Don’t be distressed by DDoS

by | June 28, 2012

On May 9, Ustream, a service that lets users broadcast live video from a computer or any mobile devices in minutes, faced the largest DDoS attack it has ever experienced. In a statement released that day, Brad Hunstable, CEO of Ustream, said, “This is an actively managed attack of a scale that we have never seen, that continues to change and iterate as we counter.” The attack began at 5:30 a.m. EST and took Ustream down for most of the day, impacting thousands of IP addresses.

Reports of such an aggressive strike by DDoS attackers left any webmaster or web developer responsible for a high-profile site hoping they wouldn’t be next. But don’t let fear keep you offline. The bad news is that a DDoS attack can happen anytime, without warning, and can be devastating to your system. The good news is that there are ways to prepare yourself for an attack should one happen, and ways to manage it if it does.

At the end of the day, a DDoS attack is just another form of a load test on an environment. It isn’t totally off base to say that capacity planning tools are actually a way to legally perform DDoS attacks. But the first step of preparation is knowing what to look for.

We commonly see two types of DDoS attacks: 1) illegal attacks with malicious intent, and 2) social DDoS attacks. The differentiation between the two rests in the intent. If you can’t identify malicious intent, then you could simply be experiencing a social attack. A social attack is when a promotional tactic or other incentive to visit your site has been successful, and in fact, attracted so many users that your site crashed from being over capacity.

In this case, Ustream was undoubtedly the victim of a DDoS attack with malicious intent. Even before the day was over, the company had an idea of who the perpetrator was: a Russian user timing the attacks around the inauguration of Vladimir Putin. But regardless of the cause, both attacks can be overwhelming.

So how can you be prepared for something like a DDoS attack? The easy answer: capacity planning. It’s the most overlooked cornerstone of any defense.

Everybody has a theoretical idea of what they need to do if an attacker should strike, but until you actually run through it, there’s no way of knowing what will work and what won’t. I can tell you that one of the most common issues today in capacity planning is between the front-end web applications and the back-end databases, a discrepancy that can make you vulnerable to an attack.

That being said, the first key to preparing yourself for an attack is to have the right counter measures in place. The second key is knowing how your environment reacts to such a scenario. The best thing to do is to try and replicate an attack in the most controlled environment possible. I recommend enlisting a third-party load testing organization to actually simulate an attack. That way, you can actually understand what the ramifications are, and eliminate the “what-ifs” from your action plan.

At Apica, we have POPs all over the world, so we’re able to essentially stage the load test as if it were an attack. We mimic DDoS attacks in a very controlled environment, enabling our customers to see for themselves what works and why.

But the real question is: How do you prepare for, respond to, and mitigate a DDoS event when it occurs? Do you over provision your resources; engage ISPs to black hole the traffic; or do you hope that your IDS, firewall, or router can filter out the traffic? There are many techniques and strategies used, but usually they’re not tested in advance.

Apica offers a solution called Web Overload, which basically means that we can immediately re-route traffic to these light pages, preserving the integrity of the actual system itself. Mitigating the effects of a DDoS attack is complex and challenging. Technology is improving and more IDS solutions have the capability of identifying DDoS attacks and will cut them off either at the firewall level, or at the edge of the network before it enters into the servers and takes them down. This technique is fairly effective with smaller DDoS attacks but not the larger, more well-known attacks.

The bottom line is that there is an inherent risk in putting anything online. But that doesn’t mean that you should shy away from creating and maintaining a great website or mobile application. Instead, just be sure to take the proper steps to protect that investment and the revenue it generates for your business.

My rule of thumb is that anywhere from five to 10 percent of a company’s budget should be allocated to capacity planning. And trust me, if you ever find yourself in the situation that Hunstable found himself in on May 9, you’ll consider that money well-spent.

Apica Product Team