Cannot resist denial of service attacks

DDoS attacks on a number of recently launched business and organization websites in Vietnam have caused victims to be frustrated but there is no way to deal with or search for perpetrators. Talk to Roberto Preatoni and Carole Theriault, two famous international security experts, on this issue.

- When did DDoS become a popular attack activity?

Roberto Preatoni is the founder of Zone-H's famous Security Forum (http://www.zone-h.org/) with the nickname SyS64738. He is also the CEO of the security company Domina Security, which operates in many European countries. Preatoni is also a prestigious speaker at many annual international security conferences such as Defcon (USA).

Roberto Preatoni: From the late 90s of the last century. This activity originated when some security experts, in the process of detecting system deficiencies on Windows 98 operating systems, discovered that simply sending a large ping data packet was enough to paralyzes a target server. This discovery is then immediately used by hackers to eliminate the objects they intend to attack. From here, the early form of DoS (Denial of Service) was born. Meanwhile, the DDoS (Distributed Denial of Service) format relies on sending a ping command to a list of multiple servers (this type is called an amplifier, ie amplifying the target width), assuming a ping package. so that the original IP address is disguised as the victim's IP. Servers responding to this ping request will then flood the victim with the answer (answer) called pong.

Carole Theriault is currently a senior security technology advisor with Sophos (UK) security software firm. She is also a prestigious consultant in many forums and magazines about the world security Carole Theriault: DDoS originating from the initial form of DoS. DoS is less dangerous because system administrators can often identify and block host machines that cause problems. Meanwhile, DDoS uses multiple distributed sources to coordinate attack activity on the target. It is difficult to determine which connections are valid and which are hostile.

- How is a normal DDoS attack initiated?

Carole Theriault

Carole Theriault: An access command sent to the server. The server authenticates and then waits for that command to confirm the above authentication before allowing the user's computer to access. In DDoS attacks, the server is flooded by the access commands of a huge number of connections from unrealistic addresses and that means the server cannot find users who have authentic access needs. . When the number of access commands is large, the server is flooded and cannot handle the number of commands it is being requested to resolve. Some types of viruses and network worms have also caused DDoS attacks. The first cases were viruses that distributed large amounts of e-mail, such as Loveletter, Melissa, which flooded mail servers so that servers could not handle legitimate requests. Currently, many Internet worms take advantage of computer errors (for example, the 2004 Sasser virus) to flood Windows-based computers that are defective, making it impossible for PC to download patches.

Roberto Preatoni

Roberto Preatoni: In general, attackers often control a remote computer by exploiting a defect. This computer (which will later become the germ of a network of computers that is restricted to DDoS attacks, called botnets) will be installed with a hidden process to ensure it is always connected in a secret chat room. , where the author ordered it. This computer also seeks to scan on the Internet to find other computers that have vulnerabilities, infect remote control software into them so that all unregistered new machines will join the above chatroom and be ready. receive commands from hackers or participate in searching the Internet for PCs with other errors. Generally, within a few days, this computer network will increase from one to hundreds or thousands of members. By the time this force is strong enough, they will be used at the same time to execute an attack on the target at the discretion of the author. The goal will disappear from the network, ie completely offline. At the same time, all interaction activities on the victim's Internet environment also stop.

- How many DDoS formats have been recorded so far?

Roberto Preatoni: In general, it is possible to group denial of service attacks in the form of HTTP floods (web address attack), Database flood (database attack), and TCP-IP protocol flood (attack protocol). TCP-IP), Bandwidth flood (bandwidth attack), Mail bombing (mail attack), SMS bombing (SMS attack).

Carole Theriault: Specific classification is difficult. Some experts say there are 3 types. Many others think that there are up to 12. The main feature of DDoS is to overload the system, paralyze the service, making it impossible to handle valid transactions. So, in my opinion, DDoS can be seen in the form of Internet Control Message Protocol (ICMP), flooding User Datagram Protocol (UDP), flooding Transmission Control Protocol (TCP), attacking applications via defects. .

- How is DDoS situation on the Internet in recent years?

Roberto Preatoni: The denial-of-service attacks are constantly increasing and increasingly popular among young hackers who enjoy the feeling of conquerors, and are also popular among cyber criminals, Those who like to enjoy the smell of money earned from these activities.

Carole Theriault: It is true that while some DDoS attacks are confusing, many cases are extortion. When e-commerce is growing, businesses have to rely heavily on websites, the risk of them being extorted is also greater whenever the criminal attacks the site and demands money. It is very difficult to know how much this financial loss is because most victims' businesses accept payment and take the case because they themselves do not want to make a loud noise. In the future, attacks like this will continue as long as the ability to make money still exists. Many famous websites in the world like Google, Microsoft have repeatedly been victims of DDoS.

- So what to do to deal with DDoS?

Roberto Preatoni: Can only reduce attack intensity. There is no countermeasure unless your website is hosted (host) on expensive and powerful systems like Akamai. Tightening the management of databases, applications and firewalls can help prevent many denial of service attacks, or at least limit the factors that affect website but not destructive attack.

Carole Theriault: Need to use a protected system, with applications that are regularly patched, set up a reasonable firewall to filter packets and prevent unauthorized third parties from accessing system. Using updated antivirus software is also a good thing to do.

When you are under attack, you can also expand the bandwidth although this is a very expensive solution. In countries with developed IT infrastructure, there are many companies offering this service in an emergency or at peak access hours that need to increase bandwidth.

Another method is to set up a tracking router on the network, detected before a flow of information reaches the website's web servers. This router will filter out incoming packets and ensure that the source IP address of all packets is equal to that company's IP address space and not be tampered with.

However, the best place to prevent a denial-of-service attack is not on the business network, but at the ISP. For example, they can limit the bandwidth of a particular flow of information at any time. Unfortunately, not all ISPs do this. Perhaps it is best for businesses to discuss clearly with ISP about website security issues before signing contracts with them.

Phan Khương