
Protection from denial of service attacks

Today, businesses rely on Internet connectivity to communicate, collaborate and conduct various forms of commerce in more and more ways as the global populace embraces the Internet as a mainstream medium. With this growth in Internet usage came a growth in Internet-based businesses, from e-retailers to subscription-based services to information providers to businesses whose business is providing the very connectivity that makes the Internet such a flexible and exciting medium.


Businesses that offer access and connectivity to the Web benefit from the ubiquity of the Internet by reaching new customers regardless of geographic location. They are able to realize economies of scale by provisioning resources to these customers. At the same time, providers face a number of additional challenges brought on by opening the “access” door. Common problems--like spam, viruses and bandwidth constraints--can negatively affect resource availability, network performance and overall customer satisfaction. These are some of the constant security hurdles that service providers face and continuously work against in order to deliver a quality product to their customers and to remain in operation.

While spam, viruses and bandwidth constraints are common problems for any business in 2004, service providers’ unique reliance on the Internet pushes their negative impacts to extremes. With the spread of the Internet as a mainstream medium, sometimes a more lethal threat enters the equation--a direct cyber attack on a service provider with the intention of destroying the business, its reputation, and the internal systems and resources that it relies on to exist.

The most common cyber assault is a denial of service (DoS) attack. These types of attacks are often fairly simple in nature, but deadly in their abilities. According to the 2003 CSI/FBI Computer Crime and Security Survey, the second most expensive computer crime among survey respondents was denial of service, with a cost of $65,643,300. DoS attacks come in a variety of flavors--SYN Floods, UDP Floods, NB-Gets, ICMP Ping Floods and UDP Fragment Attacks--each with its own unique ability to debilitate a server or network.

The typical hosting service provider has seen firsthand what havoc a direct DoS attack can wreak. Many have automated billing processes and instant access to customer-managed, dedicated servers. Moreover, many service providers have customers that rely on their server capacity for their own businesses, reselling server space to end-users. Through trial and error, most hosting service providers create homegrown systems to successfully protect themselves from attacks. 

But every service provider comes across that day when a new challenge shows them that they need better protection: an attack that cripples business operations. Perhaps it comes from an online message board they host--an explicit threat, like a disgruntled posting made for the purpose of hurting the service provider. By disrupting the network to try to make customers leave, the threats are aimed at tarnishing the reputation of the service provider. Some service providers dismiss these threats, while others take preventative measures. However, sometimes those postings are really warnings, and soon after the posting, an attack begins, often targeting specific servers that directly impact customers. Many times, these threats and attacks can be handled with proprietary systems already created by service providers internally, but there comes a time when the technical expertise of others in the security field can lend support.

The success of the service provider model rests directly on its ability to provide access to its servers--this access also serves as the critical success factor for the majority of customers that resell server space. When a targeted DoS attack takes down servers, it triggers significant downtime that negatively impacts both revenues and productivity. It is essential for service providers to figure out how to mitigate these DoS and Distributed DoS (DDoS) attacks as well as the future attacks that are sure to grow in complexity and intensity.

There are a number of technical solutions out there to consider, from hardware to software, broad security suites to niche technologies. However, it is critical to ensure that solution requirements focus on the ability to operate effectively in complex networks and perform at very high speeds--common requirements for any hosting provider. The reality is that the majority of vendors aren’t up to the challenge for a variety of reasons, with many of them:

  • Offering products that were not built for the purpose of effectively protecting against DoS/DDoS attacks

  • Offering products that will not perform at required levels

  • Requiring a number of different products to accomplish the task

  • Touting performance levels that are far above what their products can realistically do

  • Requiring long installations; not understanding or sharing any sense of urgency

It is important to consider network topology when selecting and testing a solution, and place the solution where it is most needed--whether it is protecting internal server farms or on the network perimeter, alleviating stress on service providers’ firewalls.

In the hosting service provider model, the phrase “time is money” is truer than in most industries, so what is needed is a methodical but quick installation of intrusion prevention technology to protect from the network threats that service providers face on a daily basis. With a proper evaluation of test and performance data, on-site product demonstrations, further evaluation and test results validation, service providers can be confident that a solution will work and protect critical online assets from these threats--without negatively impacting network performance.

One example of implementing an intrusion prevention system shows the IPS being implemented inline, behind multiple routers and in front of the key operational servers responsible for customer interactions--the specific targets of the continual attacks. The ability to observe the network in "Monitor Mode" also enabled the service provider to spend time running through various filters prior to turning the product on to "Mitigate" mode. The provider then conducted further testing, including basic throughput observations together with various attack types against both test systems and actual servers. Using probes during these tests to monitor that issues were being addressed and to determine how network traffic was affected was key to the solution’s success in defeating the DoS attacks and returning to normal, optimal network operation.
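The monitor-then-mitigate rollout described above can be rehearsed offline before a filter is enforced. The following is an added example, not code from the article or from any vendor product: the `SynRateFilter` class, its thresholds and the traffic sample are all constructed for illustration, and the addresses are documentation ranges.

```python
from collections import Counter, defaultdict, deque

class SynRateFilter:
    """Hypothetical per-source SYN rate limit over a sliding window."""
    def __init__(self, max_syns, window_ms, mode="monitor"):
        self.max_syns, self.window_ms, self.mode = max_syns, window_ms, mode
        self.seen = defaultdict(deque)      # src -> timestamps of recent SYNs
        self.would_drop = defaultdict(int)  # src -> SYNs over the limit

    def handle(self, ts, src, flags):
        """Return True if the packet is forwarded."""
        if flags != "S":                    # only bare SYNs are rate-limited
            return True
        q = self.seen[src]
        while q and ts - q[0] >= self.window_ms:
            q.popleft()                     # expire SYNs outside the window
        q.append(ts)
        if len(q) <= self.max_syns:
            return True
        self.would_drop[src] += 1
        return self.mode == "monitor"       # monitor: count it, still forward

def constructed_traffic():
    """Constructed one-second sample: (ts_ms, src, tcp_flags)."""
    pkts = [(i * 5, "203.0.113.9", "S") for i in range(200)]    # flood source
    pkts += [(i * 33, "198.51.100.7", "S") for i in range(30)]  # busy NAT gateway
    pkts += [(t, "192.0.2.10", f) for t, f in [(100, "S"), (150, "A"), (400, "S")]]
    return sorted(pkts)

def replay(filt, pkts):
    """Feed packets through the filter; return forwarded count per source."""
    forwarded = Counter()
    for ts, src, flags in pkts:
        if filt.handle(ts, src, flags):
            forwarded[src] += 1
    return forwarded

if __name__ == "__main__":
    pkts = constructed_traffic()
    for limit in (20, 50):                  # tune the limit while only observing
        f = SynRateFilter(limit, 1000, "monitor")
        replay(f, pkts)
        print(f"monitor limit={limit}: would drop {dict(f.would_drop)}")
    f = SynRateFilter(50, 1000, "mitigate")
    print("mitigate limit=50: forwarded", dict(replay(f, pkts)))
```

With the tighter limit, the monitor pass shows that the legitimate gateway would also lose connections, which is the kind of finding that observing before enforcing is meant to surface.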

From the first contact to final installation (see final installation diagram below), the process took less than 10 days, and the service provider is now benefiting from protection against the DoS attacks that caused so much damage and lost revenue.

For Internet service providers, time is money and customers move quickly when they are unsatisfied with their hosting service. With DoS attacks on the rise in 2004, it’s important to ensure proper protection mechanisms. In addition to the right technology solution, it is critical to partner with a vendor that understands and appreciates the uniqueness of each business and has the responsiveness to meet the growing challenge of DoS threats. As a service provider facing a connected world of continuous threats, you don’t have to go through it alone.

Randy Williams is the CTO of EV1Servers and may be reached at randy@ev1.net. Abhay Joshi is the senior director of business development at Top Layer Networks and may be reached at ajoshi@toplayer.com.

© 2012 Penton Media Inc.
