Palo Alto Networks blog, 16 April 2012: Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks have become an increasingly common problem for enterprises of all sizes. DDoS campaigns are commonly used by hacktivists to embarrass or otherwise disrupt a target company or government agency.
Unfortunately, the problem doesn’t stop there. Botnets controlled by criminal groups can recruit thousands and even millions of infected machines to join in a truly global DDoS attack, enabling the gang to essentially extort a ransom from the target network in exchange for stopping the attack. Regardless of the source, defending a network from these DDoS attacks has become an integral part of any IT threat prevention strategy. While we don’t claim to be an end-to-end solution for stopping DDoS attacks (nothing really is), there are many features in the Palo Alto Networks next-generation firewall that security teams should integrate into their counter-DDoS strategy. Let’s take a quick look at how an overall DDoS strategy could look.
Keep DoS Attacks as Far Away From the Network As Possible
While we naturally tend to focus on the protections that we can provide at Palo Alto Networks, it’s very important to acknowledge that DDoS protection must begin before traffic ever reaches your network. ISPs are increasingly important partners in the fight against DDoS, and they have the ability to keep some DDoS traffic from reaching the intended target. ISPs can monitor Internet links and can filter or blackhole traffic to protect the customer network. Preparing for DDoS really does require looking beyond your own perimeter, and working with your ISP is a great way to keep DoS traffic as far away from your network as possible.
DDoS Protection Profiles
Of course, DoS attempts will eventually end up on your doorstep, and you will need to repel the attack and protect your assets. This is where the DoS protection profiles in the next-generation firewall are particularly powerful. The DoS profiles allow you to control various types of traffic floods such as SYN, UDP, and ICMP floods. You can also set rules for the maximum number of concurrent sessions, so that session exhaustion can’t overwhelm resources either. However, the real power of the DoS protection profiles is the ability to set independent limits on aggregate as well as same-source sessions. As an example, you can set an overall ceiling on the SYN packets that should be allowed, applying to all devices protected by a particular rule. Then you can set a much more targeted rule for the total SYN packets that should be allowed to a specific IP address. You can apply these “classified” rules based on source IP, destination IP, or source-destination pair. By combining aggregate and classified DoS protections you can build in a great deal of protection not only for the network in general but also for the critical systems and services that the network can’t live without.
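To make the interplay of aggregate and classified limits concrete, here is an added illustrative model (not PAN-OS code, and the thresholds are made-up values, not recommended settings) that applies both limits independently to a constructed stream of SYN packets, classifying by destination IP, source IP, or source-destination pair as the profile allows:

```python
from collections import defaultdict

# Thresholds are illustrative values, not recommended PAN-OS settings.
AGGREGATE_MAX_SYN_PER_SEC = 1000   # ceiling across every host behind the rule
CLASSIFIED_MAX_SYN_PER_SEC = 200   # ceiling per classified key (here: destination IP)

def evaluate(packets, aggregate_max=AGGREGATE_MAX_SYN_PER_SEC,
             classified_max=CLASSIFIED_MAX_SYN_PER_SEC, classify_by="dst"):
    """Apply an aggregate and a classified SYN-rate limit to a packet stream.

    packets: iterable of (second, src_ip, dst_ip) for SYN packets.
    classify_by: "src", "dst" or "pair", mirroring the three classification choices.
    Returns a list of "allow"/"drop" verdicts, one per packet.
    """
    agg_seen = defaultdict(int)   # second -> SYNs already allowed
    cls_seen = defaultdict(int)   # (second, key) -> SYNs already allowed
    verdicts = []
    for sec, src, dst in packets:
        key = {"src": src, "dst": dst, "pair": (src, dst)}[classify_by]
        # Both limits are checked independently; either one can drop the packet.
        if agg_seen[sec] >= aggregate_max or cls_seen[(sec, key)] >= classified_max:
            verdicts.append("drop")
            continue
        agg_seen[sec] += 1
        cls_seen[(sec, key)] += 1
        verdicts.append("allow")
    return verdicts

def summarize(packets, verdicts):
    """Count allow/drop per (second, destination IP)."""
    out = defaultdict(lambda: {"allow": 0, "drop": 0})
    for (sec, _src, dst), v in zip(packets, verdicts):
        out[(sec, dst)][v] += 1
    return dict(out)

def build_sample():
    """Constructed SYN stream; not captured traffic."""
    pkts = []
    # Second 0: one server hammered (300 SYNs) while nine others see 50 each.
    pkts += [(0, f"198.51.100.{i % 50}", "10.0.0.5") for i in range(300)]
    for h in range(6, 15):
        pkts += [(0, f"198.51.100.{i}", f"10.0.0.{h}") for i in range(50)]
    # Second 1: 1200 SYNs spread evenly over ten servers (120 each).
    pkts += [(1, f"198.51.100.{i % 50}", f"10.0.0.{5 + i % 10}") for i in range(1200)]
    return pkts

if __name__ == "__main__":
    sample = build_sample()
    for k, v in sorted(summarize(sample, evaluate(sample)).items()):
        print(k, v)
```

In second 0 only the classified limit fires (the hammered server is capped at 200 while its neighbours are untouched); in second 1 no single server crosses the classified limit, yet the aggregate ceiling still sheds the excess 200 SYNs.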
Detection of DDoS Tools
The next step is to identify and block DDoS tools used by attackers. Hacktivist groups will often rely on very simple tools or easily distributable scripts which can be used by users with basic computer skills. LOIC (the Low Orbit Ion Cannon) has been a popular tool in various Anonymous projects as well as other hacktivist operations. Palo Alto Networks is able to identify attacks driven by LOIC, Trinoo and others and automatically block their DDoS traffic at the firewall.
Blocking DoS Exploits
The simplest step is to block exploits that can lead to DoS conditions. Palo Alto Networks vulnerability protection profiles provide inline protection from well over 400 different vulnerabilities in both servers and clients that cause a denial-of-service condition. Defending against these types of vulnerabilities is relatively straightforward and is likely already a component of your IPS and threat prevention profiles on your Palo Alto Networks devices.
Controlling Botnets to Control DDoS
While it’s paramount to be prepared for a DDoS against your network, it’s also important to ensure that your network doesn’t contribute to an attack elsewhere. Many DDoS attacks are the work of botnets that leverage an army of infected machines to send traffic at a specific target. Palo Alto Networks provides blocking of malware command-and-control traffic and offers the behavioural botnet report to expose devices in the network that are likely infected by a bot. These efforts will ensure you don’t unwittingly contribute to a DDoS attack.
When it comes to DDoS it is always important to remember that there will likely never be a single silver bullet. Stopping DDoS attacks requires a blend of strong local security controls as well as efforts to mitigate the attack upstream. Using these techniques in a coordinated way will help you to build an overall approach to coping with a DDoS attack.