On December 8, 2010, a group of hackers launched DDoS (distributed denial of service) attacks against the Visa and Paypal web servers and also on a Swedish Government website. The attacks were successful and the services offered by all these sites were severely disrupted. If major corporations, who operate in a multi-national environment, couldn't prevent these attacks can the UK Government stop such an attack on one of its web services?
Well, the simple answer is no, or maybe "probably not." To understand why this could be so we need to consider what a DDoS attack is and how it differs from a DoS (denial of service) attack. Then we can consider what could be done to mitigate it.
Computers are marvelous things that have made work infinitely easier, more interesting and quicker (at least most of us think this). Unfortunately they do have limitations, many of which are hidden to the ordinary user. One of these limitations is the maximum number of simultaneous connections, 65535, that can be made to a Windows based PC/server. This is an interesting limitation as it provides the basis for DoS (denial of service) attacks. If a hacker, or group of hackers, can sustain 65535 concurrent sessions to a server then they will deny that service to anyone else. Generally speaking there are two types of DoS attacks; ones that are intended to crash the system, such as the "ping of death," and ones that are intended to flood the system with requests for resources, such as bandwidth, processor time, disk space, etc.
You can configure your routers not to respond to ping requests or broadcasts or not to forward packets directed to broadcast addresses Additionally modern IP filtering appliances are now smart enough to mitigate these threats by dropping any ping that is greater than 84 bytes, for example, and by only allowing a limited number of simultaneous connections from any single IP address. The second of these things is effective against DoS flood attacks if the limit is set low, say 5 or 6. To generate sufficient resource requests would mean that there would need to be a very high number of hackers involved, more than could be organized in to one group. So, DoS hackers had to find an alternative.
Distributed Denial of Service (DDoS) gets the hackers around this restriction. In a DDoS attack the hackers are not sending the DoS attack from their own PC. Instead they are using a network of PC's on which they have managed to place a "zombie agent" on to allow them to use those PCs to fire off the DDoS attack, known as a botnet. One hacker could be in control of several thousand "zombie agents" each getting 5 or 6 connections to a web server without the PC owner being aware of this. A small group of hackers, acting in concert, could easily deny access for any legitimate user or crash a system. Current IP filtering technology can't prevent these types of attacks so can we do anything?
Well, there are things we could do:
- Catch all the hackers and lock them up.
- Just not going to happen; what about those sponsored by nation states?
- Legislate to ensure that all PC operating systems/applications are completely secure against all infiltration of malware.
- A nice idea but really impracticable. Even if you could do this you can't stop the fool who opens an unsolicited email and double clicks on the attachment with no idea of what it will do. (It installs a Trojan of course).
- Install your web service application on a large number of independent servers based in different parts of the world.
- Each one could still be attacked but the chances of them all going down is slim.
- Install your web service application on a large number of independent servers in one location and then front-end this with an array of load balancing equipment.
- This might be cost prohibitive but if the service that you provide is really important, say for instance the self assessment tax system in the UK, then how much is it worth to the nation for this not to be the subject of a successful attack?
DDoS attacks happen and governments are not immune. In the summer of 2010, the Irish Central Applications Office server was hit by a denial of service attack; in 2009, during the Iranian elections, the official website of the Iranian government was attacked and made inaccessible; in 2001 the Irish Government's Department of Finance server was hit by a DoS attack.
There is no foolproof method to prevent a DDoS attack at present. However, for mission critical web services, you need to do something and sitting on your hands waiting for an attack is not an option.