Protective measures against denial-of-service (DoS) attacks

Posted date 26/01/2018

Autor

Alejandro Fernández Castrillo

Denial-of-service attacks are a type of cyber-attack which consists on reducing or cancelling altogether the capacity of servers or other computing resources to provide service. A denial-of-service attack can occur in different scenarios, such as overloading online services by mass request sending or exploiting vulnerabilities of programs or services in order to suspend function totally or partially. In most of such attacks, attackers use a wide range of techniques and tools to hide their identities, which makes it especially challenging to find the culprits.

Such attacks are almost invariably a significant challenge for the attacked party, since not only it prevents potential clients from accessing their services, but also employees may also be denied access service management resources to act on the system and try to thwart the incident or mitigate its consequences.

In order to deter all such risks, as well as the economic losses and loss of reputation it entails for your company, it is important to be prepared for any such incident and take all necessary measures to avoid being a victim of such attacks.

In some cases, such attacks are perpetrated by means of using several source devices, i.e. requests made to target services come from a large number of different devices which may even be geographically separated. This type of attack is called distributed denial-of-service attack (DDoS attack) and is usually carried out with the help of botnets.

In previous publications the main types of DoS attacks were described, as well as how attacks may be classified depending on the OSI model layer which is affected, such as the application layer, or the infrastructure layers, which corresponds to the grouping of transport layer and the network layer in the OSI model.

Undoubtedly, DoS attacks may appear insurmountable due to the fact that they take advantage from countless vulnerabilities in Internet protocols or even make the victims feel helpless when their systems are attacked. However, these attacks may be deterred or buffered by taking a series of control and preventive measures which will allow to prevent damages.

When implementing the relevant measures to prevent DoS attacks, the different vectors which are used to perpetrate such attacks must be considered.

Network protective measures

The first vector where a security layer may be implemented is the network infrastructure, since it is the entrance path to provided services. When online services use a corporate network, one of the first measures that need to be considered is installing a router between this corporate network and the Internet Service Provider (ISP), so that security layers such as an access control list (ACL), which regulates network access based on requesting IP addresses, and/or a firewall, may be easily implemented. Often, this router is provided by the ISP, but this is not always so, or the relevant security measures may not be always implemented. In this case, it is necessary to install an internal additional router in our network, which may be used as a firewall and which allows to implement the necessary security measures.

Besides, if online services are hosted on external hosting servers, VPS or dedicated servers, the protective measures offered by the router and described in the above paragraph must be implemented virtually, that is, as server services, or with the help of the provider set-up panels. Besides, the default preventive measures implemented by the provider throughout their network must be assessed and consulted.

It is also advisable to have sufficient bandwidth, both in your own system and provided by our service provider. This will help to thwart DoS attacks of the ICMP Flood, among others. If it is not possible to increase bandwidth, it is advisable to implement a content delivery network (CDN) since it may be a fairly efficient solution when a large volume of requests are received and services are provided to areas which are geographically apart. A content delivery network or CDN is a network whose servers are located in geographically separated areas and are exact copies of one another. This helps to provide a quick response to web requests, increases capacity of cache memory and reduces system overloading thanks to the resulting total increase of bandwidth. Using a CDN is one of the most efficient measures against large denial-of-service attacks by bandwidth overload.

Another possible measure is to implement a reverse proxy pointing to several servers in our network which are an exact copy of the services we intend to provide. In this way, it is possible to balance the number of requests received by a server by distributing them among other servers with the same functionalities; consequently, this prevents the service from being overloaded. This set-up offers additional advantages, such as providing your website with failover capabilities or a cache memory, which would decrease response times of the service.

It is also possible to run the different services offered by a network from different devices, i.e. use different servers for mail services or web services, the latter being run in a demilitarized zone (DMZ) in your network.

Lastly, if online services are offered only to a specific geographic area, such as a country, measures can be implemented as to only allow requests from this specific area to access the provided services. All requests from IP addresses belonging to other countries shall be considered as potential attackers and blocked. If you fall victim to a distributed denial-of-service attack (DDoS attack), only the botnets in the country to which access is granted may make requests. This may protect your service from being affected, since a botnet is formed by computers from all the world and the botnet members located in the area to which access is granted may be just a few.

Infrastructure protective measures

Another approach is protecting infrastructure, which consist of servers and other network devices, such as routers or switches.

In such devices, it is necessary to verify software status regularly. If software is not automatically updated, the software version on each device must be the most recent version capable of solving any detected security problem or vulnerability. Some DoS attacks are carried out by exploiting device security failures. For this reason, it is important to visit the manufacturer's official website and be up to date to any new releases.

Deactivate all unnecessary server ports when the server is exclusively intended for hosting web services. If this is the case, ports 80/TCP or 8080/TCP for HTTP requests, or 443/TCP for HTTPS requests must be open. If DNS services need to be hosted, ports 53/TCP and/or 53/UDP may be open. Besides, it is advisable to cancel all unused services in order to avoid any potential exploitation of such services.

If Windows servers are used, it is advisable to set up certain registers as SynAttackProtect and other related registers, such as TcpMaxPortsExhausted or TcpMaxHalfOpen which control the TCP/IP in order to prevent SYN Flood attacks. These solutions are designed for Windows, but there are similar solutions for Linux such as SYN-Cookies, SYN-Cache and SYN-Proxy. This type of solutions, due to their processing requirements, is advised to be installed in a separate device from the server which hosts the main service.

When setting up a server to host your website, it is necessary to implement new security measures, such as a firewall. For web servers, it is advisable to implement, besides a regular firewall, a Web Application Firewall, which is specialised in controlling, filtering and monitoring all connections to your website, and blocking them when considered malicious. There are hardware WAFs and software WAFs.

Characteristics of Web Application Firewalls:

This type of firewalls may be installed directly in the server used as such or in any other as long as it is integrated in your network. This choice is important. It must be considered that WAFs consume device processing capabilities, since they must process received requests according to predefined rules before delivering them to the web servers. Therefore, in the event of an attack, if the WAF service fails or is degraded, your website may also fail or be degraded.
There is another manner to use WAFs to ensure networks security, and it is to find a provider which offers remote (cloud) WAFs. Their architecture is designed so that the hired company deploys the WAF in their own servers, and directs and processes web service traffic to their server before redirecting it to your server free of threats. Among others, this service is provided by Akamai, CloudFlare and Sucuri.
Besides blocking denial-of-service (DoS) attacks, WAFs are also capable of detecting and blocking attacks such as Cross-Site Scripting or SQL injection.

The above paragraphs show that sometimes WAFs are a simple, appropriate solution, with the additional benefit that they may be used with a semi-automatic set-up, since this type of service has a basic set-up which is usually enough to protect web services against DoS attacks. In any case, it is advised to define personalised set-up rules in order to adapt the relevant WAF to your infrastructure and therefore to obtain a better level of protection using the potentiality of WAFs to the fullest.

As stated above, a sub-type within denial-of-service attacks are distributed denial-of-service attacks (DDoS), which are generally carried out with the help of botnets. The OSI tool will help you verify whether any of the servers in your network belongs to one of these distributed networks used for criminal purposes which are key to such attacks, and to help avoid being included in an activity whose sole purpose is obtaining money through extortion.

Web applications protective measures

When designing protective measures for web applications, it is important to consider several cybersecurity-related aspects which will increase your system's resilience and therefore your client's trust in your services.

Most times, denial-of-services attacks intended for web applications are not perpetrated by means of overloading the system, saturating the service or eating up all available bandwidth but by exploiting vulnerabilities in your applications. Consequently, the first and foremost security rule is to install any recently released security update as soon as possible and to solve any security problem detected in the application used in your web. If your application has been specifically developed, audits must be conducted in order to identify and solve any security problems.

Besides, it is highly advisable to have a CAPTCHA system on your website forms. These systems will avert any automatized attack which is intended to be carried out through these forms.

In web applications with privacy requirements, that is, in those web applications which directly or indirectly collect personal data it is compulsory to use a TLS protocol in order to ensure confidentiality in data transmission though the web. Even if your website does not use private data, it is nonetheless advisable to consider using TLS, taking into account that an additional computing processing is needed to implement this protocol, and that a request overload may lead to a denial of service in our system. If this is necessary in many services, it is advisable to establish a limit for simultaneous connections which require the use of such protocol.

If you are already under a denial-of-service (DoS) attack on your websites which takes advantage of a vulnerability found in the application, a solution designed not to discontinue service altogether is to set up your system to display a static version of your website, showing basic information such as your telephone number, e-mail address or physical address, so you may be contacted despite the attack, besides some other relevant content which does not need much processing to be displayed.

Etiquetas