Response to DDoS Attacks
(Updated Feb 17, 2015)
This document contains information on how to react to a distributed denial of service (DDoS) attack. Unfortunately, DDoS attacks have become commonplace on the Internet today. When they occur across a backbone like Internet2, where large bandwidths are available, they can saturate an institution's connection to the backbone.
DDoS attacks occur when a hacker gains control of a number of hosts on the network and directs large volumes of traffic from those hosts to one or more target hosts. Hackers often use "botnets" in such attacks. Botnets are large collections of computers infected by worms or trojans that are taken over and remotely controlled by hackers to send spam, propagate viruses, or launch denial of service attacks. The number of compromised hosts on the Internet can be staggering - in the hundreds of thousands.
When DDoS attacks occur across the Internet2 backbone, the results can be devastating. A DDoS attack focused at a single machine on a campus can easily saturate a gigabit connection - effectively clogging an institution's connection to Internet2.
What can be done if a DDoS attack occurs? There are two phases to solving the problem: the initial phase is to get the site back up by filtering traffic directed at the target hosts and the second phase is to locate and stop the compromised machines sourcing the attack. In some cases, source addresses are spoofed, complicating the location of the compromised source machines.
If the attack has saturated the backbone network connections to the target institution, or congested the border routers, firewall, etc., then traffic filtering must be performed by the upstream network providers. Therefore, the most important action to take is to contact the upstream providers - Internet2 and/or commodity providers depending on the attack sources. In the case of Internet2, contact the Internet2 NOC (firstname.lastname@example.org, 317-278-6622). The Internet2 NOC also provides a method for an institution to automatically initiate upstream filtering (see the section BGP Discard Routing below).
In the second phase, the identification of compromised attack sources and communicating with the source network security contacts can be assisted and coordinated by existing security organizations. One such organization is the
Research and Education Networking Information Sharing and Access Center (email@example.com, 317-274- 7228). The REN-ISAC has information about a variety of security organizations that can help speed the identification of compromised machines. The REN-ISAC also maintains a list of security contacts and ways of contacting them quickly to solve problems.
In summary, the actions to take in case of a DDoS attack are:
- Incident response efforts such as upstream filtering begin by contacting the Internet2 NOC at 317-278-6622, (firstname.lastname@example.org). If appropriate, use BGP discard routing described below to automatically initiate upstream filtering.
- For assistance with notifying security organizations of DDoS sources, contact the REN-ISAC at 317-274-7228, (email@example.com).
BGP Discard Routing
Internet2 Connectors can now advertise routes to Internet2 via BGP for which all traffic to those routes will be discarded by the Internet2 routers. This is useful if there's a DoS attack which consumes a large portion of the link between Internet2 and the Connector because the traffic is dropped before it crosses the link. Here's how it works...
Internet2's BGP policy has always been to allow Connectors to advertise routes which are more specifics of the routes they already advertise; up to and including a /27 mask. Now, if a more specific route is tagged with the BGP Community 11537:911 and the mask length is between /24 and /32, the route advertisement will be accepted and the NEXT-HOP will be set to the discard interface causing all packets destined to that route to be discarded by the Internet2 router(s).
Here are a few important points:
- Discard routes will NOT be accepted for routes larger than a /24.
- There is no way to place a limit on the number of discard routes a Connector can
advertise. The limit on the total number of routes a Connector can advertise is currently 3,000.
- Internet2's default policy is to not accept routes smaller than a /27. There have been some exceptions made to this policy. For those /28 and smaller routes, it will not be possible to announce more specific discard routes.
It's important to understand what can and cannot be done to recover from DDoS attacks. The attacks are possible for two reasons. First, the basic design of the Internet protocols is to place control at the edge. Hosts send traffic whenever they are asked to, at whatever bandwidth is available. That fundamental design approach has lead to the success of the Internet and almost certainly won't change. The second and primary reason for the problem is the number of compromised hosts on the network. This is unlikely to change in the near future.
Unfortunately, the fact remains that hackers have the ability to focus traffic toward target hosts across the network. Organizations, such as financial institutions and large retailers, go to elaborate lengths to avoid and deflect DDoS attacks. The ability to provide the needed infrastructure at the campus level often doesn't exist and is difficult to sustain. That simply means that if hackers want to take a host off the network through a concerted DDoS attack, it can be done, and for long periods of time.