Moving Target

25 February 2010 00:00 am, Sean Wilkins

DDoS protection is like a moving target; tracking the best ways of dealing with it changes as the attack types change.

Technological shifts are changing the way organisations view their information security risk management approach. With the increasing use of large-bandwidth networks, Denial of Service (DoS) attacks are emerging as one of the most potent threats to corporations. What can be done to mitigate such attacks?

A DoS attack is simply a server-level attack carried out through the use of malicious Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) traffic.

As the name suggests, a DDoS attack is distributed over a number of different physical locations. These attacks are typically launched through computer robots, or bots, which are compromised computers with an Internet connection. The bots are directed by central controllers to execute the tasks assigned to them, which often include initiating a DDoS attack on a specified target.

You could make your own systems robust, but the sources of the traffic ultimately lie in the hands of other users. Because the traffic originators can’t be easily controlled, a method must be used to mitigate the effect of the attack and to gather as much information as possible from it, in order to locate the exploited machines and their controllers.

Typically, the methods used to mitigate the attack are black hole routing and Access Control Lists (ACL).

With black hole routing, the Internet Service Provider (ISP) routes all traffic from a given source, or to a given destination, to a non-existent network, which effectively drops that traffic. In the case of a DDoS attack, blocking one source cannot really fix the problem, as there can be thousands of sources targeting the destination address or network.

The problem with this technique is that it essentially does what the attacker is trying to do by bringing down the target network.

ACLs are configured on routing equipment and can be used to control the movement of traffic through a given network element, be it a router, a layer-3-enabled switch, or both.

The main problem with ACLs is that they are typically static and must be configured during an attack to be effective; even then, the sheer number of sources to be blocked makes them ineffective.

There are a number of solutions out there which have been introduced in order to deal with DDoS attacks.

The two that seem the most popular are DDoS mitigation through anomaly detection and Border Gateway Protocol (BGP) traffic flow filtering.

Anomaly protection looks for signs of a specific attack, not just DDoS attacks.

If the system gets a hint that an attack may be under way, it automatically reroutes the traffic to a secondary appliance, which is used to verify the findings and screen out the attack traffic before allowing the valid traffic into the network.

BGP traffic flow filtering is essentially an extension of black hole routing and ACLs, but with additional intelligence. When a provider notices an attack, it is able to track the attack down to the specific source and destination addresses or networks, as well as the specific protocols and ports being used. This information is then relayed to the provider’s BGP routers, which in turn black hole the traffic with these specific characteristics.

This technology does rely on a large BGP infrastructure which supports traffic flow filtering. The standard developed for this is written in RFC 5575 - Dissemination of Flow Specification Rules.
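To make the difference between the two approaches concrete, here is an added example (not from the article or from any router vendor) that builds the RFC 5575 flow-specification NLRI for one such rule (destination prefix, IP protocol and destination port, components of types 1, 3 and 5) and then applies both black hole routing and the flowspec rule to a few constructed sample flows. The addresses, port numbers and flow records are constructed for illustration.

```python
"""Added example (not from the article): encode an RFC 5575 flow-specification
NLRI and compare its filtering with black-hole routing on constructed flows."""
import ipaddress
import struct

# RFC 5575 component types used here and numeric-operator flag bits.
DEST_PREFIX, IP_PROTO, DEST_PORT = 1, 3, 5
OP_END, OP_LEN2, OP_EQ = 0x80, 0x10, 0x01   # end-of-list, 2-byte value, "equal"

def encode_flowspec_nlri(dst_prefix, proto, dst_port):
    """Build the NLRI matching dst_prefix AND proto AND dst_port (types 1, 3, 5)."""
    net = ipaddress.ip_network(dst_prefix)
    sig = (net.prefixlen + 7) // 8                      # only significant prefix bytes
    body = bytes([DEST_PREFIX, net.prefixlen]) + net.network_address.packed[:sig]
    body += bytes([IP_PROTO, OP_END | OP_EQ, proto])    # one-byte protocol value
    body += bytes([DEST_PORT, OP_END | OP_LEN2 | OP_EQ]) + struct.pack("!H", dst_port)
    # NLRI length: one byte below 240, otherwise two bytes with the top nibble set.
    hdr = bytes([len(body)]) if len(body) < 240 else struct.pack("!H", 0xF000 | len(body))
    return hdr + body

def blackhole_drops(flow, victim_prefix):
    """Black-hole routing discards everything addressed to the victim prefix."""
    return ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(victim_prefix)

def flowspec_drops(flow, rule):
    """A flowspec rule (dst_prefix, proto, dst_port) discards only matching traffic."""
    dst_prefix, proto, dst_port = rule
    return (ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(dst_prefix)
            and flow["proto"] == proto and flow["dport"] == dst_port)

def compare(flows, rule):
    """Count what each technique drops and how much legitimate traffic it keeps."""
    bh = [blackhole_drops(f, rule[0]) for f in flows]
    fs = [flowspec_drops(f, rule) for f in flows]
    legit = [f["legit"] for f in flows]
    return {"blackhole_dropped": sum(bh), "flowspec_dropped": sum(fs),
            "legit_kept_blackhole": sum(ok and not d for ok, d in zip(legit, bh)),
            "legit_kept_flowspec": sum(ok and not d for ok, d in zip(legit, fs))}

# Constructed sample flows: a UDP/53 flood at the victim plus legitimate traffic.
SAMPLE_FLOWS = [
    {"dst": "192.0.2.10", "proto": 17, "dport": 53, "legit": False},  # flood traffic
    {"dst": "192.0.2.10", "proto": 6, "dport": 443, "legit": True},   # the victim's web users
    {"dst": "192.0.2.20", "proto": 17, "dport": 53, "legit": True},   # DNS to another host
]
RULE = ("192.0.2.10/32", 17, 53)   # what the provider would relay to its BGP routers
```

Running `compare(SAMPLE_FLOWS, RULE)` shows black holing the victim prefix also discards its legitimate web traffic, while the flowspec rule drops only the flood.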

Ultimately, DDoS protection is a moving target and tracking the best ways of dealing with it will change as the attack types change.

To sum up, these present-day solutions should be able to mitigate a large number of the attacks doing the rounds today.

Sean Wilkins is a regular contributor at CIOZone.com
