This is a post that is following up on a previous article I wrote last week called “My first DDoS Experience.” I wrote the post while the company I work for was still in the middle of a relentless SYN flood attack. A Cisco ASA 5510 firewall was installed running software version 7.1(2), and didn’t do much to fight off the attack. Now I wish I had hands on experience configuring such a firewall but I don’t, and wasn’t able to be present when it was configured. The impression was that the firewall had the capabilities to stop an attack like this, but it wasn’t able to do much for us after being put into place.
After the firewall didn’t do as much as hoped, we had to manually find out what domain was being targeted by the attacker and stop hosting it from our server. We did this by making many different IP’s on the server and distribute the domains across all the IP’s, then follow which IP the traffic was being funneled to. Eventually we narrowed it down to 5 domains and made an IP for each domain, and found the culprit and removed it. That was the end of it for us, but I learned a new technique for weeding out a targeted domain name (if I ever encounter such a thing again). What I am more interested in, is preventing such attacks, and a commenter on my original blog pointed me to a great resource for such.
If you are interested in DDoS prevention and network behavioral analysis, then you must check out the material on www.intruguard.com. They offer network behavioral analysis solutions for larger companies and go into great detail on how their products operate. For smaller companies, a solution like this might be overkill if you already have an intrusion detection system in place. I do realize that could be a bold statement though, because you really can never be too safe, and I know that botnets aren’t getting smaller at the moment. I have even heard of botnet armies being reported at up to 50,000 infected machines, wowsers. I think for medium/larger sized companies a network behavioral analysis appliance would be a must as they will be targeted much more. I imagine that very large companies get hit with multiple enormous DDoS attacks daily, and I can guarantee they are using units like the ones offered by IntruGuard. I am also a huge believer in behavioral detection systems of many varieties security wise. I have been using the behavioral anti-virus Threat Fire on my personal computer to supplement my virus definition scanning anti-virus, and have had superb success with it. I think that behavioral detection of many sorts just puts you one step ahead of the attacker.