DDoS Mitigation for Websites

Older forms of Distributed Denial-of-Service (DDoS) attack already have mitigation steps that network professionals practice today. Internet service providers have stopped accepting ICMP echo requests, use ingress filtering against spoofed source addresses and have limited the ports they leave open. All of these mitigations apply only to the network and transport layers of the OSI protocol stack.

The techniques described above don’t work against bot threats that retrieve Internet resources in a legitimate way. Such a bot does not spoof its source address, does not send ICMP packets, and uses no port other than the HTTP port. The attack usually originates from compromised machines running multiple threads or processes that connect to a website simultaneously.

Browsers use the HTTP port to access a web page, and this port sits on the application layer of the OSI protocol stack, which has no established mitigation steps against DDoS attacks. The application layer is where data has already been decapsulated, that is, stripped of the transmission details exchanged between machines and protocols.

Botnet scenario attack. (Source: Wired Magazine - http://www.wired.com/politics/security/magazine/15-09/ff_estonia_bots)

Flash Crowd Effect

Mitigation steps against HTTP-based DDoS attacks vary between internet service providers (ISPs) and network administrators, because it is hard to distinguish legitimate traffic from an attack coming from a botnet. A botnet DDoS mimics the event that a flash crowd of visitors creates.

Bandwidth Over-Provisioning

The obvious solution is to have more bandwidth to support all the requests, the same way a hosted website upgrades to a costlier hosting plan as it grows in popularity and generates heavy traffic. Instead of upgrading the subscription, there are already commercial anti-DDoS services that provide additional bandwidth in the event of a flash crowd.

Clean Pipes Services

Companies offering DDoS defense also have services that involve packet scrubbing. These use high-performance network appliances and computers to inspect packet content and behavior before forwarding the packets to their destination. The service takes over the website’s IP address, catches all packets during a DDoS and inspects how each source reacts to the responses the defense sends. If the connecting host is legitimately accessing the site, its packets are forwarded on to the hosting server.

Solutions for the Web Developer

If the website is hosted with a web-hosting provider, the site owner has no access to the network devices that could control and filter traffic. For site owners on a budget, solutions have been proposed that their site developers can implement.

One such solution involves a reverse Turing test, which presents a challenge to connecting hosts. A common example is the CAPTCHA, which contains words or sounds that humans understand easily but computers do not. When a source IP address tries to access a URL repeatedly within a short time frame, the challenge routine is triggered. If the machine does not reply or answers incorrectly, an HTTP 503 (Service Unavailable) response is sent to that source IP address for every request until the DDoS subsides. In terms of bandwidth, the Service Unavailable response is the cheapest reply to send a connecting host.
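The gate described above, written out as an added example (not code from the original article): a per-source-IP counter triggers a challenge after repeated requests in a short frame, a missing or wrong answer switches that source to 503, and the source is forgiven once it has been quiet for a while. The time frame, request limit, quiet period and the placeholder question standing in for a real CAPTCHA are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0   # "short time frame" in which repeats are counted (assumed)
MAX_REQUESTS = 20       # repeats within that frame before the challenge fires (assumed)
QUIET_SECONDS = 60.0    # a refused source is forgiven after this long without requests

class ChallengeGate:
    """Per-source-IP request gate: serve, challenge, or refuse with 503."""
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self.pending = {}                # ip -> answer the outstanding challenge expects
        self.refused = {}                # ip -> time of its last request while refused

    def handle(self, ip, now, answer=None):
        """Return (http_status, action); action is serve, challenge or unavailable."""
        if ip in self.refused:
            if now - self.refused[ip] < QUIET_SECONDS:
                self.refused[ip] = now           # still hammering: keep sending 503
                return 503, "unavailable"
            del self.refused[ip]                 # the flood from this source subsided
            self.hits[ip].clear()
        if ip in self.pending:
            expected = self.pending.pop(ip)
            if answer == expected:               # human solved it: reset its counter
                self.hits[ip].clear()
                return 200, "serve"
            self.refused[ip] = now               # no reply, or a wrong reply
            return 503, "unavailable"
        q = self.hits[ip]
        while q and now - q[0] > WINDOW_SECONDS:   # forget requests outside the frame
            q.popleft()
        q.append(now)
        if len(q) > MAX_REQUESTS:
            # Placeholder question standing in for a real CAPTCHA image or audio clip
            self.pending[ip] = "7"
            return 200, "challenge"
        return 200, "serve"
```

A 503 costs the server almost nothing to emit, which is why the refused state answers every request instead of dropping the connection.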

Tarpits to Control DDoS Bandwidth

For network administrators who don’t have access to high-performance network appliances or services, there is a passive way to mitigate DDoS called tarpitting. Network administrators deploy it in their gateway firewall, the boundary between their intranet and their ISP.

Tarpitting takes advantage of TCP, a protocol the botnet must follow to send and receive packets. Once an offending source is detected, the victim’s firewall forwards the connection to a tarpitted address. The tarpitted address has its TCP window size set to the minimum, so the offending machine can only send further data in pieces no larger than the window size it received from the tarpitted address. The result is that more bandwidth is left for legitimate users.

Tarpits for Retaliation

In a normal DDoS attack, the attacker first sends a synchronization packet (SYN), the victim replies with a synchronization-acknowledgment packet (SYN-ACK), and the offending machine completes the exchange with an acknowledgment packet (ACK). Completing this three-way handshake is what differentiates this attack from SYN floods, for which defenses are already built into routers and operating systems.

In a tarpitted connection, the victim replies only to SYN packets, with a SYN-ACK advertising a zero TCP window size. Since the victim never replies to any other packet, the attacking machine accumulates multiple open connections. The connections made by the offending machine are closed only when a time-out is reached, or when the attacking machine can’t handle so many open connections and crashes, in effect DoS-ing itself.
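The exchange described in the two tarpit sections above, as an added simulation that is not part of the original article: the tarpit answers each SYN with a zero-window SYN-ACK and nothing else, while a bot that obeys TCP completes the handshake, cannot send its HTTP request, and keeps the socket open until its own timeout or socket limit is hit. Packets are constructed dicts, and the bot’s timeout and socket limit are assumptions.

```python
BOT_TIMEOUT = 120.0   # seconds before the bot gives up on a silent connection (assumed)
BOT_MAX_CONNS = 256   # open sockets the bot can hold before it falls over (assumed)

class Tarpit:
    """Victim side: answers SYN with a zero-window SYN-ACK, drops everything else."""
    def __init__(self):
        self.trapped = set()   # (src_ip, src_port) pairs that have been answered

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            self.trapped.add(key)
            # window 0: the handshake completes, but the peer may not send any payload
            return {"dst": pkt["src"], "dport": pkt["sport"], "flags": "SYN-ACK", "window": 0}
        return None   # ACK, data, FIN, RST: silently dropped

class Bot:
    """Attacker side: one HTTP connection per thread, obeying TCP like any client."""
    def __init__(self, ip):
        self.ip, self.next_port, self.open, self.crashed = ip, 40000, {}, False

    def connect(self, tarpit, now):
        if self.crashed:
            return
        self.next_port += 1
        reply = tarpit.handle({"src": self.ip, "sport": self.next_port, "flags": "SYN"})
        if reply and reply["flags"] == "SYN-ACK":
            tarpit.handle({"src": self.ip, "sport": self.next_port, "flags": "ACK"})
            self.open[self.next_port] = now    # window 0: the HTTP request never leaves
            if len(self.open) > BOT_MAX_CONNS:
                self.crashed, self.open = True, {}   # out of sockets: the bot DoS'd itself

    def tick(self, now):
        """Close connections whose timeout expired; returns how many closed."""
        expired = [p for p, t in self.open.items() if now - t >= BOT_TIMEOUT]
        for p in expired:
            del self.open[p]
        return len(expired)

def simulate(threads, seconds):
    """Bot opens `threads` connections per second; report what the tarpit did to it."""
    tarpit, bot = Tarpit(), Bot("203.0.113.7")   # constructed documentation address
    peak = 0
    for t in range(seconds):
        bot.tick(float(t))
        for _ in range(threads):
            bot.connect(tarpit, float(t))
        peak = max(peak, len(bot.open))
    return {"trapped": len(tarpit.trapped), "peak_open": peak, "crashed": bot.crashed}
```

With one thread the bot plateaus at BOT_TIMEOUT held sockets and sends no request data at all; with enough threads it exhausts its own socket table before any timeout fires.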

Cooperation is the Key

Security and network professionals agree that the best way to mitigate, if not eradicate, DDoS attacks is cooperation. Information sharing between the security and network communities will help standardize best practices for how systems and applications interact to process data efficiently. Information from the victim network should be relayed to the ISP nearest the attacking machine so that it can block the DDoS packets. Cybercrime laws should be enforced to get the cooperation of ISPs and of infected companies whose intranets send DDoS packets, so that they clean their networks. Until that becomes reality, we have to accept that DDoS threats from botnets are unstoppable when handled alone.
