DDoS attacks: prevention is better than cure

Security experts have reminded companies worried about denial-of-service attacks that several options are available for those...

Security experts have reminded companies worried about denial-of-service attacks that several options are available for those whose websites become targets.

Last week, the SCO Group's website was hit by a DDoS attack, forcing the company to set up another site.

A DDoS attack typically involves thousands of compromised "zombie" systems sending torrents of useless data or requests for data to targeted servers or networks. 

The SCO attack was launched using systems that had previously been infected by the MyDoom virus, which contained code that instructed thousands of infected computers to access SCO's website at the same time, rendering it inaccessible to legitimate users. 

Stopping the flood of traffic can be very difficult because it is coming from so many sources, said Bruce Schneier, president of Counterpane Internet Security. 

"From a philosophical perspective, if the attacker's pipe is bigger than the defender's pipe, the attacker can always knock out the defender," he added. 

There are several approaches companies can take to prepare for attacks such as this, said Paul Mockapetris, inventor of the internet's core domain name system and chairman of IP address management vendor Nominum.

One is to set aside extra network bandwidth and server processing capacity to withstand sudden surges in traffic. Another is to "retreat from your domain name" and essentially park your website at another address while the attack plays out, like SCO. 

Geographically distributing web servers is another approach worth considering, Schneier said. That way, even if one server or network segment is taken down by an attack, normal traffic can be redirected to other servers. 

But putting in place extra server processing capacity to handle DDoS attacks can be expensive and is likely to make sense only for larger companies, Mockapetris said. "There's a bit of a digital divide when it comes to the ability of companies to defend themselves against these attacks." 

"The long-term answer to DDoS protection has to be in the [service provider] networks and backbones," said Gartner analyst John Pescatore. Upstream service providers are in a better position to detect and choke off traffic directed at a specific IP address, said Schneier. 

Both Gartner and Schneier said service providers should offer some sort of guarantee against DDoS attacks. Gartner has been advocating this for more than two years, urging users to include DDoS protection language in their service-level agreements with ISPs and data centre hosting companies. 

But less than 1% of companies overall are buying such services, Pescatore said. "Most enterprises say, 'It isn't raining, so the roof isn't leaking. Why fix it?' ."

Jaikumar Vijayan writes for Computerworld

Read more on IT risk management