Are service providers doing enough to protect against the most common DDoS threats?

By Maya Canetti, Director of Products at Allot Communications.

In this series of articles, Maya Canetti, Director of Products at Allot Communications, explores the most significant types of DDoS attacks and how to mitigate them.

The threat of DDoS attacks continues to grow, with Cisco reporting that the size of attacks is already approaching 1.2 Gbps. An attack of this size could take most service providers offline completely, not to mention destroy their reputation and relationships with customers.

Firstly, we turn our attention to SYN Floods. What are the risks to service providers?

 

Cyber security spending is on the rise due to the growth of cybercrime. This is evidenced by the UK government’s attempts to reassure businesses and the public at large by investing £1.9 billion over five years at the end of last year as part of the national cyber security strategy. But just this month, the FBI issued a warning to businesses about Lizard Squad, who achieved notoriety as a result of their attacks against Microsoft and Sony in the past. While SYN Flooding has been well-known since the mid-1990s, many hackers now use a blended style of threat, utilising more than one type of DDoS attack. As there are as many as 25 types, a blended attack is far more difficult to stop in its tracks.

De-mystifying SYN Flooding

 

Understanding SYN Flooding means deciphering what’s known as the TCP three-way handshake.

A healthy TCP three-way handshake consists of the following steps:

1.    The client will request a connection by sending a synchronize message, known as SYN, to the server.

2.    The server then acknowledges the request by sending back to the client a synchronize-acknowledge message, known as SYN-ACK.

3.    The client then responds one last time with their own acknowledgement, known as ACK, and the connection has then been established.

In a SYN Flood attack, the malicious client, often part of a botnet, takes advantage of this procedure. Often using a spoofed source IP address, it sends SYN messages to the server (e.g. a firewall), requesting a connection on every available port, and repeating the request over and over. The server will respond with a SYN-ACK for each one, quickly becoming overloaded, or flooded.

However, the malicious client will not reply with their own ACK, or might not even receive the SYN-ACK at all. While the server waits for the response, the connection is neither open nor closed, giving these attacks the nickname of ‘half open attacks’ – which leave service providers, and their customers, exposed.

Preventative measures

Ensuring protection over multiple layers is the most secure form of defence:

·         Traffic shaping proactively limits the traffic reaching each network element to that element’s capacity, so that elements cannot be overwhelmed by DDoS attacks, even the massive ones.

·         Dynamic network anomaly detection with scalable mitigation can block attack traffic in seconds, maintaining supreme QoE.
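The half-open condition described earlier is what an anomaly detector can measure: how many SYNs in a time window were never completed by the client's ACK. The Python below is an added example, not code from the article or from any vendor; the event tuple format, the thresholds and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

def analyse(events, window=5.0, min_syns=50, max_half_open_ratio=0.8):
    """Flag time windows in which most SYNs never completed the handshake.

    events: (timestamp, src_ip, src_port, dst_port, flag) tuples for packets
    arriving at the server, flag being "SYN" or "ACK" (assumed format).
    Returns [(window_start, syns, half_open), ...] for flagged windows.
    """
    pending = {}                  # handshake key -> window index of its SYN
    syns = defaultdict(int)       # window index -> SYNs received
    completed = defaultdict(int)  # window index -> SYNs later answered by ACK
    for ts, src, sport, dport, flag in events:
        key = (src, sport, dport)
        if flag == "SYN":
            if key in pending:    # retransmitted SYN, already counted
                continue
            pending[key] = int(ts // window)
            syns[pending[key]] += 1
        elif flag == "ACK" and key in pending:
            completed[pending.pop(key)] += 1
    alerts = []
    for w in sorted(syns):
        half_open = syns[w] - completed[w]
        # Aggregate ratio, not per-source counts: spoofed sources rarely repeat.
        if syns[w] >= min_syns and half_open / syns[w] >= max_half_open_ratio:
            alerts.append((w * window, syns[w], half_open))
    return alerts

def sample_events():
    """Constructed traffic: steady legitimate handshakes plus a 5 s SYN burst."""
    ev = []
    for i in range(40):           # one completed handshake every 0.5 s
        t = i * 0.5
        ev.append((t, "192.0.2.10", 40000 + i, 443, "SYN"))
        ev.append((t + 0.05, "192.0.2.10", 40000 + i, 443, "ACK"))
    for i in range(200):          # SYNs from varying sources, never ACKed
        ev.append((10 + i * 0.025, f"198.51.100.{i % 250 + 1}", 1024 + i, 443, "SYN"))
    return sorted(ev)

if __name__ == "__main__":
    for start, n_syn, n_half in analyse(sample_events()):
        print(f"t={start:.0f}s: {n_syn} SYNs, {n_half} left half-open")
```

On the constructed traffic only the window starting at 10 s is flagged; the steady legitimate handshakes stay below the SYN-count threshold and complete normally.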

Because these strikes often happen without warning, it’s quite likely a communications service provider will be hit before it can work out what has caused the problems. It’s important to get ahead of the curve to be in the strongest position possible to mitigate the effects of a SYN Flood on your network.
