
Not all network hardware measures up equally

Jun 28th 2010

In the world of DDOS attacks, not all network hardware measures up equally.

What can protect you from any DDOS attack?

Every device deals with packets in its own way and has limitations set by its design. Most network devices, such as switches and routers, can handle any amount of data within their specifications as long as there is not a lot of CPU- or other processor-intensive filtering, tagging, or matching going on. Routers with custom ASICs, such as carrier-class routers, may be able to handle many resource-intensive operations, such as ACL matching, while still forwarding a large amount of traffic.


Servers themselves have known mechanisms for TCP SYN Attacks, Such as what is built into the Linux kernel. TCP SYN cookie protection, or iptables based rate limiting. A single server may not protect you from a DoS attack, Let alone a DDoS attack.

If you have a load balancer, it will almost certainly be your weakest link. A 100 Mb/sec SYN flood can easily exhaust a load balancer's resources, even if it has several gigabytes of memory. As the session table fills, the clock is ticking until the load balancer eventually crashes. It's important to have mitigation hardware and a firewall in front of the load balancer to protect its delicate session table, which has to keep track of every VIP request and send back the reply after NATing or routing the packets to a real server.

A typical DDoS mitigation device is an ingress (incoming)/egress (outgoing) filtering setup. With such a device in front of your network or load balancer, you can avoid failure caused by session table overload. Devices that completely drop identified attack packets, rather than replying with SYN ACK and ACK, make the best overall use of network bandwidth. Another clear advantage shows up when attackers spoof their source IP addresses: they hit not only your network with a SYN attack, but also the spoofed IP (another victim, or another one of your own systems) with ACK replies from your own server. By not replying to these identified attackers, you have stopped two attacks at once.
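The two paragraphs above (per-server SYN cookies, and why a stateful load balancer's session table is the weak link) are easier to see in a small simulation. The following is an added example, not code from the article or from DOSarrest: it feeds a constructed spoofed-SYN flood to two toy listeners, one that stores a half-open entry per SYN with a bounded backlog, and one that answers with a SYN cookie and stores nothing. The cookie scheme is a simplified version of the Linux one (keyed hash of the 4-tuple and a coarse counter, no MSS encoding); the backlog size, IP addresses and flood size are all constructed values.

```python
import hashlib
import hmac
import os
import random

# Constructed parameters: a real kernel rotates its secret periodically and
# sizes the backlog from net.ipv4.tcp_max_syn_backlog.
SECRET = os.urandom(16)
BACKLOG_LIMIT = 256


def syn_cookie(src_ip, src_port, dst_port, client_isn, counter):
    """Build a SYN cookie to use as the server ISN: the top 8 bits carry a coarse
    time counter, the low 24 bits are a keyed hash of the 4-tuple, the client's
    ISN and that counter. The server keeps no state; a forged ACK cannot
    produce a matching value without the secret."""
    msg = f"{src_ip}:{src_port}:{dst_port}:{client_isn}:{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(digest[:3], "big")


def check_cookie(src_ip, src_port, dst_port, client_isn, cookie, now_counter):
    """Accept a cookie minted in the current or previous counter period only."""
    counter = cookie >> 24
    if ((now_counter - counter) & 0xFF) > 1:
        return False
    return syn_cookie(src_ip, src_port, dst_port, client_isn, counter) == cookie


class StatefulListener:
    """Stores one half-open entry per SYN, like a session table."""

    def __init__(self, limit=BACKLOG_LIMIT):
        self.limit = limit
        self.half_open = {}  # (ip, port) -> server ISN awaiting the final ACK
        self.dropped = 0
        self.established = 0

    def on_syn(self, ip, port, client_isn):
        if len(self.half_open) >= self.limit:
            self.dropped += 1  # table full: legitimate SYNs are lost as well
            return None
        isn = random.getrandbits(32)
        self.half_open[(ip, port)] = isn
        return isn  # SYN-ACK sent, state retained until ACK or timeout

    def on_ack(self, ip, port, ack):
        isn = self.half_open.get((ip, port))
        if isn is not None and ack == (isn + 1) & 0xFFFFFFFF:
            del self.half_open[(ip, port)]
            self.established += 1
            return True
        return False


class SynCookieListener:
    """Answers every SYN with a cookie ISN and stores nothing."""

    def __init__(self, dst_port=80):
        self.dst_port = dst_port
        self.counter = 0  # advanced by the caller once per period
        self.established = 0

    def on_syn(self, ip, port, client_isn):
        return syn_cookie(ip, port, self.dst_port, client_isn, self.counter)

    def on_ack(self, ip, port, client_isn, ack):
        cookie = (ack - 1) & 0xFFFFFFFF
        if check_cookie(ip, port, self.dst_port, client_isn, cookie, self.counter):
            self.established += 1
            return True
        return False


def simulate(flood_size=5000, seed=1):
    """Spoofed flood (sources never answer), then one legitimate handshake."""
    rng = random.Random(seed)
    stateful, cookies = StatefulListener(), SynCookieListener()
    for _ in range(flood_size):
        ip = f"198.51.100.{rng.randrange(256)}"  # constructed, documentation range
        port = rng.randrange(1024, 65536)
        stateful.on_syn(ip, port, rng.getrandbits(32))
        cookies.on_syn(ip, port, rng.getrandbits(32))
    ip, port, isn = "203.0.113.7", 40000, 12345  # constructed legitimate client
    s_isn = stateful.on_syn(ip, port, isn)
    s_ok = s_isn is not None and stateful.on_ack(ip, port, (s_isn + 1) & 0xFFFFFFFF)
    c_isn = cookies.on_syn(ip, port, isn)
    c_ok = cookies.on_ack(ip, port, isn, (c_isn + 1) & 0xFFFFFFFF)
    forged = cookies.on_ack(ip, port, isn, rng.getrandbits(32))  # guessed ACK
    return {
        "stateful_accepted_legit": s_ok,
        "stateful_half_open": len(stateful.half_open),
        "stateful_dropped": stateful.dropped,
        "cookie_accepted_legit": c_ok,
        "forged_ack_accepted": forged,
    }


if __name__ == "__main__":
    print(simulate())
```

Running it shows the stateful listener sitting at its backlog limit with the legitimate client's SYN dropped, while the cookie listener completes the legitimate handshake and rejects the guessed ACK. A real load balancer has a much larger table and a timeout, which is why the article talks about the clock ticking rather than instant failure; the mechanism is the same.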

HTTP-GET Attacks

For the average individual, who lacks the ability to monitor the many pieces of information involved in this type of attack, it may be next to impossible to stop. There is no way to tell a real customer from an attacker without a behavioral analysis of each client.

Your average Microsoft IIS or Apache web server can easily become overwhelmed by pure HTTP traffic. Many legitimate websites that get linked from sites such as Slashdot find out the hard way that an HTTP-GET attack can be very effective at bringing a site down. Load balancers help dramatically in this situation: they spread the load evenly across multiple servers, greatly reducing the chance that the site will be brought to its knees. The more servers you have, the more traffic you can handle.

Behavioral analysis by a mitigation device can stop some variants of this attack. Attacks such as Slowloris and HTTP-VERB style attacks have a high percentage of fragmented packets and attempt to cause as much CPU load on the servers and network devices as possible using the least amount of bandwidth. These are typically small attacks, able to go undetected until they have already taken down an average server or even a load-balanced server farm. They can be detected and blocked, but not with the greatest accuracy: some mitigation devices may end up blocking legitimate customers. If you take advantage of such a feature, do so with caution or risk many false positives.
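The kind of behavioral analysis the last two paragraphs describe, and the false-positive problem that comes with it, can be shown on web server logs. The following is an added example, not code from the article or from any mitigation product: it parses constructed Apache-style access log lines, counts requests per client in a sliding window, and flags clients that exceed a rate threshold, adding a second reason when nearly all of a flagged client's requests hit one URL. The thresholds, addresses and log lines are all constructed; the allow-list parameter is the hook a practitioner would use for a known proxy or NAT address that legitimately aggregates many users.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def parse_line(line):
    """Return a dict for a parsable line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}


def flag_clients(lines, window_s=10, max_requests=20, min_distinct_ratio=0.2, allow=()):
    """Sliding-window per-client rate check over an access log.

    A client is flagged with reason "rate" when more than max_requests of its
    requests fall inside any window_s-second window, and additionally with
    "single-url" when the share of distinct paths it requested is below
    min_distinct_ratio. Clients in allow are never flagged."""
    window = timedelta(seconds=window_s)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peak = defaultdict(int)
    paths = defaultdict(set)
    total = defaultdict(int)
    for e in events:
        ip, dq = e["ip"], recent[e["ip"]]
        dq.append(e["ts"])
        while dq and e["ts"] - dq[0] > window:
            dq.popleft()
        peak[ip] = max(peak[ip], len(dq))
        paths[ip].add(e["path"])
        total[ip] += 1
    verdicts = {}
    for ip in total:
        if ip in allow:
            continue
        reasons = []
        ratio = len(paths[ip]) / total[ip]
        if peak[ip] > max_requests:
            reasons.append("rate")
            if ratio < min_distinct_ratio:
                reasons.append("single-url")
        if reasons:
            verdicts[ip] = {"peak": peak[ip], "distinct_ratio": round(ratio, 2), "reasons": reasons}
    return verdicts


def build_sample_log():
    """Constructed log lines: one flooding client, five ordinary visitors and
    one NAT address that is busy but browses many different pages."""
    base = datetime(2010, 6, 28, 10, 0, 0)
    lines = []

    def fmt(ip, secs, path):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    for i in range(60):  # 60 GETs for one URL in 10 seconds
        lines.append(fmt("198.51.100.9", i // 6, "/search?q=a"))
    for n in range(5):  # 3 page views each, spread over a few seconds
        for j, path in enumerate(("/", "/products", f"/item/{n}")):
            lines.append(fmt(f"203.0.113.{10 + n}", n + 4 * j, path))
    for i in range(25):  # NAT: 25 requests, 15 distinct paths, in 10 seconds
        lines.append(fmt("203.0.113.1", i * 10 // 25, f"/page/{i % 15}"))
    return lines


if __name__ == "__main__":
    print(flag_clients(build_sample_log()))
    print(flag_clients(build_sample_log(), allow=("203.0.113.1",)))
```

The flooding client is flagged for both rate and single-url; the NAT address trips the rate threshold alone, which is exactly the false positive the article warns about, and disappears once it is placed on the allow list. In practice the thresholds need tuning per site, and the distinct-path check is only one of several signals a mitigation device would combine.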

Other TCP Attacks

Attack variations using various orders and combinations of the Urgent, ACK, Push, RST, SYN and FIN flags can have mixed results, depending on the operating system, kernel, or network device firmware. The best thing you can do on a limited budget is to keep your equipment up to date. In some cases, attackers will spoof your own network or server IP, or those of your customers, and try to close your connections with an RST flood. If an attacker knows or can guess the port you are using, their ability to disrupt your connection increases. Some mitigation devices can detect known patterns and block these as part of their behavioral analysis.
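Two of the "known patterns" a device or up-to-date kernel checks for are flag combinations no conforming TCP stack ever sends, and RST segments whose sequence number does not line up with the connection. The following is an added example, not code from the article or from any vendor: it classifies illegal flag combinations, and it implements the RST acceptance rule from RFC 5961 (reset only on an exact sequence match, challenge ACK for an in-window but inexact match, drop otherwise) next to the older in-window rule, then counts how many randomly numbered spoofed RSTs each rule would have let tear the connection down. The window size, sequence numbers and flood size are constructed values.

```python
import random

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG


def flag_violation(flags):
    """Return a label for a flag combination a conforming stack never emits,
    or None when the combination is plausible."""
    f = flags & ALL
    if f == 0:
        return "null"
    if f & (SYN | FIN) == SYN | FIN:
        return "syn+fin"
    if f & (SYN | RST) == SYN | RST:
        return "syn+rst"
    if f == FIN | PSH | URG:
        return "xmas"
    if f & (FIN | PSH | URG) and not f & (ACK | SYN):
        return "data-flags-without-ack"
    return None


def handle_rst(rcv_nxt, rcv_wnd, seq, strict=True):
    """Decide what a receiver does with an RST carrying sequence number seq.

    strict=True follows RFC 5961 section 3.2; strict=False is the older
    behaviour of accepting any RST whose sequence number falls in the window."""
    offset = (seq - rcv_nxt) & 0xFFFFFFFF
    if offset >= rcv_wnd:
        return "drop"
    if seq == rcv_nxt:
        return "reset"
    return "challenge-ack" if strict else "reset"


def rst_flood_outcome(n, rcv_nxt, rcv_wnd, seed=1):
    """Count successful teardowns from n spoofed RSTs with random sequence
    numbers under each rule (a guessed 4-tuple is assumed, as in the article)."""
    rng = random.Random(seed)
    legacy = strict = 0
    for _ in range(n):
        seq = rng.getrandbits(32)
        legacy += handle_rst(rcv_nxt, rcv_wnd, seq, strict=False) == "reset"
        strict += handle_rst(rcv_nxt, rcv_wnd, seq, strict=True) == "reset"
    return {"legacy_resets": legacy, "strict_resets": strict}


if __name__ == "__main__":
    # Constructed connection: 64 KiB window scaled by 2^7, typical for a server.
    print(rst_flood_outcome(100_000, rcv_nxt=0x1234_5678, rcv_wnd=65535 << 7))
    print(flag_violation(SYN | FIN), flag_violation(ACK | PSH))
```

With a scaled window of about 8 MB, roughly one in five hundred random guesses lands in-window, so the legacy rule loses the connection after a few hundred spoofed segments while the strict rule needs the attacker to hit the exact expected sequence number. This is why the article's advice to keep equipment up to date matters for this class of attack: the fix lives in the stack, not in a filter.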

Attacks are always evolving and changing. A dedicated security team focused on implementing the latest attack-protection techniques is a must if you want to respond to an attack with some hope of thwarting it.

Properly protecting your web server or e-commerce site from a DDoS attack is certainly no small undertaking. There is no one solution that can really protect you from all of the types of attacks. At DOSarrest we use a combination of devices, coupled with our proprietary filtering techniques, caching, and policy filtering, enabling us to mitigate any DDoS attack.

Our new DOSarrest Security Services (ISP/NSP) option provides an on-demand DDoS protection solution for small to large diverse networks, at a fraction of the price of doing it yourself.

Scott Girbav,

Dosarrest, Senior Network Security Engineer.
