rate at which they come in. For the latter, it is important to understand what your business is, who you are doing business with and what level of degradation/loss of service you accept: an american company may consider that dropping all requests from South America, Africa and Asia is acceptable if this helps maintaining its business with the USA, and thus may negotiate with their provider that upon request, an ACL allowing only the networks assigned to the ARIN and RIPE are to go through. Other companies may find this unacceptable and will have to find other solutions, such as geo-location for the access to the application.