How to survive anonymous DDOS attack? [duplicate]

Most mechanisms to identify and mitigate attacks like Anonymous attacks are well known, and most Anti-DoS products and services can deal with them with high rates of success. However, sometimes organizations and enterprises do not have tuned or updated protection policies. Furthermore, I was amazed to discover that many of them do not have Anti-DoS protection at all, neither by product nor by service.

Anonymous usually use well-known tools. There is no reason that a local SOC/NOC or a service provider's SOC/NOC will not be able to block their attacks. The question is whether detection and blocking are accurate enough without the false positive of blocking legitimate traffic as well, as the consequence of that is a successful DoS/DDoS...

In general there are three paths of dealing with DDoS/DoS attacks:

  1. Having enough resources (bandwidth, servers, etc.) - not a realistic option, as attack volume can exceed the bandwidth you have and the cost of having unlimited computation power is huge.
  2. 'Renting' Security Service Provider services - a good solution, depending on the specific provider's capabilities. However, you should note that most MSSPs work with scrubbing centres in Out-of-Path mode. This means they rely in many cases on traffic analysis protocols, such as NetFlow, to identify the attacks. While this option works well with DDoS or large volumetric attacks, it cannot identify low and slow attacks. You can overcome this limitation if you are ready to make the call yourself to the MSSP once you detect problems with the traffic yourself. Another limitation of the "scrubbing centres" approach is that usually only one direction of the traffic is inspected.
  3. Having your own Anti-DoS solution, installed inline. Though sometimes more expensive, this option will provide you the best security, as scanning attempts, brute-force attempts and many other security threats can be dealt with by an inline device. An inline device is effective as long as the attack's volume doesn't exceed your pipe bandwidth. Working in inline mode guarantees detection of low and slow attacks, and even intrusions, depending on the equipment you want to use.

As you can see, there is no clear answer to the question, as it depends on many parameters; budget is only one of them. The quality of the service or product is a significant aspect as well:

  - Can it generate 'real-time' signatures for accurate mitigation without affecting legitimate traffic, reducing the false-negative ratio?
  - Does it include behavioural learning and detection modules, or does it use only rate-based thresholds?
  - Does it include authentication options (for HTTP/DNS and other protocols)? Again, for reducing the chances of false negatives.
  - Does it include an action escalation mechanism, a closed feedback option that can automatically use more aggressive mitigation actions based on the success of the current mitigation action taken?
  - What is the mitigation rate the service/product can offer, regardless of the legitimate traffic rates?
  - Does the product include a 24/7 emergency service? (Most MSSPs have it, not all products.)

Cheers,
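Added example, not part of the answer above or of any product it mentions: a small detector run over constructed web access-log lines (Common Log Format) that contrasts the "rate-based thresholds" the answer asks about with a baseline learned from a known-good period. It also shows the false-positive the answer warns about: a site-wide rate rule fires on a flash crowd of many legitimate clients exactly as it would on an attack, while per-source rules do not. All IP addresses, timestamps and request counts are constructed for the example.

```python
"""Per-source request-rate detection over constructed CLF access-log lines.

Added example: compares a fixed per-source threshold, a site-wide threshold
and a baseline-relative rule on a flash crowd and on a single-source flood.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Set

# Common Log Format fields we need: client IP, timestamp, request line, status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def make_line(ip: str, second: int, path: str = "/") -> str:
    """Build one constructed CLF line at `second` (0-59) within a fixed minute."""
    return (f'{ip} - - [10/Oct/2000:13:55:{second:02d} -0700] '
            f'"GET {path} HTTP/1.1" 200 2326')


def per_source_per_second(lines: Iterable[str]) -> Dict[str, Counter]:
    """Bucket requests as {ip: Counter{epoch_second: count}}; unparsable lines are skipped."""
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        epoch = int(datetime.strptime(m["ts"], TS_FORMAT).timestamp())
        buckets[m["ip"]][epoch] += 1
    return buckets


def peak_rps(counter: Counter) -> int:
    """Highest requests/second seen in any single one-second bucket."""
    return max(counter.values(), default=0)


def rate_threshold_alerts(buckets: Dict[str, Counter], max_rps: int) -> Set[str]:
    """Rate-based rule: flag every source whose peak requests/second exceeds max_rps."""
    return {ip for ip, c in buckets.items() if peak_rps(c) > max_rps}


def total_rate_exceeded(buckets: Dict[str, Counter], max_total_rps: int) -> bool:
    """Site-wide rate rule: true if aggregate requests/second exceeds max_total_rps.
    A flash crowd of legitimate clients trips this just like an attack does."""
    total: Counter = Counter()
    for c in buckets.values():
        total.update(c)
    return peak_rps(total) > max_total_rps


def learn_baseline(buckets: Dict[str, Counter]) -> float:
    """Learn the mean per-source requests/second from a known-good period."""
    rates = [sum(c.values()) / len(c) for c in buckets.values() if c]
    return sum(rates) / len(rates) if rates else 0.0


def baseline_alerts(buckets: Dict[str, Counter], baseline_rps: float, factor: float) -> Set[str]:
    """Baseline-relative rule: flag sources whose peak rate exceeds factor x the learned baseline."""
    return {ip for ip, c in buckets.items() if peak_rps(c) > factor * baseline_rps}


# --- constructed traffic scenarios (not real traffic) -----------------------
def normal_traffic() -> List[str]:
    """Learning period: 20 clients, each 1 request/second for 10 seconds."""
    return [make_line(f"10.0.0.{i}", s) for i in range(1, 21) for s in range(10)]


def flash_crowd() -> List[str]:
    """200 distinct legitimate clients, each 1 request/second for 5 seconds (200 rps total)."""
    return [make_line(f"10.1.0.{i}", s) for i in range(200) for s in range(10, 15)]


def single_source_flood() -> List[str]:
    """One constructed source (TEST-NET-2 address) at 60 requests/second for 5 seconds."""
    return [make_line("198.51.100.7", s, "/search") for s in range(20, 25) for _ in range(60)]


def evaluate() -> dict:
    """Run the three rules over the scenarios and return what each one flags."""
    baseline = learn_baseline(per_source_per_second(normal_traffic()))
    crowd = per_source_per_second(flash_crowd())
    flood = per_source_per_second(single_source_flood())
    return {
        "baseline_rps": baseline,
        "crowd_per_source_alerts": rate_threshold_alerts(crowd, max_rps=20),
        "crowd_total_alert": total_rate_exceeded(crowd, max_total_rps=100),
        "crowd_baseline_alerts": baseline_alerts(crowd, baseline, factor=10.0),
        "flood_per_source_alerts": rate_threshold_alerts(flood, max_rps=20),
        "flood_baseline_alerts": baseline_alerts(flood, baseline, factor=10.0),
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

Two caveats worth keeping in mind when reading the output. The site-wide rule is the only one that flags the flash crowd, which is the blocking-legitimate-traffic outcome the answer describes; the per-source and baseline rules leave it alone and still catch the single-source flood. And none of these rules sees a low-and-slow attack at all, because a connection that is held open while sending almost nothing produces few or no access-log lines; that is the gap the answer attributes to flow-based, out-of-path analysis and the reason it favours inline inspection for that class.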


It's not true that anonymous always succeed. And there's nothing unique about anonymous - just clever and high-volume attacks.

(Hope anonymous won't target me for saying that :)

From the BBC article "Pro-Wikileaks activists abandon Amazon cyber attack":

The group Anonymous had pledged to attack the site (Amazon) at 1600 GMT, but have since changed their plans, saying they did not have the "forces".

The problem is that there's no technique that can make sure that you'll handle DDOS. The only way is to have servers and bandwidth that can handle any possible load and that's plainly expensive.


Traffic Scrubbing services from companies like Verisign, Prolexic and others are the most effective way to protect yourself unless you have the money to spend on a hardware solution like Arbor or Rio Rey.


It depends greatly on the type of traffic that you're serving, but there are a number of ways to mitigate. (I'm going to assume Web sites.) A relatively simple and inexpensive way to solve this is by putting Varnish (or another HTTP cache) in front of your web servers. This will greatly reduce the number of hits that make it to your web and app servers. Also, using a product like HAProxy as a load balancer can help somewhat by managing the distribution of your HTTP traffic to your servers.

There are DDOS-preventing measures available, but they are going to be expensive. I know that if you are using Rackspace for hosting, they have a product offering called Preventier (which I know to be expensive).

It could also be worth your time to leverage Akamai (or similar CDN) to host your content, which will also solve this problem, but typically has a high dollar-cost.

As in all things, a risk vs reward analysis must be performed, but you must keep in mind that beyond your service availability, you're also essentially paying for your brand's reputation.

NOTE: I say inexpensive for Varnish and HAProxy because, while they are Free/Open-Source, they do have a cost in engineer-hours to implement and support. Note that this is true of any solution, but these have a zero-dollar licensing cost.