Below are five security controls that reduce the risk of a typical DoS attack against an Internet-facing system.
IDS / IPS
Intrusion Detection and Prevention Systems are the standard way of detecting DoS traffic. Deployed at strategic points in the network, an IDS watches traffic out of band and can tear down suspicious connections by injecting TCP resets, while an inline IPS can help prevent compromise by dropping the offending traffic before it reaches the target. Both are built to detect and stop malicious traffic, but perhaps the most valuable use of an IDS/IPS is simply monitoring the logs and alerts they generate as an early warning of malicious traffic on the network. One caveat: an inline IPS sits in the traffic path, so under a volumetric flood it can become a bottleneck itself; its value against DoS lies in spotting and shaping abusive connections, not in absorbing raw bandwidth.
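The following is an added example, not code from the original page or from any IDS product: a minimal SYN-flood detector run over a constructed packet log, to show the shape of the alert an IDS would raise. The log format, the addresses and the thresholds are assumptions. It also handles the case a per-source rule alone misses, a flood spread over many spoofed source addresses, by aggregating half-open connections per destination as well.

```python
"""Added example (not code from the original page): a minimal SYN-flood
detector run over constructed packet-log lines, to show the kind of alert an
IDS raises. The log format, addresses and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample log, one packet per line: "<src-ip> <dst-ip> <tcp-flags>".
# 198.51.100.7 completes two handshakes (S, SA, A); 192.0.2.66 sends six SYNs
# and never answers the SYN-ACKs, i.e. it leaves six half-open connections.
SAMPLE_LOG = """\
198.51.100.7 203.0.113.5 S
203.0.113.5 198.51.100.7 SA
198.51.100.7 203.0.113.5 A
198.51.100.7 203.0.113.5 S
203.0.113.5 198.51.100.7 SA
198.51.100.7 203.0.113.5 A
192.0.2.66 203.0.113.5 S
192.0.2.66 203.0.113.5 S
192.0.2.66 203.0.113.5 S
192.0.2.66 203.0.113.5 S
192.0.2.66 203.0.113.5 S
192.0.2.66 203.0.113.5 S
"""

# A spoofed-source flood: 25 SYNs, each from a different (forged) address, so
# no single source crosses the per-source threshold.
SPOOFED_LOG = "\n".join(f"192.0.2.{i} 203.0.113.5 S" for i in range(1, 26))

PROTECTED_HOST = "203.0.113.5"
PER_SOURCE_THRESHOLD = 5   # half-open connections from one source
PER_HOST_THRESHOLD = 20    # half-open connections to the protected host in total


def half_open_by_source(log, host=PROTECTED_HOST):
    """Count SYNs minus handshake-completing ACKs per source address.

    Real IDS engines track each connection's state; counting bare flags is a
    deliberate simplification for a readable example."""
    syns, acks = defaultdict(int), defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, flags = line.split()
        if dst != host:
            continue          # only traffic towards the protected host
        if flags == "S":
            syns[src] += 1    # client SYN: a new half-open connection
        elif flags == "A":
            acks[src] += 1    # client ACK: handshake completed
    return {src: syns[src] - acks[src] for src in syns}


def alerts(log, host=PROTECTED_HOST,
           per_source=PER_SOURCE_THRESHOLD, per_host=PER_HOST_THRESHOLD):
    """Return the alert lines an IDS would log for this traffic sample."""
    half_open = half_open_by_source(log, host)
    out = []
    for src, n in sorted(half_open.items()):
        if n >= per_source:
            out.append(f"ALERT syn-flood src={src} dst={host} half_open={n}")
    # Aggregate per destination as well: a spoofed flood spreads its SYNs over
    # many forged sources and is invisible to a per-source rule alone.
    total = sum(n for n in half_open.values() if n > 0)
    if total >= per_host:
        out.append(f"ALERT syn-flood dst={host} half_open_total={total} "
                   "(many sources, possibly spoofed)")
    return out


if __name__ == "__main__":
    for log in (SAMPLE_LOG, SPOOFED_LOG):
        print("\n".join(alerts(log)) or "no alerts")
```

The per-host aggregate is the part worth copying: a per-source threshold on its own is trivially bypassed by spoofing, which is exactly why real deployments alert on the destination's half-open backlog and not only on noisy individual sources.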
Black Hole Routing
Black hole routing is a technique for manipulating traffic flow in a network so that incoming or outgoing traffic for a chosen destination is quietly dropped, typically by installing a route for that prefix that points at a null (discard) interface. In the context of DoS attacks, once an attack is detected, traffic to the targeted address can be steered into this “black hole” at the network edge, or at the upstream provider via a remotely triggered black hole (RTBH) announcement, so that the junk traffic never reaches the internal network. The downside is similar to the way an antibiotic kills both good and bad bacteria: all traffic to the blackholed address, legitimate included, is dropped, so the targeted site is effectively taken offline for the duration. That being said, blackholing traffic directed at the targeted site can protect the larger network, and the other services on it, from a large-scale DoS attack.
Load Balancing
Load balancing technologies spread the processing load of incoming connections across multiple servers. As the technology has advanced, load balancers have become better at inspecting traffic in order to make informed balancing decisions. They can act as a first line of defense in a DoS attack by steering live traffic away from an overwhelmed server to healthy ones and shedding excess connections, which eliminates single points of failure and hides the individual servers behind one public address. Note that a load balancer distributes load rather than absorbing it: one that is itself undersized simply becomes the new bottleneck.
Connection Limits and Timeouts
Limiting the number of connections (per client and in total) and enforcing timeouts can thwart the class of DoS attacks that works by holding many connections open, such as SYN floods and slow-request attacks, by dropping connections that are unresponsive. By setting connection limits and timeout values based on observed statistics for legitimate connections (typical concurrency per client, typical idle time between requests), it is possible to drop DoS connections while still allowing legitimate connections through. The caveat is that limits set too aggressively become a self-inflicted DoS for legitimate users who share one source address behind NAT or a proxy.
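As an added example that is not part of the original page, here is a small connection table that enforces a per-source limit, a global limit and an idle timeout, exercised against a slow-connection style attacker that opens many sockets and goes silent. The addresses, limits and timings are assumptions chosen for illustration; production systems put these knobs in the server or kernel (for example nginx's limit_conn and client_header_timeout, or Linux's net.ipv4.tcp_syncookies and SYN backlog settings) rather than in application code.

```python
"""Added example (not code from the original page): a connection table that
enforces a per-source connection limit, a global limit and an idle timeout,
exercised against a slow-connection style attacker. Addresses, limits and
timings are assumptions chosen for illustration."""
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    last_activity: float   # seconds; the clock is whatever the caller passes


class ConnectionTable:
    def __init__(self, max_per_source=10, max_total=1000, idle_timeout=30.0):
        self.max_per_source = max_per_source
        self.max_total = max_total
        self.idle_timeout = idle_timeout
        self.conns = {}        # connection id -> Conn
        self._next_id = 1

    def accept(self, src, now):
        """Return a connection id, or None if accepting would exceed a limit."""
        self.reap(now)         # free idle slots before counting
        if len(self.conns) >= self.max_total:
            return None
        if self.count(src) >= self.max_per_source:
            return None        # one source may not monopolise the table
        cid, self._next_id = self._next_id, self._next_id + 1
        self.conns[cid] = Conn(src, now)
        return cid

    def activity(self, cid, now):
        """Record traffic on a connection so its idle timer restarts."""
        self.conns[cid].last_activity = now

    def reap(self, now):
        """Drop every connection idle for longer than the timeout; return their ids."""
        idle = [cid for cid, c in self.conns.items()
                if now - c.last_activity > self.idle_timeout]
        for cid in idle:
            del self.conns[cid]
        return idle

    def count(self, src=None):
        """Number of open connections, optionally only those from one source."""
        if src is None:
            return len(self.conns)
        return sum(1 for c in self.conns.values() if c.src == src)


def simulate():
    """Attacker opens many connections and goes silent; a legitimate client
    keeps talking. Returns what happened at each step."""
    table = ConnectionTable(max_per_source=10, idle_timeout=30.0)
    attacker, client = "192.0.2.66", "198.51.100.7"

    # t=0: the attacker tries 15 connections at once; only 10 are admitted.
    attempts = [table.accept(attacker, now=0.0) for _ in range(15)]
    accepted = [cid for cid in attempts if cid is not None]

    # t=0: the legitimate client still gets in despite the attacker's burst.
    client_cid = table.accept(client, now=0.0)

    # t=10: the client sends a request; the attacker's connections stay idle.
    table.activity(client_cid, now=10.0)

    # t=31: the reaper fires; attacker sockets (idle 31 s) go, client (idle 21 s) stays.
    reaped = table.reap(now=31.0)

    return {
        "attacker_accepted": len(accepted),
        "attacker_rejected": attempts.count(None),
        "client_admitted": client_cid is not None,
        "reaped_at_31s": len(reaped),
        "client_alive_after_reap": client_cid in table.conns,
        "attacker_alive_after_reap": table.count(attacker),
    }


if __name__ == "__main__":
    print(simulate())
```

The two limits do different jobs: the per-source cap keeps one client from filling the table in the first place, and the idle timeout reclaims the slots that a slow or silent client does manage to take, so neither setting has to be aggressive enough on its own to hurt legitimate users.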
Web Application Firewall (WAF)
WAF technology learns how an application works and analyzes the types of requests, and the inputs to those requests, that reach the underlying application. By building a profile of what “normal” requests and inputs ought to look like (a positive security model) alongside signatures of known attacks, a WAF becomes an extremely powerful tool for identifying many different types of attacks. WAF technology may also fingerprint client devices to better separate malicious from non-malicious users and their respective behavior. In short, a WAF inspects, monitors and filters traffic, and promptly blocks any identifiable malicious requests. Against DoS specifically, its strength is application-layer attacks such as HTTP request floods and abusive slow requests; it does nothing for a volumetric flood that saturates the link in front of it.
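To make the positive security model concrete, here is an added example that is not code from the original page or from any WAF product: a per-route profile of the parameters the application expects and the shape of each value, applied to constructed requests. The routes, patterns, size cap and sample inputs are all assumptions; a real WAF layers signatures, client fingerprinting and rate limiting on top of this kind of profile.

```python
"""Added example (not code from the original page): a toy positive-security
request profile of the kind a WAF learns or is configured with, applied to
constructed requests. Routes, parameter patterns and sample inputs are
assumptions for illustration."""
import re

# Per-route profile: the only parameters the application accepts for that
# route, each with the shape a legitimate value is expected to have.
PROFILES = {
    ("POST", "/login"): {
        "username": re.compile(r"[a-z0-9_.]{3,32}"),
        "password": re.compile(r".{8,128}", re.DOTALL),
    },
    ("GET", "/search"): {
        "q": re.compile(r"[\w \-]{1,64}"),
        "page": re.compile(r"[0-9]{1,3}"),
    },
}
MAX_REQUEST_BYTES = 4096   # cap on parameter bytes to blunt resource-exhaustion requests


def inspect(method, path, params):
    """Return "allow" or a "block: ..." verdict for one request."""
    profile = PROFILES.get((method, path))
    if profile is None:
        return "block: no profile for route"          # unknown routes are not served
    if sum(len(k) + len(v) for k, v in params.items()) > MAX_REQUEST_BYTES:
        return "block: request too large"
    for name, value in params.items():
        pattern = profile.get(name)
        if pattern is None:
            return f"block: unexpected parameter {name}"
        if not pattern.fullmatch(value):
            return f"block: parameter {name} does not match profile"
    return "allow"


# Constructed requests, not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/login", {"username": "alice", "password": "correct horse battery"}),
    ("POST", "/login", {"username": "admin' OR 1=1--", "password": "xxxxxxxx"}),
    ("GET", "/search", {"q": "dos mitigation", "page": "2"}),
    ("GET", "/search", {"q": "dos mitigation", "page": "999999999"}),
    ("GET", "/search", {"q": "x", "debug": "1"}),
    ("GET", "/admin/export", {}),
    ("POST", "/login", {"username": "bob", "password": "A" * 5000}),
]


def inspect_all(requests=SAMPLE_REQUESTS):
    """Verdict for each sample request, in order."""
    return [inspect(m, p, params) for m, p, params in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, inspect_all()):
        print(f"{req[0]} {req[1]} {req[2]!r:55} -> {verdict}")
```

Notice that the injection attempt in the second request is blocked without any SQL signature at all: it simply does not look like a username. That is the appeal of the positive model, and also its cost, since every legitimate change to the application has to be reflected in the profile or it turns into false positives.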
Two additional controls
- Bandwidth – As a sixth option I’d like to include increasing one’s network bandwidth in order to withstand DoS attacks. While it is absolutely necessary to use the above controls as layers of defense against DoS attacks, it never hurts to increase the network bandwidth as a whole, since a flood that cannot saturate the link is far easier for the other controls to handle.
- Contact your ISP for help. The upstream provider can filter or blackhole attack traffic before it reaches your link, which is the only place a flood larger than your own bandwidth can be stopped, and many ISPs offer DDoS scrubbing as a service.