4

Every time the anonymous group targets a website, they are able to take it down.. even for large corporates / governments with professional.

I read (basic theory) about dealing with normal DDOS attack, with DDOS protection techniques.

But why do these techniques fail in case of Anonymous group attacks?

Is there any success stories about surviving through a really good organized DDOS attack?

Yousf
  • 229
  • 1
  • 5
  • 13

6 Answers6

6

It's not true that anonymous always succeed. And there's nothing unique about anonymous - just clever and high-volume attacks.

(Hope anonymous won't target me for saying that :)

From BBC article: Pro-Wikileaks activists abandon Amazon cyber attack:

The group Anonymous had pledged to attack the site (Amazon) at 1600 GMT, but have since changed their plans, saying they did not have the "forces".

The problem is that there's no technique that can make sure that you'll handle DDOS. The only way is to have servers and bandwidth that can handle any possible load and that's plainly expensive.

Sandman4
  • 4,045
  • 2
  • 20
  • 27
5

Most mechanisms to identify and mitigate attacks like anonymous attacks are well known, and most Anti-DoS products and services can deal with them with high rates of success. However, sometimes organizations and enterprises do not have a tuned or updated protection policies. Furthermore, I was amazed to discover that many of them do not have Anti-DoS protection at all, neither by product nor by service.

Anonymous usually use well known tools. There is no reason that a local SOC/NOC or service provider's SOC/NOC will not be able to block their attacks. The question is whether detection and blocking are accurate enough without false positives of blocking legitimate traffic as well. As the consequence of that is a successful DoS/DDoS...

In general there are three paths of dealing with DDoS/DoS attacks:

  1. Having enough resources (bandwidth, servers, etc) - not realistic option as attack volume can exceed the bandwidth you have and the cost of having unlimited computation power is huge.
  2. 'Renting' Security Service Provider services - a good solution, depends on the specific provider's capabilities. However, you should note that most MSSP work with scrubbing centres in Out-of-Path mode. This means they rely in many cases on traffic analysis protocols, such as NetFlow, to identify the attacks. While this option works swell with DDoS or large volumetric attack, it cannot identify low and slow attacks. You can overcome this limitation if you are ready to make the call yourself to the MSSP once you detect problems with the traffic yourself. Another limitation of "scrubbing centres" approach is that usually only one direction of the traffic is inspected.
  3. Having your own Anti-DoS solution, installed inline. Though sometimes more expensive, this option will provide you the best security as scanning attempts brute-force attempts and many other security threats can be dealt by an inline device. Inline device is effective as long as the attack's volume doesn't exceed your pipe bandwidth. Working in inline mode guarantees detection of low and slow attack, and even intrusions, depends on the equipment you want to use.

As you can see, there is no clear answer to the question, as it depends on many parameters, budget is only one of them. The quality of the service or product is a significant aspect as well - - Can it generate 'real-time' signatures for accurate mitigation without affecting legitimate traffic? reducing the false-negative ratio? - Does it include a behavioural learning and detection modules? or Does it use only rate-based thresholds? - Does it include authentication options (for HTTP/DNS and other protocols)? again for reducing the chances of false negative. - Does it include an action escalation mechanism, a closed feedback option that can automatically use more aggressive mitigation actions based on the success of the current mitigation action taken? - What is the mitigation rate the service/product can offer, regardless of the legitimate traffic rates. - Does the product include a 24/7 emergency service? (most MSSPs have it, not all products)

Cheers,

Ziv Ichilov
  • 66
  • 1
1

Traffic Scrubbing services from companies like Verisign, Prolexic and others are the most effective way to protect yourself unless you have the money to spend on a hardware solution like Arbor or Rio Rey.

cdmaniac
  • 11
  • 1
1

It depends greatly on the type of traffic that you're serving, but there are a number of ways to mitigate. (I'm going to assume Web sites.) A relatively simple and inexpensive way to solve this is by putting Varnish (or another http cache) in front of your web servers. This will reduce the number of traffic hits that make it to your web and app servers greatly. Also, using a product like HAProxy as a load-balancer can help somewhat by managing the distribution of your http traffic to your servers.

There are DDOS-preventing measures available, but are going to be expensive. I know that if you are using Rackspace for hosting, they have a product offering called Preventier (which I know to be expensive.)

It could also be worth your time to leverage Akamai (or similar CDN) to host your content, which will also solve this problem, but typically has a high dollar-cost.

As in all things, a risk vs reward analysis must be performed, but you must keep in mind that beyond your service availability, you're also essentially paying for your brand's reputation.

NOTE: I say inexpensive for Varnish and HAProxy because, while they are Free/Open-Source, it does have a cost in engineer-hours to implement and support. Note that this is true of any solution, but these have a zero-dollar licensing cost.

gWaldo
  • 11,887
  • 8
  • 41
  • 68
  • well it seems that preventing it will cost more than the attack itself.. Most probably I will just shutdown the server until they change their mind :D – Yousf Nov 08 '11 at 18:55
  • That's not uncommon, sadly, but I highly recommend running your sites behind Varnish anyway. Caching is good. – gWaldo Nov 08 '11 at 21:24
0

Well, it's very difficult. That's the whole point of ddos. You have one million PC computers sending request to your website at the same time. What is it the firewall should do?

Most important bit would to keep the traffic out of your system. Dunno where you have your servers but if keep your servers at your office you should get a limiting firewall at your ISP's place. this would keep the traffic away from your limited incoming cable.

If the limiting factor is the web server you can set up a linux computer before the web server to do filtering based on the source IP address. Allow only certain number of IPs to access the web server at one time and as soon as the transfer is over block the IP and give the slot to next requester. This way your server never exceeds it's capacity.

Using Squid accelerator here would be great help. This cuts down the concurrent number of connections and processes and frees the web server resources faster in addition to caching static content.

Antti Rytsölä
  • 651
  • 4
  • 9
-3

You cannot limit yourself to one group of attackers. Most groups including the Anonymous group would use a BotNet. This would come from a large range of IP's so you cannot just ban that range.

The only way to minimise (NOT STOP as this is near imposable) is to keep on-top of your security. So updates are maintained, your firewall is checked for vulnerabilities. Security is a very specialised subject and shouldn’t be dismissed. You need to be starting at your firewall and making sure every device / connection is secure. And also that users are educated about security and not to get Malware etc on their PC’s (They could be used to DDOS someone else)

Zapto
  • 1,824
  • 6
  • 23
  • 39
  • I don't think security has much to do with DDOS. A secure system doesn't help much with a giant wall of traffic flowing in – TheLQ Nov 11 '11 at 17:45