

| Title | File | Date |
|---|---|---|
| Understanding DDoS Attacks. | -- | 07/15/09 |

Written by Hauri Virus lab
- What is DDoS?
A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.
- What is a DDoS agent?
A DDoS agent, the main body of a DDoS attack, is usually installed on unsecured ordinary PCs through hacking or viruses. Most attackers are from China, and they target PCs on Korea's good network resources in order to obtain large numbers of DDoS agents.
The most common DDoS agent is an IRC bot, which is controlled through IRC (Internet Relay Chat).
However, since IRC traffic is now blocked by network administrators, hackers try to control agents through the HTTP or P2P protocols instead. NetBot Attacker, a specialized DDoS attack agent, has also been used.
- Patterns of DDoS attacks
1) UDP/ICMP Flooding
It generates a huge amount of traffic over the UDP or ICMP protocol. Its target is the network bandwidth, which it seizes and consumes.
2) TCP SYN Flooding
It targets the web daemon running on a single server. A web daemon usually serves multiple visitors, and its resources are limited. If a DDoS attack exceeds the connection limit, all of the resources are consumed and other visitors cannot access the website.
- How to protect against DDoS attacks
1) Quickly read the pattern of DDoS attack
If a DDoS attack occurs, the shortcut to minimizing the damage is how quickly you grasp the situation. You must monitor network traffic in real time and check the logs of the running server to understand the pattern of the DDoS attack: for example, whether it targets the whole network or a single server, the attackers' IP addresses, the IP address being attacked, which protocol is used for the attack, etc.
Even if the initial attack aimed at a single server such as a web server, it can spread to the whole network if you don't cope with the DDoS attack properly.
You can also use the FlowScan program (using MRTG and NetFlow data) to monitor the network and analyze the DDoS attack effectively. MRTG can show the real traffic usage rate, and FlowScan (using NetFlow data) can help you analyze the IP address being attacked, the protocol type, the location of the PCs on which DDoS agents were installed, and other useful information.
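The pattern-reading step above, as an added example that is not part of the original article: it groups constructed NetFlow-style records per target, labels each target that shows the SYN-flooding or UDP/ICMP-flooding pattern, and lists the top source addresses. The thresholds, the record layout and the addresses are assumptions made for the sample, not values from the article or from FlowScan.

```python
from collections import Counter, defaultdict

def build_sample_flows():
    """Constructed NetFlow-style records: (src_ip, dst_ip, proto, tcp_flags, bytes).
    Addresses come from the RFC 5737 documentation ranges; this is not real traffic."""
    flows = []
    # Normal web traffic to the 203.0.113.20 web server: completed handshakes, modest volume.
    for i in range(30):
        flows.append((f"192.0.2.{i + 1}", "203.0.113.20", "tcp", "SA", 1500))
    # SYN-only flows from many sources to 203.0.113.10: the TCP SYN flooding pattern.
    for i in range(200):
        flows.append((f"198.51.100.{i % 20 + 1}", "203.0.113.10", "tcp", "S", 60))
    # Large UDP datagrams from a few sources to 203.0.113.30: the UDP/ICMP flooding pattern.
    for i in range(100):
        flows.append((f"198.51.100.{i % 5 + 101}", "203.0.113.30", "udp", "", 20000))
    return flows

def summarize_attack(flows, syn_threshold=100, byte_threshold=1_000_000):
    """Group flows per destination and label each target that crosses a threshold.
    The thresholds are assumptions for the sample; tune them to the server's normal load."""
    per_target = defaultdict(lambda: {"syn_only": 0, "udp_icmp_bytes": 0, "sources": Counter()})
    for src, dst, proto, flags, nbytes in flows:
        stats = per_target[dst]
        if proto == "tcp" and flags == "S":       # handshake never completed
            stats["syn_only"] += 1
        elif proto in ("udp", "icmp"):            # bandwidth-consuming traffic
            stats["udp_icmp_bytes"] += nbytes
        stats["sources"][src] += 1
    findings = {}
    for dst, stats in per_target.items():
        if stats["syn_only"] >= syn_threshold:
            pattern = "TCP SYN flooding"
        elif stats["udp_icmp_bytes"] >= byte_threshold:
            pattern = "UDP/ICMP flooding"
        else:
            continue                              # normal load, nothing to report
        findings[dst] = {
            "pattern": pattern,
            "top_sources": [ip for ip, _ in stats["sources"].most_common(3)],
        }
    return findings

if __name__ == "__main__":
    for target, info in summarize_attack(build_sample_flows()).items():
        print(target, info["pattern"], "top sources:", ", ".join(info["top_sources"]))
```

More than one labelled target means the attack is hitting the network rather than a single server, which is the first distinction the text asks you to make.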
2) Use DDoS security equipment and DDoS security services
If it's affordable, you should build a security system such as specialized DDoS security equipment or a firewall with wide bandwidth. Alternatively, you can also use the following methods.
- Setting up parallel firewalls is more effective.
- Use a DDoS security module for the Apache web server.
- Use the DDoS security service of your web hosting provider or of DDoS security experts.
- Use a CDN (Content Delivery Network) service.
3) Effective resource setting
As long as resources allow, you can raise the maximum number of connections and reduce the timeout interval.
On a Linux server, you can protect effectively against DDoS attacks with kernel-level settings. For example, kernel parameters set via sysctl can extend the routing cache size and reduce the routing cache time. Once a DDoS attack is confirmed, you can clear the routing cache immediately to save response time.
DNS servers should be set up redundantly. A network should be properly segmented via VLANs.
4) Traffic access control
Traffic control through the router and firewall is the most effective solution for blocking DDoS attacks.
If you don't have one, you can build a bridge firewall and operate it after setting an iptables policy.
- Limit the connection rate for each sender's IP address.
- Blackhole routing (null routing).
- Block overseas traffic.
- Filter on strings, e.g. http://100.100.100.100
5) Security patch and Anti-virus update
A DDoS attack usually comes from the outside, but infected DDoS agents inside the network can also attack the outside. To install DDoS agents, attackers target unsecured PCs, so users must apply the latest security patches and remove any vulnerabilities in advance. Users also need to install a trusted anti-virus product and keep it updated to the latest engine version to block the installation of DDoS agents.
- Conclusion
There is no perfect solution for blocking DDoS attacks, but we always need to pay attention to network and server security to minimize the damage from them.
You also need to monitor the situation in real time and check the security settings of the firewall and network protection equipment so that you can set up a faster response process for any incident.
If DDoS attacks exceed the bandwidth of your security equipment or networks, you need to cooperate with your ISP and IDC for help.
