A thought by Jeff Stein
What can you do to counter a denial-of-service attack? There are a number of ways to counter denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. This thought focuses on ways to remediate an attack in progress and is part of a four-part series on countering DoS and DDoS attacks, including:
Detection of Compromised Systems
Hardening of Systems to Block Infection
Remediating an Attack In Progress
Offsetting Risk with Cloud Services
The main focus in responding to DoS attacks typically occurs when you become aware of an attack in progress. A DoS or DDoS attack can cripple a network, leaving it unresponsive to typical network traffic requests. Remediating an attack should be a multi-tiered approach with different controls to help resolve the threat. Below are a few approaches that you can leverage to remediate an attack in progress.
An intrusion prevention system (IPS) is similar to an intrusion detection system (IDS) because both are designed to identify potential attacks on an environment, whether network or host-based. Like an IDS, an IPS utilizes signature-based as well as anomaly-based detection methods to provide accurate diagnostics of potential incidents. Where an IPS stands out from an IDS is what happens once detection is complete: intrusion prevention systems can go a step further and proactively prevent malicious activity from impacting the targeted network or system. [1] As with IDS, intrusion prevention systems are also considered an industry best practice for countering incidents such as a DDoS attack. [2]
An IPS leverages packet filtering to block potential DDoS traffic that has been identified by the detection component of the intrusion prevention system. [1] This proactive approach makes an IPS well suited to countering DoS attacks, because the device can be automated to begin remediation as soon as a potential attack has been detected. An IPS placed inline on the network allows for more timely remediation, and therefore a shorter outage overall than if the attack were not remediated immediately.
The challenge with intrusion prevention systems is that, because they respond proactively to DoS and DDoS attacks, tuning is required. Automated response can lead to some degree of false positives, and blocking legitimate traffic can have the same impact as a DoS attack itself. Attention should therefore be given to tuning your IPS to reduce the level of false positives so that the solution can be used effectively.
A firewall is a software program or hardware device that screens traffic passing through a network. [3] Traffic that matches policies configured on the device can be blocked and prevented from advancing to a targeted system if it is malicious. [4] Firewalls are placed between the subject that needs to be protected, such as an internal network or a web server, and the external traffic.
To provide the ability to block traffic associated with a DDoS attack, a firewall can be placed between your resources and the internet. This allows you to block traffic by protocol, and traffic coming from the compromised systems that are part of the attack, and so potentially mitigate a DDoS attack. Firewalls are a standard in network security, and as pointed out by EC-Council, employing a stateful inspection firewall is a precautionary step toward preventing denial-of-service attacks. [5]
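The IPS tuning trade-off discussed above and the firewall's per-source, per-protocol blocking, as an added example that is not part of the original post: a rate-based detector run over a constructed 60-second traffic sample, the false positives a threshold set too low produces, and the drop rules a tuned threshold would hand to the firewall. The addresses, the allowlist and the iptables rule syntax are assumptions for illustration.

```python
from collections import Counter

# Constructed traffic sample: (source IP, protocol, second observed) over a 60-second capture.
# Assumed: the 10.1.1.x hosts are compromised systems flooding UDP, 203.0.113.7 is a busy but
# legitimate TCP client, and 198.51.100.9 is a quiet client on an operator-maintained allowlist.
FLOWS = (
    [("10.1.1.%d" % i, "udp", t) for i in range(1, 6) for t in range(60)]  # 5 sources, 60 pkts each
    + [("203.0.113.7", "tcp", t) for t in range(0, 60, 3)]                 # 20 pkts
    + [("198.51.100.9", "tcp", t) for t in range(0, 60, 15)]               # 4 pkts
)
ALLOWLIST = {"198.51.100.9"}  # assumed known-good addresses that are never auto-blocked
LEGITIMATE = {"203.0.113.7", "198.51.100.9"}  # ground truth, used only to measure false positives

def decide_blocks(flows, threshold_pps, allowlist=ALLOWLIST):
    """Rate-based detection: return {(src, proto): pps} for sources above the threshold."""
    duration = max(t for _, _, t in flows) + 1  # seconds covered by the sample
    counts = Counter((src, proto) for src, proto, _ in flows)
    return {
        key: n / duration
        for key, n in counts.items()
        if key[0] not in allowlist and n / duration > threshold_pps
    }

def false_positives(blocked, legitimate=LEGITIMATE):
    """Legitimate sources the automated response would have cut off."""
    return sorted({src for src, _ in blocked if src in legitimate})

def tune_threshold(flows, candidates, legitimate=LEGITIMATE):
    """Pick the lowest candidate threshold that blocks no legitimate traffic, else None."""
    for threshold in sorted(candidates):
        if not false_positives(decide_blocks(flows, threshold), legitimate):
            return threshold
    return None

def firewall_rules(blocked):
    """Render per-source, per-protocol drop rules (illustrative iptables syntax)."""
    return ["iptables -A INPUT -s %s -p %s -j DROP" % key for key in sorted(blocked)]

if __name__ == "__main__":
    for threshold in (0.2, 0.5):
        blocked = decide_blocks(FLOWS, threshold)
        print("threshold %.1f pps: %d blocked, false positives %s"
              % (threshold, len(blocked), false_positives(blocked)))
    best = tune_threshold(FLOWS, [0.1, 0.2, 0.5, 1.0])
    print("tuned threshold:", best)
    print("\n".join(firewall_rules(decide_blocks(FLOWS, best))))
```

At 0.2 packets per second the busy legitimate client is cut off along with the five flooding sources, which is the self-inflicted outage the tuning discussion warns about; at 0.5 only the flooding sources are blocked.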
A router is a piece of network equipment used on a network to handle layer three traffic. The router acts as a dispatcher, selecting the best path for data to travel so that it is received in a timely manner. [6] Routers are a standard network requirement that allows machines to communicate with each other and connect to the internet.
By adding to and reconfiguring your router inventory, DDoS attacks can be mitigated. Routers use access control lists (ACLs) to filter out bad traffic, which allows them to protect a network against certain types of DDoS attacks, such as ping attacks, by filtering unneeded protocols. [7] Routers can also help counter DDoS attacks that leverage systems as reflectors to respond to spoofed requests from a denial-of-service target. By blocking port 179 on the router, the router will prevent this traffic from reaching the destination. [5]
In summary, there are different approaches to remediating DoS or DDoS attacks in progress. Firewalls, router configuration and an IPS can all play a part in your strategy for responding to a DoS threat. Your response time and success rate will correlate with how these controls have been implemented, as well as with the tuning involved to ensure that the controls are able to react to a threat when it is identified.
Note: Parts of this thought were previously used in content I submitted while in Grad School during my Hacking Countermeasures course.
[1] Tipton, Harold F. & Krause, Micki. (2007). Information Security Management Handbook, Sixth Edition, Volume 1.
[2] Scarfone, Karen & Mell, Peter. (2007, February). Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94.
[3] What is a firewall? (n.d.).
[4] Rouse, Margaret. (2014, November). Firewall.
[5] EC-Council. (2013). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms, 1e.
[6] What is a Network Switch vs. a Router? (n.d.).
[7] Defeating DDoS attacks. (n.d.).