How to prevent or stop DoS attacks?

The response and prevention

Defending against denial-of-service attacks typically combines attack detection, traffic classification and response tools, with the goal of blocking traffic identified as illegitimate while allowing only traffic identified as legitimate. Below is a list of response and prevention tools:

Firewalls

Firewall rules are simple: permit or deny a port, a protocol, or an IP address. Some DoS attacks are too complex for many firewalls. For example, if an attack arrives on port 80 (the web service), a packet-filtering firewall cannot easily distinguish the attack's bad traffic from the good traffic, so it cannot prevent the attack. In addition, firewalls may sit too deep in the network: routers may already be affected before the traffic ever reaches the firewall. Firewalls can nonetheless play an effective role in preventing users from launching even simple flooding attacks from machines behind the firewall.

Some stateful firewalls, such as OpenBSD's pf(4) packet filter, can act as a proxy for connections: instead of simply forwarding the packet to its destination, the firewall validates the handshake with the client first. This is also available on other BSDs. In that context it is called "synproxy".
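To make the synproxy idea concrete, here is an added toy model (not code from the original article, nor from OpenBSD or pf, which do this in the kernel). It compares a plain pass-through packet filter with a firewall that completes the handshake itself before opening a connection to the server. The names Server, PassThroughFirewall, SynProxyFirewall and run_scenario, the backlog size and the "spoofed-N" sources are all assumptions made for the illustration.

```python
# Added example (not code from the original article or from OpenBSD/pf): a toy
# model of the synproxy idea. Names such as Server, SynProxyFirewall and
# run_scenario are assumptions for this illustration.

class Server:
    """Backend with a bounded table of half-open (SYN received, no ACK yet) connections."""

    def __init__(self, backlog=8):
        self.backlog = backlog
        self.half_open = set()
        self.established = set()
        self.dropped = 0

    def on_syn(self, client):
        # A full half-open table is what a SYN flood aims for: new SYNs are dropped.
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open.add(client)
        return True

    def on_ack(self, client):
        if client not in self.half_open:
            return False
        self.half_open.remove(client)
        self.established.add(client)
        return True


class PassThroughFirewall:
    """Plain packet filter: every SYN is forwarded to the server as it arrives."""

    def __init__(self, server):
        self.server = server

    def on_syn(self, client):
        return self.server.on_syn(client)

    def on_ack(self, client):
        return self.server.on_ack(client)


class SynProxyFirewall:
    """Answers the SYN with its own SYN-ACK and only talks to the server once
    the client's ACK proves the handshake is genuine."""

    def __init__(self, server):
        self.server = server
        # Clients we have sent a SYN-ACK to. Real implementations keep this state
        # cheap (SYN cookies are one common technique); here it is a plain set.
        self.pending = set()

    def on_syn(self, client):
        self.pending.add(client)
        return True

    def on_ack(self, client):
        if client not in self.pending:
            return False
        self.pending.discard(client)
        # Replay the handshake toward the server on the client's behalf.
        return self.server.on_syn(client) and self.server.on_ack(client)


def run_scenario(firewall_cls, flood_syns=100, legit_clients=5, backlog=8):
    """Constructed scenario: a burst of SYNs that never complete, followed by
    legitimate clients that do. Returns how the server fared."""
    server = Server(backlog=backlog)
    fw = firewall_cls(server)
    for i in range(flood_syns):          # bare SYNs, no ACK ever follows
        fw.on_syn(f"spoofed-{i}")
    established = 0
    for i in range(legit_clients):       # real clients complete the handshake
        name = f"client-{i}"
        fw.on_syn(name)
        if fw.on_ack(name):
            established += 1
    return {
        "established": established,
        "server_half_open": len(server.half_open),
        "server_dropped": server.dropped,
    }


if __name__ == "__main__":
    for cls in (PassThroughFirewall, SynProxyFirewall):
        print(cls.__name__, run_scenario(cls))
```

With the pass-through filter the server's half-open table fills with the first eight bare SYNs and every later client, legitimate or not, is dropped; with the proxy the server never sees a SYN until a client has answered the SYN-ACK, so all five legitimate clients connect. The cost moves to the firewall, which now has to remember pending handshakes, which is why real implementations keep that state as small as possible.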

Switches

Most switches have some rate-limiting and ACL capability. Some switches provide automatic or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (filtering of bogus, unroutable IP addresses) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN link failover and balancing.

These schemes work as long as the DoS attack is of a kind they can prevent. For example, a SYN flood can be prevented with delayed binding or TCP splicing. Likewise, content-based DoS can be prevented with deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented with Bogon filtering. Automatic rate filtering works only if the rate thresholds have been set correctly. WAN link failover works only if both links have a DoS/DDoS prevention mechanism.

Routers

Like switches, routers have some rate-limiting and ACL capability, and these too can be set manually. Under a DoS attack, most routers are easily overwhelmed. Adding rules to pull flow statistics out of the router while the attack is going on only complicates matters and slows it down further. Cisco IOS has preventive features that help control flooding.

Application Front End Hardware

Application front end hardware is intelligent hardware placed on the network before any traffic reaches the servers. It can be used on networks in combination with switches and routers. As data packets enter the system, the application front end hardware analyzes them and classifies each one as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is considered the backbone of bandwidth management.

IPS based prevention

Intrusion-prevention systems (IPS) are effective only if the attacks have signatures associated with them. However, the trend among attacks is to carry legitimate content but bad intent. Intrusion-prevention systems that work by recognizing content cannot block behavior-based DoS attacks.

An ASIC-based IPS acts as an automatic circuit breaker: because it has both the processing power and the ability to analyze the attacks, it can detect and block denial-of-service attacks. A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern to determine whether there is a traffic anomaly. It must let legitimate traffic through while blocking the DoS attack traffic.
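The Switches section above mentions rate filtering and Bogon filtering, and the paragraph just above describes a rate-based IPS that watches the traffic pattern for anomalies. Here is an added example of both checks written out as code; it is not from the original article and is not the logic of any particular switch or IPS vendor. It classifies constructed flow records per source address: a source using an address from a Bogon list is rejected outright, and a source that sends many bare SYNs in a short window without ever completing handshakes is flagged as a SYN flood, while a merely busy client (many SYNs, each followed by an ACK) stays "ok". The function names, the Bogon list, the window size and the thresholds are all assumptions chosen for the illustration; the window and ratio thresholds are exactly the "rate thresholds" that, as the article notes, must be set correctly for rate filtering to work.

```python
# Added example, not code from the original article or from any switch or IPS
# vendor: a small rate-based anomaly check of the kind a rate-based IPS (RBIPS)
# or a switch's rate filter performs, combined with a Bogon source filter.
# Names (classify_flows, build_sample_flows, BOGONS) and thresholds are assumptions.
import ipaddress
from collections import defaultdict

# Constructed Bogon list: a subset of address space that must never appear as
# a source on the public Internet (private, loopback, link-local, multicast, ...).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGONS)


def peak_rate(times, window_s):
    """Largest number of events falling inside any window_s-wide window."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while times[left] < t - window_s:
            left += 1
        best = max(best, right - left + 1)
    return best


def classify_flows(flows, window_s=1.0, syn_threshold=20, min_ack_ratio=0.2):
    """Map each source IP to a verdict: "bogon", "syn-flood" or "ok".

    flows: iterable of (timestamp_seconds, src_ip, dst_port, tcp_flags).
    A source is a SYN flood when it exceeds syn_threshold bare SYNs inside a
    window_s window AND fewer than min_ack_ratio of its SYNs are followed by
    an ACK from it (handshakes never complete, unlike a merely busy client).
    """
    by_src = defaultdict(list)
    for ts, src, _port, flags in flows:
        by_src[src].append((ts, flags))
    verdicts = {}
    for src, events in by_src.items():
        if is_bogon(src):
            verdicts[src] = "bogon"
            continue
        syn_times = [ts for ts, f in events if f == "S"]
        acks = sum(1 for _, f in events if "A" in f)
        ack_ratio = acks / len(syn_times) if syn_times else 1.0
        flooding = (peak_rate(syn_times, window_s) > syn_threshold
                    and ack_ratio < min_ack_ratio)
        verdicts[src] = "syn-flood" if flooding else "ok"
    return verdicts


def build_sample_flows():
    """Constructed flow records for the demonstration."""
    flows = []
    for i in range(5):                          # ordinary client, 5 completed handshakes
        flows.append((i * 2.0, "203.0.113.5", 80, "S"))
        flows.append((i * 2.0 + 0.05, "203.0.113.5", 80, "A"))
    for i in range(30):                         # busy but legitimate: 30 handshakes in 1 s
        flows.append((i / 30, "203.0.113.77", 80, "S"))
        flows.append((i / 30 + 0.01, "203.0.113.77", 80, "A"))
    for i in range(50):                         # flood: 50 bare SYNs in 0.5 s, never an ACK
        flows.append((i / 100, "198.51.100.9", 80, "S"))
    flows.append((0.3, "10.0.0.1", 80, "S"))    # private source address arriving from outside
    return flows


if __name__ == "__main__":
    for src, verdict in sorted(classify_flows(build_sample_flows()).items()):
        print(f"{src:15} {verdict}")
```

The point of combining the rate check with the handshake-completion ratio is the one the article makes about signatures: a high SYN rate alone is not a signature of an attack, since a busy legitimate client looks the same on that metric, so the rate-based check has to look at behaviour (whether handshakes complete) rather than at content. Set `syn_threshold` too low and ordinary clients are blocked; set it too high and the flood passes, which is the threshold-tuning problem the Switches section warns about.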

DDS based defense

A DoS Defense System (DDS) is more focused on the problem than an IPS: it can block connection-based DoS attacks as well as attacks with legitimate content but bad intent. A DDS can address both protocol attacks (such as Ping of death and Teardrop) and rate-based attacks (such as SYN floods and ICMP floods).

Some IPS products, such as the well-known ones from Top Layer, have a purpose-built system that can identify and block denial-of-service attacks at a greater speed than a software-based system.

Blackholing and sinkholing

With blackholing, all traffic heading to the attacked IP address or DNS name is diverted to a "black hole" (a non-existent server, a null interface, ...). Managed by the ISP, this is efficient and does not affect network connectivity. Sinkholing instead routes the traffic to a valid IP address that can distinguish good traffic from bad. Sinkholing is not efficient for severe attacks.

Clean pipes

All traffic is passed through a "scrubbing center" or "cleaning center" by various methods such as tunnels, direct circuits or proxies. The center separates out "bad" traffic (DDoS attacks and many other common internet attacks) and passes only the good traffic on to the server. To manage this type of service, the provider needs central connectivity to the internet unless it is located within the same facility as the "scrubbing center" or "cleaning center".

Examples of such service providers include Verisign, Tata Communications and Prolexic.
