Some of our sites are occasionally the target of Distributed Denial-of-Service (DDoS) attacks. What can we do to help ensure critical applications don't suffer performance breakdowns?
Web application performance and potential associated Denial-of-Service (DoS) attacks are complicated issues. Some application issues can be handled by in-house development and IT operation teams, but more sophisticated protections often require the use of specialized hardware and third-party services.
Starting with what many organizations can handle in-house, look for application and infrastructure bottlenecks: places where an attacker gains leverage by spending a small amount of effort to consume a disproportionate amount of server resources.
For example, applications that process XML documents using a Document Object Model (DOM) approach hold the entire document in memory, so attackers can use a comparatively small, sustainable amount of bandwidth to consume a much larger amount of fixed server memory. In addition, attackers can abuse some application logic to deny access to legitimate users. That said, DDoS attacks are more common, and addressing them is often beyond the purview of development teams. This means that infrastructure teams or third-party providers must step in to help. Infrastructure such as firewalls, switches and routers can be configured to ignore traffic of certain protocols or from certain sources.
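As an added illustration of the DOM memory problem described above (example code, not part of the original answer): a streaming expat parse that refuses DOCTYPE declarations and enforces byte, element-count and depth budgets, so memory use is tied to the budgets rather than to the size of the document an attacker sends. The cap values, the `parse_bounded` and `chunked` names and the `XmlRejected` exception are assumptions for the example.

```python
import xml.parsers.expat as expat

# Illustrative budgets (assumed values); tune them to the real API's documents.
MAX_BYTES = 1_000_000
MAX_ELEMENTS = 10_000
MAX_DEPTH = 64


class XmlRejected(ValueError):
    """Raised when a document exceeds the configured resource bounds."""

def parse_bounded(chunks, max_bytes=MAX_BYTES, max_elements=MAX_ELEMENTS,
                  max_depth=MAX_DEPTH):
    """Stream-parse XML from an iterable of byte chunks under hard caps.
    Returns a count per element name; memory is bounded by the caps, not by
    the (attacker-controlled) size of the input, unlike a DOM parse."""
    parser = expat.ParserCreate()
    stats = {"bytes": 0, "elements": 0, "depth": 0, "names": {}}

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # The DOCTYPE is where entity declarations live (expansion bombs,
        # external entities); an API exchanging plain data can refuse it.
        raise XmlRejected("DOCTYPE not allowed")

    def start_element(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        if stats["elements"] > max_elements:
            raise XmlRejected("too many elements")
        if stats["depth"] > max_depth:
            raise XmlRejected("nested too deeply")
        stats["names"][name] = stats["names"].get(name, 0) + 1

    def end_element(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element

    for chunk in chunks:
        stats["bytes"] += len(chunk)
        if stats["bytes"] > max_bytes:
            raise XmlRejected("larger than byte budget")
        parser.Parse(chunk, False)  # incremental: no tree is ever built
    parser.Parse(b"", True)         # signal end of document
    return stats["names"]

def chunked(data, size=4096):
    """Split bytes into fixed-size chunks, simulating socket reads."""
    return [data[i:i + size] for i in range(0, len(data), size)]
```

The same caps belong at the edge as well (request body size limits on the web server), so oversized documents are dropped before they reach the application.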
In addition, cloud servers can be used to scale up capacity during times of overload. However, applications need to be designed with this type of scaling in mind: web servers, application servers and database servers must be configured so that adding capacity can be done easily. Content distribution networks (CDNs) can also be used to cache and serve static content, reducing the load on core servers.
For serious attacks, there are commercial services and dedicated hardware available specifically to reduce or eliminate the impact of DDoS attacks. These typically analyze network traffic to identify malicious requests and then drop or null-route them. Such services are usually sourced from hosting providers or as add-on products from CDNs. An advantage of using a cloud-based DDoS provider is the provider's ability to analyze traffic across many different targets and use that threat intelligence for attack detection and traffic shaping.
Organizations considering security often downplay or ignore the requirement for availability and instead focus on confidentiality and integrity. This works well until an application becomes the target of a DDoS attack. Planning for these types of attacks up front allows an organization to already have a network, server and application architecture in place that is ready to undergo the changes required to activate DDoS protections.
Organizations that fail to plan ahead may find that they are forced to make risky changes on the fly while under attack. Making these sorts of changes during DDoS conditions can make it harder to pinpoint errors and lead to longer downtime.
This was first published in February 2014