
Expert Reference Series of White Papers

How To Defend Against DDoS Attacks and Strengthen Security Controls


1-800-COURSES www.globalknowledge.com

How To Defend Against DDoS Attacks and Strengthen Security Controls


Michael Gregg

Introduction
There is an old saying that those who fail to learn from the past are doomed to repeat it. I believe this statement is true and that there are some things IT security professionals can learn from the WikiLeaks saga of 2010 and how Distributed Denial of Service (DDoS) was used to attack specific domains. Before I discuss what we can learn from this event, it's important to understand what happened.

Background
WikiLeaks is a website that was created by the former Australian hacker Julian Assange. The purpose of the website, seen in Figure 1, is to expose secret/confidential information. WikiLeaks has hosted information on everything from Sarah Palin's Yahoo mail account to Climategate. (Climategate was the name given to leaked emails among climate scientists discounting climate change.) During the later months of 2010, WikiLeaks stayed in the news because of its release of huge amounts of confidential U.S. Government documents.

The alleged source of this information is Bradley Manning. According to a computer chat log published in June, 2010, by the Wired News website, Bradley Manning bragged to Adrian Lamo, the former hacker who turned him in, that he was going to unleash worldwide anarchy in CSV format. Among other things, Manning stated in the chat that he would come to work at an Army base outside Baghdad with rewritable CDs, labeled with something like Lady Gaga, and quietly transfer secret U.S. government information to rewriteable CDs.

Copyright 2011 Global Knowledge Training LLC. All rights reserved.

The release of this information can be categorized as a type of cyber attack. Cyber attacks are very different from traditional warfare. 9/11, Pearl Harbor, and the Tet Offensive were all planned, organized attacks that quickly made the news and could be assessed in terms of physical damage and the loss of life. Modern cyber attacks are different in that they can happen in the blink of an eye, and the damage may not be apparent for many months or even years.

Project Payback
Because of the release of this sensitive information and the jailing of the suspect, the U.S. State Department asked companies to stop doing business with WikiLeaks to restrict its access to funding. Companies such as Visa, MasterCard, and PayPal froze WikiLeaks accounts. Other companies followed suit, stating that servicing WikiLeaks violated their internal policies. While this did restrict WikiLeaks' access to funding, it also started a round of DDoS attacks. These attacks were launched by a loose affiliation of hackers known as Anonymous. These hackers targeted companies that had cut off service to WikiLeaks and called the attacks Project Payback. Their stated goal was to exact some vigilante justice against what they believed were the evil, free-speech suppressing corporations such as MasterCard, PayPal, PostFinance.ch, Visa.com, and Amazon.com. What is most interesting is that even though their techniques were low tech, they were somewhat successful at disrupting the services of these companies.

Project Payback chose Twitter and IRC channels to communicate, and it used publicly available DDoS attack tools to target its victims. Anonymous instructed its followers to access a specific URL that provided instructions on how to launch the attack and who/what would be the intended targets. An example of this URL can be seen in the figure above.

DDoS is a blunt instrument in that it does not give the attacker access to the victim's site; it simply disrupts communication. A DDoS attack involves flooding a server with traffic until it becomes overloaded and can no longer function. While a single high-speed DSL or cable connection cannot generate enough traffic to cause a significant disruption to a website, an attack spread over hundreds of connections can cause a spike in traffic that has the potential to slow or shut down a domain that has not implemented good security controls.

Five Things to Learn from the Attack


Now it is time to examine what lessons we can learn from these events. There are five that this white paper addresses:
- Sensitive information requires strong controls
- DDoS attacks are easy to launch and hard to defend against
- DDoS attack tools are widely available
- Basic controls can help mitigate DDoS attacks
- Modern networks need more protection to mitigate DDoS attacks

1. Sensitive Information Requires Strong Controls


One thing that we can learn from these events is that private companies and the U.S. government must do a better job of protecting sensitive information. The fact that Pfc. Manning had access to broad-based, high-level information should be a big wake-up call to the Department of Defense (DoD) and every corporation and organization responsible for protecting sensitive data. Sensitive, secret, proprietary, or confidential information must be protected. The best way to accomplish this is through the use of strong data classification controls.

Data classification is a useful way to rank an organization's informational assets. The two most common data-classification schemes are military and public. The responsibility for the classification of data falls on the data owner. Individuals at the top of the organizational structure need to take the lead in implementing policies designed to protect this information. Both military and private data-classification systems accomplish this task by placing information into categories. The first step of this process is to assess the value of the information. When the value is known, it becomes much easier to decide what amount of resources should be used to protect the data. Each level of classification that is established should have specific requirements and procedures. The military and commercial data-classification models have predefined labels and levels. When an organization decides which model to use, it can evaluate data placement by using criteria such as the following:
- Data value
- Data age
- Laws pertaining to data
- Regulations pertaining to disclosure
- Replacement cost

Regardless of which model is used, the questions below will help determine the proper placement of the information.
- Who owns the asset?
- Who controls access rights and privileges?
- Who approves access rights and privileges?
- What level of access is granted to the asset?
- Who currently has access to the asset?


The military data-classification system is widely used within the DoD. This system has five levels of classification:
- Top secret: Grave damage if exposed
- Secret: Serious damage if exposed
- Confidential: Disclosure could cause damage
- Sensitive but unclassified: Disclosure should be avoided
- Unclassified: If released, no damage should result

Each level represents an increasing level of sensitivity. Sensitivity is the desired degree of secrecy that the information should maintain. If an individual holds a confidential clearance, it means that he could access unclassified, sensitive, or confidential information for which he has a need to know. His need-to-know would not extend to the secret or top-secret levels. The concept of need-to-know is similar to the principle of least privilege in that employees should have access only to information that they need to know to complete their assigned duties.

Public/Private Data Classification is another approach to data classification. The public or commercial data classification is built upon a four-level model:
- Confidential: This is the highest level of sensitivity, and disclosure could cause extreme damage to the company.
- Private: This information is for company use only, and its disclosure would damage the company.
- Sensitive: This information requires a greater level of protection to prevent loss of confidentiality.
- Public: This information might not need to be disclosed, but if it is, it shouldn't cause any damage.

The number one thing that data classification does is to force an organization to examine its informational assets and place a value on them. Only then can a company start to look at what level of control is needed to protect this information.
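The clearance and need-to-know rule described above (a confidential clearance reaches unclassified, sensitive, and confidential data, but only for the compartments the person actually needs) is easy to turn into an access check. The following is an added example written for this white paper's discussion, not code from the paper or from any DoD or vendor system; the Subject, Asset, and compartment names are assumptions, and the ordered level lists are taken from the two models the paper describes.

```python
from dataclasses import dataclass

# Military levels from the paper, ordered least to most sensitive.
MILITARY_LEVELS = [
    "unclassified",
    "sensitive but unclassified",
    "confidential",
    "secret",
    "top secret",
]

# Commercial (public/private) levels from the paper, least to most sensitive.
COMMERCIAL_LEVELS = ["public", "sensitive", "private", "confidential"]


@dataclass(frozen=True)
class Subject:
    """A person: their clearance level and the compartments they need to know about."""
    name: str
    clearance: str
    need_to_know: frozenset  # hypothetical compartment names, e.g. {"logistics"}


@dataclass(frozen=True)
class Asset:
    """A classified item: its label, its compartment, and the data owner who set the label."""
    name: str
    label: str
    compartment: str
    owner: str


def dominates(levels, clearance, label):
    """True if `clearance` is at least as high as `label` within one scheme.

    Mixing levels from the two schemes is an error, not a silent deny:
    a label from the wrong model usually means a data-owner mistake.
    """
    if clearance not in levels or label not in levels:
        raise ValueError("clearance and label must come from the same scheme")
    return levels.index(clearance) >= levels.index(label)


def readable_levels(levels, clearance):
    """All labels a clearance may reach, e.g. confidential -> unclassified..confidential."""
    return levels[: levels.index(clearance) + 1]


def may_read(levels, subject, asset):
    """Read is allowed only when the clearance dominates the label AND the
    subject has need-to-know for the asset's compartment (least privilege)."""
    return (
        dominates(levels, subject.clearance, asset.label)
        and asset.compartment in subject.need_to_know
    )


if __name__ == "__main__":
    # Constructed sample: an analyst cleared to confidential for logistics only.
    analyst = Subject("analyst", "confidential", frozenset({"logistics"}))
    schedule = Asset("convoy schedule", "confidential", "logistics", owner="J4")
    ops_plan = Asset("ops plan", "secret", "logistics", owner="J3")
    print(may_read(MILITARY_LEVELS, analyst, schedule))  # True
    print(may_read(MILITARY_LEVELS, analyst, ops_plan))  # False: label exceeds clearance
```

The two conditions are deliberately separate: clearance answers "how sensitive may it be?" and need-to-know answers "is it this person's business?". A check that enforces only the first would have let a confidential-cleared user read every confidential document in the organisation, which is exactly the breadth of access the paper calls a wake-up call.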

2. DDoS Attacks are Easy to Launch


DDoS attacks are easy to launch and hard to defend against. DDoS attacks are also unique in that they don't provide the attacker access to the victim's resources; they simply block access for legitimate users. Mitigating denial of service attacks typically requires the expenditure of capital. Some companies don't believe that DDoS attacks can happen to them, so they don't see the need to allocate the funds to build sufficient controls. Preventing these attacks is difficult. Several basic techniques are used to defend against DDoS attacks, which include increased bandwidth, traceback, and mitigation.

The first defensive measure is to maintain large amounts of bandwidth. It is my belief that this technique has only limited ability to defend against an attack. No matter how large the WAN connection, there is always a finite amount of resources, and if an attacker can exceed that level, the result is denial of service. At that point, the attack has successfully blocked normal communications.


The next approach is traceback. This technique is focused on tracing packets back to the entry points to the domain. Once the entry point is known, the upstream ISP can configure its routers to reject all packets flooding the DDoS target; this results in Internet Control Message Protocol (ICMP) type 3 destination unreachable messages being returned to the upstream source. The ISP can then identify the next router interfaces through which the attack is entering. This process repeats itself as the defender continues to work back toward the attacker, tracing the attack back to the original source.

Mitigation is the third approach. I consider this technique a more proactive defense. Mitigation makes use of a traffic cleaning center that operates at peering points on the Internet. The traffic cleaning nodes operate as scrubbers and only redirect clean, valid traffic to the company's web servers. Symantec, Verisign, and others offer these services.

3. The Tools Attackers Use are Widely Available


Years ago, it would have been safe to say that someone who attacked a network had a high level of skill in networking and programming. For example, an attacker would have had to write his own tool and compile it before launching an attack. This is no longer true. Today, most tools are widely available. Any number of websites offer executable hacking tools. There are Linux distributions that provide bootable CDs with everything that is needed to hack a network. As an example, the DDoS tool used to attack MasterCard, PayPal, PostFinance.ch, Visa.com, and others was Low Orbit Ion Cannon (LOIC). This tool is readily available and can be downloaded for Linux and Windows computers (see figure above). It's low-tech in that it simply floods a site with traffic, yet when combined with others using the same tool, it can generate enough traffic to potentially disrupt normal communications.

For a security administrator, an important item to note is that the ease of use of these tools means that it is easy for anyone to launch a DDoS attack. This is something that all Internet-based businesses should consider and plan for during the risk assessment process. Finally, while these tools are easy to use, many, such as LOIC, make no attempt to hide the IP address of the attacker. This means these individuals can be traced back for prosecution; the Netherlands did trace back and arrest a 16-year-old and a 19-year-old and charged them with being involved in Operation Payback.

4. Some Basic Controls Can Help Mitigate the Attack


While many preventive controls have a considerable cost, there are some basic solutions that offer some protection. While these suggestions won't prevent a DDoS attack, they can reduce the effectiveness of an attack and make it harder for an attacker to hide his true identity. The basic control to which I am referring is ingress and egress filtering. Filtering is the act of examining the source and destination IP addresses at key locations like firewalls and border routers, looking for things that should never happen.

Here's an example using the 128.6.68.0 address. If this is your internal address range, you should never get an IP packet from the Internet with a source address in that range. The only way such a packet could arrive would be if it were forged, so dropping it is the right thing to do. Besides, such a packet could never be replied to, so there is no reason to process it.

A similar example applies to traffic leaving a network. Using 128.6.68.0 again, no packet should ever arrive at your network exit points (firewall, proxy, or border router) that does not have a valid 128.6.68.0 network address as its source. Since many worms, Trojans, and DDoS tools forge the source address, this is another packet that should be logged, investigated, and then dropped. With this rule in place, DDoS attacks such as Tribal Flood, Trinoo, Code Red, Blaster, and others would have been much harder to launch and execute because they all contain software that uses spoofed IP addresses. Just a few simple rules could have prevented much of the damage these programs have caused. By applying these techniques, you, too, can gain some basic protection.
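Both rules from the 128.6.68.0 example can be written down as a small filter so the logic can be tested before it goes onto a border router. The following is an added example for this white paper, not the author's code and not any vendor's firewall syntax. It assumes the internal range is 128.6.68.0/24 (the paper gives no mask), it represents packets with a hypothetical Packet record carrying a direction flag, and it goes one step beyond the paper by also dropping inbound packets whose source is an RFC 1918 or loopback address, another thing that should never arrive from the Internet.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the paper's 128.6.68.0 range is a /24.
INTERNAL_NET = ipaddress.ip_network("128.6.68.0/24")

# Source ranges that can never legitimately arrive from the Internet side
# (extension beyond the paper's example: RFC 1918 private space and loopback).
NEVER_FROM_INTERNET = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    """Hypothetical packet summary: only the fields the filter needs."""
    src: str
    dst: str
    direction: str  # "in" = arriving from the Internet, "out" = leaving toward it


def decide(pkt, internal=INTERNAL_NET):
    """Return (verdict, reason) for one packet.

    Ingress rule: a packet from the Internet must not claim an internal source.
    Egress rule: a packet leaving the network must carry an internal source.
    Anything else is accepted here; real deployments add further rules.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in":
        if src in internal:
            return "drop", "ingress: Internet packet claims internal source (spoofed)"
        if any(src in net for net in NEVER_FROM_INTERNET):
            return "drop", "ingress: private/loopback source cannot come from the Internet"
        return "accept", "ok"
    if pkt.direction == "out":
        if src not in internal:
            return "drop", "egress: outbound packet without a valid internal source (spoofed)"
        return "accept", "ok"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_packets(packets, internal=INTERNAL_NET):
    """Apply decide() to each packet; return (accepted packets, drop log lines).

    Drops are logged rather than silently discarded, because the paper's advice
    is to log and investigate spoofed traffic, not just to drop it.
    """
    accepted, log = [], []
    for p in packets:
        verdict, reason = decide(p, internal)
        if verdict == "drop":
            log.append(f"DROP {p.direction} src={p.src} dst={p.dst} ({reason})")
        else:
            accepted.append(p)
    return accepted, log


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.0/24 is documentation space standing in for the Internet.
    sample = [
        Packet("128.6.68.10", "128.6.68.1", "in"),    # spoofed: internal source from outside
        Packet("203.0.113.5", "128.6.68.10", "in"),   # normal inbound
        Packet("128.6.68.20", "203.0.113.5", "out"),  # normal outbound
        Packet("10.0.0.5", "203.0.113.5", "out"),     # spoofed: not our address leaving our network
        Packet("10.1.2.3", "128.6.68.10", "in"),      # private source arriving from the Internet
    ]
    kept, drops = filter_packets(sample)
    for line in drops:
        print(line)
```

The egress rule is the one most often skipped, because it protects other people's networks rather than your own. It is also the rule that takes the spoofing capability away from a compromised host inside your range, which is why the paper lists it alongside ingress filtering rather than as an afterthought.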

5. Modern Networks Require Greater Protection


High-speed, always-on computer networks play a significant role in our economy and connect us to the rest of the world. Such connectivity has changed the rules. Information is no longer locked in a safe guarded by physical controls. It's in databases, folders, hard drives, and even in the cloud. The proliferation of access means security architects must build in layered security. This brings us to our final tip: defense in depth and the use of administrative, technical, and physical controls.

Administrative controls are composed of the policies, procedures, guidelines, and baselines an organization develops. Administrative controls also include policies that define and detail basic incident response. The incident response policy should address:
- What steps are to be taken to verify an attack?
- What steps are to be taken to halt or mitigate an attack?
- What escalation steps are to be taken should an attack persist?
- What steps are to be taken to trace an attacker?
- What steps are to be taken if an attacker or attackers are identified?

Technical controls are the logical mechanisms used to control access, authenticate users, identify unusual activity, and restrict unauthorized access. Some of the technical controls that can be used to reduce the effects of DDoS include:
- Ingress/egress filtering
- Mitigation
- Traceback
- Specialized tools to defend against DDoS
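The first item in the incident response policy, verifying that an attack is actually under way, and the technical control of identifying unusual activity both need something concrete to look at. A flood from tools of the kind the paper describes shows up in a web server's access log as one source making far more requests per unit time than any normal client. The example below is added here and is not from the paper: it parses a few constructed Apache-style log lines and reports any source whose request count within a sliding window exceeds a threshold. The window, threshold, and sample addresses (documentation ranges) are all assumptions to be tuned against real baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (common log format); 203.0.113.7 hammers "/" while
# 198.51.100.4 behaves like an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2010:14:01:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [10/Dec/2010:14:01:01 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Dec/2010:14:01:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2010:14:01:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2010:14:01:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2010:14:01:03 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2010:14:01:03 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2010:14:01:04 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2010:14:01:05 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [10/Dec/2010:14:01:30 +0000] "GET /about.html HTTP/1.1" 200 1024
"""

# Source address, bracketed timestamp, quoted request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (source, timestamp) for a common-log-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("src"), ts


def flood_sources(lines, window_seconds=10, threshold=5):
    """Sliding-window request counter per source.

    Assumes lines arrive in chronological order (as a live log does). Returns
    {source: peak requests seen inside any window} for sources that exceeded
    `threshold`; an empty dict means nothing stood out.
    """
    windows = defaultdict(deque)  # source -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        src, ts = parsed
        q = windows[src]
        q.append(ts)
        # Slide the window: discard timestamps older than window_seconds.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, peak in flood_sources(SAMPLE_LOG.splitlines()).items():
        print(f"possible flood: {src} made {peak} requests in a 10 s window")
```

A single source over the threshold is the easy case; the distributed attacks the paper describes spread the same load over hundreds of addresses, each individually modest. The same sliding-window count applied to the total request rate, rather than per source, is what verifies that case, and comparing it against a baseline taken on a normal day is what turns "busy" into "under attack".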


Physical controls are the third category of controls that can be used to mitigate DDoS and to control information. When discussing DDoS, it's common to think in terms of a network attack, but the truth is that DDoS can also be the result of physical attacks. For example, if a hacker can gain physical access, he may be able to disrupt, alter, or destroy equipment. Just by gaining access to a router, a hacker could change the routing table and disable or redirect your network traffic. Examples of physical controls used to protect an organization's assets include:
- Gates
- Guards
- Fences
- Locks
- CCTV systems
- Turnstiles
- Mantraps

Conclusion
We live in a world that is much different than just a few years ago. Today, secret and sensitive information may no longer be locked in a safe. In today's world, a large amount of sensitive and secret information can be found in databases and file servers connected to the Internet. A company's sales may demand that it maintain a presence on the Internet, and downtime of only a few minutes may result in the loss of thousands of dollars. The business environment of the 21st century requires that companies build stronger IT security controls and implement true security. Companies must consider the cost of a DDoS attack before it happens and implement controls to mitigate an attack should it occur. The cost of not doing so may result in the business failing, loss of life, and more.

Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:
- Cybersecurity Foundations
- Certified Ethical Hacker
- Security+ Prep Course

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs and exercises offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 1,200 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and business training needs.

About the Author


Michael Gregg has 20 years of information security experience. He is the CTO of Superior Solutions, Inc., a Houston-based IT security consulting and auditing firm. He has led security risk assessments and established security programs within top corporations and government agencies. Michael is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs. He holds two associate degrees, a bachelor's degree, and a master's degree. Some of the certifications he holds include CISA, CISSP, CISM, MCSE, CTT+, CGEIT, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and SSCP. In addition to his experience performing security assessments, he has authored or coauthored more than 10 books including Certified Ethical Hacker Exam Prep (Que), CISSP Exam Cram 2 (Que), Build Your Own Network Security Lab (Wiley), and Hack the Stack (Syngress). Michael has created more than 15 security-related courses and training classes for various companies and universities.
