Thursday, August 22, 2013
Defense Against the Dark Arts; DDoS 101
Getting information about “who” is attacking and the motivations behind the attack is why this site was created, with the intent of helping administrators and network defenders take action proactively based on the attacks that are occurring. As the trending reports on this site show, groups such as the Al Qassam Cyber Fighters, the Syrian Electronic Army, and Anonymous have been using DDoS as a weapon to bring attention to the cause du jour. Taken together, these reports show complex efforts that combine DDoS with account compromise, but using traditional SYN and DNS floods and, in many cases, high-volume application-layer attacks that can be filtered. These seem to point to the use of tools such as Low Orbit Ion Cannon (LOIC) and rent-a-botnet services like Zeus and SpyEye. This brings us to the two crucial defense points for attacking the Kill Chain of these types of attacks.
1. Tune your filters. Well-written firewall rules can filter out most traffic from LOIC DDoS attacks and drop packets from suspect IPs. For a list of current suspect botnet servers, see the Harvester IPs on the right side of this blog, which this site provides from Project Honeypot. Filtering out UDP and ICMP traffic helps to address LOIC attacks efficiently, but it requires working with your ISP on upstream filtering, since dropping packets only at your gateway will still let the attack clog the bandwidth between your ISP and your gateway.
2. Consider a dedicated DDoS mitigation appliance. Isolate and remediate attacks with this appliance to cope with both the volumetric and the application-layer forms of this type of attack, and use its syslogs to identify the source. Firewalls and intrusion prevention systems are critical to the mitigation effort, and DDoS security devices provide an additional layer of defense through specialized technologies that identify and block advanced DoS activity in real time. Administrators can also configure their on-premises solutions to communicate with cloud scrubbing service providers to enable automated route-away during an attack. Having a scrubbing service or ‘cleaning provider’ handle large volumetric attacks can maintain sufficient bandwidth to cope with attacks of large size. When faced with DDoS incidents, an organization needs to consider the option of routing its Internet traffic through a dedicated cloud-based scrubbing provider that removes malicious packets from the stream and cleans the network traffic, so that DDoS packets are stopped in the cloud and regular business-as-usual traffic is allowed through.
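The two points above (tuned filters fed by a suspect-IP list, and firewall syslogs used to identify sources) can be tied together in a small triage script. The following is an added example, not code from the original post: it parses iptables-style LOG lines from syslog, flags sources that are on a suspect list or that are flooding UDP/ICMP, and renders the drop and rate-limit rules for an administrator to review. The log lines, the `SUSPECT_IPS` set (a stand-in for the Harvester IPs list), and the `FW-LOG` prefix are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG lines as written to syslog (not real traffic):
# a UDP/ICMP flood from 203.0.113.5, one packet from a listed suspect, and normal TCP/80.
SAMPLE_SYSLOG = """\
Aug 22 10:01:02 gw kernel: FW-LOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=UDP SPT=40001 DPT=53 LEN=1480
Aug 22 10:01:02 gw kernel: FW-LOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=UDP SPT=40002 DPT=53 LEN=1480
Aug 22 10:01:02 gw kernel: FW-LOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=UDP SPT=40003 DPT=53 LEN=1480
Aug 22 10:01:03 gw kernel: FW-LOG: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0 LEN=84
Aug 22 10:01:03 gw kernel: FW-LOG: IN=eth0 OUT= SRC=198.51.100.7 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80 LEN=60
Aug 22 10:01:04 gw kernel: FW-LOG: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=52000 DPT=80 LEN=60
"""

# Constructed stand-in for the Harvester IPs / Project Honeypot suspect list.
SUSPECT_IPS = {"198.51.100.7"}

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+)")

def parse_fw_log(text):
    """Return (src, proto) pairs from iptables-style LOG lines; other syslog lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append((m.group("src"), m.group("proto")))
    return records

def flag_sources(records, suspect_ips, udp_icmp_threshold=3):
    """Sources worth dropping: on the suspect list, or sending >= threshold UDP/ICMP packets."""
    floods = Counter(src for src, proto in records if proto in ("UDP", "ICMP"))
    seen = {src for src, _ in records}
    flagged = {src for src, n in floods.items() if n >= udp_icmp_threshold}
    flagged |= seen & set(suspect_ips)
    return sorted(flagged)

def render_rules(sources, chain="INPUT"):
    """Per-source drop rules, emitted as text so they can be reviewed before being applied."""
    return [f"iptables -I {chain} -s {src} -j DROP" for src in sources]

def render_protocol_limits(chain="INPUT", pps=50):
    """Rate-limit UDP/ICMP instead of dropping it outright, so DNS replies and ICMP errors still work."""
    return [
        f"iptables -A {chain} -p udp -m limit --limit {pps}/second -j ACCEPT",
        f"iptables -A {chain} -p udp -j DROP",
        f"iptables -A {chain} -p icmp -m limit --limit {pps}/second -j ACCEPT",
        f"iptables -A {chain} -p icmp -j DROP",
    ]

if __name__ == "__main__":
    flagged = flag_sources(parse_fw_log(SAMPLE_SYSLOG), SUSPECT_IPS)
    print("\n".join(render_rules(flagged) + render_protocol_limits()))
```

The gateway rules only stop the packets at your edge, so the flagged list is also what you would hand to the ISP for upstream filtering, as point 1 notes.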
Getting specific reporting from raw log data for clues about these attacks is still a challenge; however, there are multiple methods that can be used to present a harder target to would-be attackers.
Labels: Musings