We spoke with Mike Paquette of Top Layer Networks regarding denial-of-service attacks and the threat they pose to enterprise networks. Mike has more than 18 years of networking and security experience with an extensive background in the design and development of networking and security products.
What are the most common types of DoS attacks, and what is the most potent?
There are several types of denial-of-service events. The first is an exploit of a vulnerability that causes a service or server to crash. The second is a flood of traffic that clogs up portions of a network. And the third is a flood of specialized traffic that uses up resources on a service or server and causes it to run really slowly.
While any activity that causes a service or server to crash is quite potent, the most common and most damaging attacks are types two and three, since they do not require an underlying vulnerability in a service or server in order to be successful. Even if a system is fully patched, its ability to perform transactions can be negatively impacted or stopped by a type two or type three DoS attack. Type three attacks include methods such as the Ping Flood and the SYN Flood. Denial-of-service attacks that are generated by many computers operating in concert are called distributed denial-of-service (DDoS) attacks.
What kind of impact can a DoS attack have on an enterprise?
In the case of the flood attacks that use up services on a server, the server uses up so much of its memory preparing for communications with the attacker, that it has no more resources left over to carry out transactions. And, therefore, business stops. There are, perhaps, financial losses due to lack of transactions, and there are certainly unhappy customers.
How can a network administrator tell if their organization's network is the source of a DoS attack? How can they stop it?
Security experts recommend both host-based and network-based auditing and protection devices as keys to a good security infrastructure. Monitoring devices such as network analyzers and intrusion-detection systems can detect if your network is the source of an attack. On the host systems, execution of unexpected programs and excessive traffic generation can be detected. On the network, inappropriate patterns of TCP connections can indicate a denial-of-service attack. Intrusion-prevention devices can stop compromised machines on your network from attacking other entities on the Internet.
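As an added illustration of the "inappropriate patterns of TCP connections" mentioned above (example code, not from the interview or Top Layer Networks), the following script scans a constructed connection-table snapshot and flags two patterns: a server accumulating many half-open (SYN_RECV) connections, which is what a SYN flood looks like from the victim side, and an internal host with many connections stuck in SYN_SENT, which is what a compromised machine generating outbound attack traffic looks like. The line format and thresholds are assumptions for the example.

```python
from collections import Counter

# Constructed sample snapshot in a simplified netstat-like format, one
# "<state> <src_ip>:<port> <dst_ip>:<port>" entry per line.
SAMPLE_SNAPSHOT = """\
SYN_RECV 198.51.100.11:40001 192.0.2.5:80
SYN_RECV 198.51.100.12:40002 192.0.2.5:80
SYN_RECV 198.51.100.13:40003 192.0.2.5:80
SYN_RECV 198.51.100.14:40004 192.0.2.5:80
SYN_RECV 198.51.100.15:40005 192.0.2.5:80
SYN_RECV 198.51.100.16:40006 192.0.2.5:80
ESTABLISHED 203.0.113.7:51000 192.0.2.5:80
ESTABLISHED 203.0.113.8:51001 192.0.2.6:443
SYN_SENT 10.0.0.7:33001 203.0.113.50:80
SYN_SENT 10.0.0.7:33002 203.0.113.51:80
SYN_SENT 10.0.0.7:33003 203.0.113.52:80
SYN_SENT 10.0.0.7:33004 203.0.113.53:80
SYN_SENT 10.0.0.7:33005 203.0.113.54:80
SYN_SENT 10.0.0.9:33006 203.0.113.60:443
"""

# Hypothetical thresholds; a real deployment would tune them to the server's
# listen backlog and the link's packet rate.
HALF_OPEN_THRESHOLD = 5
OUTBOUND_SYN_THRESHOLD = 5


def parse_connections(text):
    """Parse snapshot lines into (state, src_ip, src_port, dst_ip, dst_port)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        state, src, dst = parts
        src_ip, _, src_port = src.rpartition(":")
        dst_ip, _, dst_port = dst.rpartition(":")
        conns.append((state, src_ip, int(src_port), dst_ip, int(dst_port)))
    return conns


def half_open_targets(conns, threshold=HALF_OPEN_THRESHOLD):
    """Servers holding at least `threshold` half-open connections (victim side)."""
    counts = Counter(c[3] for c in conns if c[0] == "SYN_RECV")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def outbound_syn_sources(conns, threshold=OUTBOUND_SYN_THRESHOLD):
    """Hosts with at least `threshold` unanswered outbound SYNs (source side)."""
    counts = Counter(c[1] for c in conns if c[0] == "SYN_SENT")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Running both checks periodically against a live connection table turns the two symptoms described above into concrete alerts, which is the host-side complement to the network analyzers and intrusion-detection systems mentioned.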
Can you share any network configuration or device tips to help organizations strengthen their defense against DoS?
Only the simplest DoS attacks can be stopped using traditional security infrastructure elements like firewalls and router ACLs. The best defense you can build into your security infrastructure is an intrusion-prevention system specialized in mitigating DoS and especially DDoS attacks. Scale your network security infrastructure to meet the needs of your Internet connection. Figure out the maximum number of packets per second your Internet connection will allow. Ensure that the first line of defense in your security infrastructure can protect against type two or type three DoS attacks that use up the entire bandwidth of the link.
Will DoS attacks get stronger and smarter in the future, or will they give way to other kinds of attacks?
In the 2003 CSI/FBI report, denial-of-service attacks had the second highest reported dollar losses of all tracked cyber crimes. Until attack mitigation capabilities are widely deployed in security infrastructures, the denial-of-service attack will remain a persistent part of the cyber threat landscape.