The company CTO sighed after looking over his logs. Clearly, his company's Web servers had been the victim of a DDoS (distributed denial of service) attack, and his servers had been able to handle the extra load, but the router that gave him Internet access had not. For six minutes of the 15-minute attack, his Web servers were inaccessible.
Unfortunately, there wasn't much the CTO (we're not going to identify his company for obvious reasons) could do then, and there's not much he can do now. The cleverly designed DDoS attack looked like real traffic, but for that 15-minute period, traffic was orders of magnitude above the usual.
The CTO couldn't do anything because the traffic looked exactly like normal Web request traffic -- the requests came from different IP addresses. But they were all asking for the same page, and it was more than the router could handle.
My first thought when I talked to the CTO was that this was a job for a firewall with the ability to filter out DDoS attacks. These devices use specific fingerprints to tell what constitutes an attack versus what's simply a lot of traffic. But after looking at the logs, the CTO didn't think there was any way to differentiate these requests from legitimate traffic. In his opinion, such a firewall probably wouldn't have worked in this case.
Is he right? Can't the DDoS detectors in today's firewalls identify such attacks and respond appropriately?
Right now, we don't know for sure because that's one test we haven't performed. These firewalls handle bogus packets just fine, but we haven't tried floods of packets that appear legitimate. When I checked on a couple of firewalls with anti-DDoS capabilities, it wasn't clear that they had a way to handle this particular scenario.
So we'll have to test this capability in our future firewall reviews. But in the meantime, what can you do? Unfortunately, not much. The CTO who told me about the attack is about to implement a new load-balancing approach that he thinks will reduce such a DDoS attack's likelihood of success. But he'll have to wait until the next one to know for sure.
You can take some steps. Monitor the activity on your routers and servers carefully, so that you'll immediately know when a DDoS attack -- or any other kind of attack, for that matter -- begins. A little judicious traffic management might keep your Web site running during an attack, albeit at reduced performance. Maybe you can check the patterns of the traffic and determine where the traffic is coming from.
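The monitoring the column recommends can be made concrete. The individual requests in the attack described above are indistinguishable from legitimate ones, but the aggregate is not: one page, a request rate orders of magnitude above that page's normal rate, and a large number of distinct source addresses. The following is an added example, not code from the column or from the unnamed company; it parses Common Log Format web server lines, buckets them into one-minute windows, learns a per-page baseline from the median window, and flags windows where a single page is hit at many times its baseline by many different sources. The log lines are constructed inline for the example (the `10.0.x.x` and `192.0.2.x` addresses and the `/index.html` and `/about.html` paths are made up); the thresholds `ratio=10` and `min_sources=20` are assumptions an operator would tune to their own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def window_stats(lines, window_seconds=60):
    """Per fixed time window and per path: request count and set of distinct source IPs."""
    stats = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "sources": set()}))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole analysis
        epoch = int(rec["time"].timestamp())
        window = epoch - epoch % window_seconds
        cell = stats[window][rec["path"]]
        cell["requests"] += 1
        cell["sources"].add(rec["ip"])
    return stats


def per_path_baseline(stats):
    """Median requests per window for each path.

    The median is used because a short flood (a few windows) barely moves it,
    whereas a mean would be dragged up by the very event we want to detect.
    """
    series = defaultdict(list)
    for window in stats:
        for path, cell in stats[window].items():
            series[path].append(cell["requests"])
    n_windows = len(stats)
    # A path absent from a window saw zero requests in it; pad so medians are comparable.
    return {path: median(counts + [0] * (n_windows - len(counts)))
            for path, counts in series.items()}


def find_floods(stats, ratio=10, min_sources=20):
    """Flag (window, path) cells where one page's rate is >= ratio x its baseline
    AND the requests come from at least min_sources distinct addresses.

    The distinct-source condition separates a distributed flood (many addresses,
    one target page) from a single misbehaving client, which is handled differently.
    """
    baseline = per_path_baseline(stats)
    alerts = []
    for window in sorted(stats):
        for path, cell in stats[window].items():
            expected = max(baseline[path], 1)  # never divide/compare against a zero baseline
            if cell["requests"] >= ratio * expected and len(cell["sources"]) >= min_sources:
                alerts.append({
                    "window_start": datetime.fromtimestamp(window, timezone.utc).isoformat(),
                    "path": path,
                    "requests": cell["requests"],
                    "distinct_sources": len(cell["sources"]),
                    "baseline": expected,
                })
    return alerts


def make_sample_log():
    """Constructed sample input: four quiet minutes (six requests each, split across two pages),
    then one minute in which 200 different addresses all fetch /index.html."""
    start = datetime(2003, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []

    def add(ip, t, path):
        lines.append(f'{ip} - - [{t.strftime(fmt)}] "GET {path} HTTP/1.0" 200 512')

    for minute in range(4):
        for i in range(6):
            t = start + timedelta(minutes=minute, seconds=i * 10)
            add(f"10.0.{minute}.{i + 1}", t, "/index.html" if i % 2 == 0 else "/about.html")
    flood_start = start + timedelta(minutes=4)
    for i in range(200):
        t = flood_start + timedelta(milliseconds=i * 300)  # spread across the fifth minute
        add(f"192.0.2.{i + 1}", t, "/index.html")
    return lines


if __name__ == "__main__":
    for alert in find_floods(window_stats(make_sample_log())):
        print(alert)
```

Two caveats worth keeping in mind when running something like this in production. First, an alert fires only after the window closes, so a one-minute window gives at best one minute of warning; shorter windows react faster but produce noisier baselines. Second, this tells you that a flood is under way and which page it targets, which is the information the column says is needed to begin traffic management; it does not by itself tell you which individual requests to drop, because, as the CTO observed, each one looks legitimate on its own.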
Unfortunately, none of these are good solutions. Right now, the right kind of attack, planned and executed in a sophisticated manner, can succeed despite all of the cool technology we throw at it. Fortunately, future solutions will likely handle these scenarios. Then the greater challenge begins: finding the technology that will keep you a step ahead of the bad guys.