A few words about DDoS (Distributed Denial of Service) attacks

Most of my friends in IT are probably aware of what a DoS (Denial of Service) attack is and what a DDoS (Distributed Denial of Service) attack is. For those who are not, this article explains DoS attacks and this one is about DDoS. Recently I worked on one of these scenarios and thought of sharing the experience and some suggestions.

The scenario was that the web servers in a network were under DDoS attack. The admins of the network and the web servers found out about the attack from the events of their monitoring system (an IPS, Intrusion Prevention System), which detected the attack but could not prevent it.

I had a detailed discussion with the admin about the location of the web servers. Most of them were in a DMZ (demilitarized zone) behind a firewall, and most were behind the IPS device as well. Still they were under attack. The difference between an IPS (Intrusion Prevention System) and an IDS (Intrusion Detection System) is that an IPS can take measures to prevent the attack, whereas an IDS only detects it and informs the admins, acting as a monitoring mechanism. I thought it was interesting that the web servers were behind an IPS and were still experiencing a DDoS attack.

The explanation is pretty straightforward. IPS devices are mostly either signature based, anomaly (statistical) based, or both, depending on which features the manufacturer provides. If an IPS is signature based, it won't be effective in a DDoS scenario, since the flood of connection attempts matches no known attack signature. An IPS with anomaly-based protection, on the other hand, can defend against DDoS attacks because it recognizes the abnormal traffic volume itself.

The admin in this case was not sure which type of IPS they had in place, so they wanted help on the web server side. The web servers were running Windows Server 2008 and above. I pointed out that Windows Vista/7/2008 and above have a built-in protection mechanism for such attacks, as explained in this article. Another nice article explains a way to confirm that the attack protection triggers when such an attack is detected; it gives a netsh trace command that lets you see it.

For a quick check on their web server I took a netstat -ano output, shown below, and compared the total number of TCP connections with the number of connections in SYN_RECEIVED state. The SYN_RECEIVED count was less than a hundred, and we know that the maximum number of ports available on the server is 65535. So although they were seeing the attack in action, it had not yet done what it was supposed to do, i.e. denial of service, i.e. making the web server unable to serve on this port.

---------------------------------------------------------------------------------------------
TCP    mydummyIP:80    attackerdummyIP:port     SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP:port     SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP:port     SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP:port     SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP:port     SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP2:port    SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP2:port    SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP3:port    SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP3:port    SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP4:port    SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP4:port    SYN_RECEIVED    PID
TCP    mydummyIP:80    attackerdummyIP5:port    SYN_RECEIVED    PID
---------------------------------------------------------------------------------------------
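
The netstat comparison described above, as an added example in Python that is not from the original post: it parses Windows netstat -ano output (a constructed sample is embedded, with documentation-range addresses that are assumptions rather than the post's placeholders), counts the connections on the web port, and reports how many are stuck in SYN_RECEIVED and from which sources.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -ano` output; the addresses are
# documentation ranges, not the hosts from the post.
SAMPLE_NETSTAT = """
  Proto  Local Address      Foreign Address      State           PID
  TCP    0.0.0.0:80         0.0.0.0:0            LISTENING       1234
  TCP    10.0.0.5:80        203.0.113.7:51234    SYN_RECEIVED    1234
  TCP    10.0.0.5:80        203.0.113.7:51235    SYN_RECEIVED    1234
  TCP    10.0.0.5:80        203.0.113.7:51236    SYN_RECEIVED    1234
  TCP    10.0.0.5:80        198.51.100.9:40001   SYN_RECEIVED    1234
  TCP    10.0.0.5:80        192.0.2.44:6001      ESTABLISHED     1234
  TCP    10.0.0.5:80        192.0.2.45:6002      ESTABLISHED     1234
  TCP    10.0.0.5:3389      192.0.2.10:50000     ESTABLISHED     812
  UDP    0.0.0.0:123        *:*                                  900
"""

# One TCP row: local, foreign, state, pid (UDP rows have no state column and are skipped).
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")

def parse_tcp_rows(text):
    """Return (local, remote_ip, state, pid) for every TCP row in netstat output."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rows.append((local, remote.rsplit(":", 1)[0], state, int(pid)))  # drop remote port
    return rows

def syn_summary(text, local_port=80):
    """Count the half-open (SYN_RECEIVED) backlog on one listening port, as in the post's check.
    LISTENING sockets are not connections, so they are left out of the total."""
    suffix = ":%d" % local_port
    rows = [r for r in parse_tcp_rows(text) if r[0].endswith(suffix) and r[2] != "LISTENING"]
    half_open = [r for r in rows if r[2] == "SYN_RECEIVED"]
    return {
        "tcp_connections": len(rows),
        "syn_received": len(half_open),
        "per_source": dict(Counter(r[1] for r in half_open)),  # spread of attacking sources
    }

if __name__ == "__main__":
    s = syn_summary(SAMPLE_NETSTAT)
    print("connections on :80 = %d, SYN_RECEIVED = %d" % (s["tcp_connections"], s["syn_received"]))
    for ip, n in sorted(s["per_source"].items(), key=lambda kv: -kv[1]):
        print("  %-16s %d half-open" % (ip, n))
```

On a real server, feed it the saved output of netstat -ano instead of the sample; a SYN_RECEIVED count that keeps climbing toward the port limit is the sign that the flood is starting to achieve denial of service.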

Using the netsh command "netsh trace start capture=yes provider=Microsoft-Windows-TCPIP level=0x05 tracefile=TCPIP.etl" I took a trace and looked through it, and I could see the OS's attack protection in place: after receiving such SYN packets for some time, the web server starts dropping them. You will also see that it still responds to some new requests, which is expected, since it has to judge whether each one is a legitimate user or malicious. Apart from that, we ran our internal tools to make sure there was no malware or malicious activity other than the DDoS traffic coming from external sources, which are usually botnets.

Suggestions

Run antimalware (with current, updated signatures) on the servers to make sure there is no malware on them. It is usually better and more efficient to handle such attacks at the network level, using statistical anomaly-based IPS/IDS devices and firewalls, rather than on the servers. In addition, at the network level, scaling up the network bandwidth would be required to deal with such a situation.

Another alternative is transferring the risk of such threats to service providers like Azure and letting them deploy these services for you; they have a much bigger network bandwidth/pipe and security mechanisms in place to deal with such scenarios. This Windows Azure network security whitepaper explains it. Azure CDN is another option as well.

Some interesting third-party reads

https://www.lifehacker.com.au/2013/04/top-ten-lesser-known-facts-about-windows-azure-security/

https://www.gregthatcher.com/Azure/Ch10_StopDenialOfServiceOnAzure.aspx

Following is a quote on this topic from the top IR (Incident Response) expert, the one and only Neil Carpenter:

It's been my opinion that moving to Azure/AWS/Rackspace/etc is the _best_ possible solution. It doesn't matter how much traffic you drop -- a sufficiently motivated attacker can saturate bandwidth on your Internet connection. When they do this, it's not only going to degrade the performance of your website...it's going to degrade the performance of everything that shares that pipe.
You're much better off moving all of the risk and the traffic out to a provider who has the resources to ride out an attack.
If you have a lot of static content, you may also want to consider a CDN like Akamai.