2

Cross-posted to Quora

Today several financial institutions in Israel (banks, the stock exchange) were DDOSed. They decided to block all foreign IPs as a first-aid measure.

While I agree that it was possibly the best thing to do as a first-aid measure, I was really surprised it was necessary. Don't banks and large institutions like the Tel Aviv Stock Exchange have "serious enough" DDOS protection?

How much would it cost to implement protection against DDOS attacks? I know there is a range of possible DDOS attacks, from silly SYN attacks to more serious application-level DDOS. I'm interested in how much it would cost to protect against each of these (just trying to understand why it wasn't implemented well in advance in this case).

ripper234
  • In theory, attackers could compromise machines within Israel, making the entire block worthless. – narkisr Jan 16 '12 at 22:31
  • @narkisr - not nearly as many machines as they could compromise abroad. Blocking the IP range can significantly reduce the effects of a DDOS. – ripper234 Jan 17 '12 at 10:05
  • See also http://www.quora.com/Why-did-major-Israeli-banks-and-financial-institutes-close-access-to-connections-from-abroad – ripper234 Jan 17 '12 at 10:05
  • 1
    Why do you assume the web applications of banks are particularly high quality? – CodesInChaos Jan 18 '12 at 11:14
  • 1
    @CodeInChaos - I assume they have a relatively high business profile (revenue/transaction volume), and so have a high motivation of both being attacked and protecting against attacks. – ripper234 Jan 18 '12 at 12:01

2 Answers

4

Protection against DDOS is, on a general basis, pretty much impossible. Normal operation of a server is to handle clients, doing some computation when a request is received. A DDOS is... just that. The difference between the normal situation, and a DDOS, is that the "clients", in the latter case, are not interested in the result returned by the server, since the clients happen to be mindless zombies. "Being interested" is not a concept which lives in the abstract world of computation.

So the strategies for dealing with DDOS are a combination of:

  • Trying to detect zombies based on "usage patterns" (assuming that a zombie involved in a DDOS will behave in a way which is distinctively different from a "normal user" -- this involves quite a lot of faith in Mankind).
  • Having the clients invest some computational effort, such that the server can verify that work has been performed, with much less effort.

The first strategy is a psychological hide-and-seek between attackers and defenders, and we can expect roughly the same kind of success as for antispam -- i.e. good against amateur attackers, bad against determined attackers. The second strategy is an ongoing research subject, but there is nothing widely deployed in existing software. That's one trouble with Web servers: they cannot ask for anything that existing Web browsers do not already know how to do.

Thomas Pornin
  • I'm not buying it. There are various anti-DDOS mechanisms - starting from the network level, and upward to serving captchas to all visitors from certain class C subnets. It's all a function of cost of attack vs cost of defense. Cost to buy hardware, implement security practices, architect your web app correctly, deploy more servers. – ripper234 Jan 16 '12 at 22:19
  • See also http://www.quora.com/DDoS-Distributed-Denial-of-Service/How-do-sites-like-Quora-Facebook-Yelp-handle-DDoS-attacks – ripper234 Jan 16 '12 at 22:22
  • And http://security.stackexchange.com/questions/114/what-techniques-do-advanced-firewalls-use-to-protect-againt-dos-ddos In any case, there are ways to defend ... perhaps not "total defense", but then again the attacker is not "the ultimate attacker" as well. – ripper234 Jan 16 '12 at 22:25
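The two strategies the answer above lists can both be shown in a few dozen lines. The following is an added example, not code from the original answer or from any product: the first half flags sources by "usage pattern" (a per-IP sliding-window request rate over constructed Apache-style log lines), the second half is a client puzzle where the client must find a counter that makes SHA-256(nonce || counter) start with a given number of zero bits, so the client spends about 2^bits hashes and the server spends one to check. The log lines, the threshold of 20 requests per 10 seconds and the difficulty values are all assumptions chosen for illustration.

```python
import hashlib
import os
import re
from collections import defaultdict, deque
from datetime import datetime

# ---- Strategy 1: detect "zombies" by usage pattern (request rate per source) ----
# Constructed sample log in Apache combined-log style; not from any real server.
# 10.0.0.5 fires 30 requests in 3 seconds, 10.0.0.7 browses at a human pace.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [16/Jan/2012:10:00:{s:02d} +0200] "GET /login HTTP/1.1" 200 512'
     for s in range(3) for _ in range(10)]
    + [f'10.0.0.7 - - [16/Jan/2012:10:00:{s:02d} +0200] "GET /page{s} HTTP/1.1" 200 2048'
       for s in (0, 7, 15)]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')


def flag_abusive_sources(log_text, window_s=10, threshold=20):
    """Return the set of source IPs that made more than `threshold` requests
    inside any sliding window of `window_s` seconds. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps (epoch seconds) still inside the window
    flagged = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # skip unparsable lines instead of crashing on garbage
        ip, stamp = m.group(1), m.group(2)
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()           # drop requests that fell out of the window
        if len(q) > threshold:
            flagged.add(ip)
    return flagged


# ---- Strategy 2: client puzzle (proof of work) ----
# The server hands out a random nonce and a difficulty; the client must find a
# counter such that SHA-256(nonce || counter) starts with `bits` zero bits.

def issue_challenge(bits=16):
    """Server side: a fresh nonce so solutions cannot be precomputed or replayed."""
    return os.urandom(16), bits


def leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()


def _digest(nonce, counter):
    return hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()


def solve_puzzle(nonce, bits):
    """Client side: brute-force a counter. Returns (counter, hashes_tried)."""
    counter = 0
    while leading_zero_bits(_digest(nonce, counter)) < bits:
        counter += 1
    return counter, counter + 1


def verify_solution(nonce, bits, counter):
    """Server side: a single hash decides whether the client did the work."""
    return leading_zero_bits(_digest(nonce, counter)) >= bits


if __name__ == "__main__":
    print("flagged sources:", flag_abusive_sources(SAMPLE_LOG))
    nonce, bits = issue_challenge(16)
    counter, tried = solve_puzzle(nonce, bits)
    print(f"client tried {tried} hashes, server verified with one:",
          verify_solution(nonce, bits, counter))
```

The rate detector shares the weakness the answer describes: a botnet that paces each zombie below the threshold looks like many slow legitimate users. The puzzle does not depend on telling the two apart, but a real browser will only solve it if the server can ship the solver (e.g. as JavaScript), which is the deployment gap the answer points out.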
2

The cost will vary, but carrying out effective DDoS mitigation isn't a huge investment. As discussed in David's answer over on the question you linked to, various providers now offer this service, which is a partnership between the organisation and the mitigation partner or ISP.

As the service uses alternate routes, rapid changing of route tables and multiple points of presence, it is more expensive than a single connection, but not dramatically more expensive than other resilience packages.

Standard DoS mitigation is even easier, with most modern routers/switches/firewalls providing protection against SYN floods etc.

Rory Alsop
  • 1
    I don't see any way to effectively mitigate a DDoS apart from getting more/bigger web and application servers, which sounds problematic. A botnet with millions of zombies is hard to distinguish from a million legitimate users. – CodesInChaos Jan 18 '12 at 11:11
  • The commercial DDoS mitigation providers are actually very good at distinguishing botnets from users in most cases by traffic patterns and load. – Rory Alsop Jan 18 '12 at 12:45
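The SYN-flood protection the answer above mentions is usually SYN cookies: the server encodes everything it needs into the SYN-ACK sequence number instead of allocating a half-open connection entry, and only allocates state when an ACK comes back with a valid cookie. The block below is an added illustration of that scheme, not code from the original answer or from any firewall or kernel; the MSS table, the bit layout (5 bits of time counter, 2 bits of MSS index, 24 bits of HMAC), the 64-second interval and the secret are assumptions chosen for the example, and it works on plain Python values rather than real packets.

```python
import hashlib
import hmac
import struct

# Constructed parameters for illustration; real implementations use their own
# MSS table, hash and bit layout.
MSS_TABLE = (536, 1300, 1440, 1460)     # 2 bits encode which MSS the client offered
TIME_BITS, MSS_BITS, MAC_BITS = 5, 2, 24
INTERVAL_S = 64                          # time counter ticks about once a minute
MAX_AGE_INTERVALS = 2                    # accept cookies minted in the last ~2 minutes
TIME_MASK = (1 << TIME_BITS) - 1
MSS_MASK = (1 << MSS_BITS) - 1
MAC_MASK = (1 << MAC_BITS) - 1


def _mac(secret, saddr, daddr, sport, dport, t):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_mss, now):
    """Build the SYN-ACK sequence number. The server stores nothing for this SYN."""
    t = (now // INTERVAL_S) & TIME_MASK
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            mss_idx = i                  # largest table entry not above the client's MSS
    return (t << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) | _mac(secret, saddr, daddr, sport, dport, t)


def check_cookie(secret, saddr, daddr, sport, dport, cookie, now):
    """Validate (ack_seq - 1) from the client's ACK. Returns the recovered MSS, or None."""
    t_now = (now // INTERVAL_S) & TIME_MASK
    t = (cookie >> (MSS_BITS + MAC_BITS)) & TIME_MASK
    age = (t_now - t) & TIME_MASK        # modular, so the counter may wrap
    if age > MAX_AGE_INTERVALS:
        return None                      # stale or replayed cookie
    if (cookie & MAC_MASK) != _mac(secret, saddr, daddr, sport, dport, t):
        return None                      # forged cookie or wrong 4-tuple
    return MSS_TABLE[(cookie >> MAC_BITS) & MSS_MASK]


class Listener:
    """Stateless SYN handling: memory is allocated only when a valid ACK arrives."""

    def __init__(self, secret, addr, port):
        self.secret, self.addr, self.port = secret, addr, port
        self.established = {}            # (saddr, sport) -> mss; the only per-connection state

    def on_syn(self, saddr, sport, client_mss, now):
        return make_cookie(self.secret, saddr, self.addr, sport, self.port, client_mss, now)

    def on_ack(self, saddr, sport, ack_seq, now):
        cookie = (ack_seq - 1) & 0xFFFFFFFF
        mss = check_cookie(self.secret, saddr, self.addr, sport, self.port, cookie, now)
        if mss is not None:
            self.established[(saddr, sport)] = mss
        return mss


if __name__ == "__main__":
    server = Listener(b"constructed-secret", bytes([192, 0, 2, 1]), 443)
    now = 1_000_000
    # A flood of SYNs from spoofed sources leaves no state behind.
    for i in range(100_000):
        server.on_syn(bytes([10, (i >> 16) & 255, (i >> 8) & 255, i & 255]), 1024 + (i % 60000), 1460, now)
    print("half-open entries after 100k SYNs:", len(server.established))
    # A real client completes the handshake and gets its connection entry.
    client = bytes([10, 0, 0, 5])
    seq = server.on_syn(client, 40000, 1460, now)
    print("handshake completed with MSS:", server.on_ack(client, 40000, (seq + 1) & 0xFFFFFFFF, now + 1))
```

On Linux the kernel switches to this behaviour under pressure when `net.ipv4.tcp_syncookies` is enabled, which is why a plain SYN flood is the cheap end of the spectrum the question asks about; the trade-off is that TCP options that do not fit in the cookie are lost for cookie-accepted connections.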