A DDoS attack against the University's Registration System Server (RSS) by infected computers (Bots) located in the University computer labs (see diagram) shut down access to the RSS. Orchestrated and controlled by a central controller, these Bots established web connections (HTTP protocol) to the RSS, using up all available bandwidth. This prevented other users from reaching the web site/server with legitimate traffic for the duration of the attack. It is classed as a consumption-of-resources attack: the resource exhausted was the RSS bandwidth.
This summary addresses measures to counter this type of DoS attack (Specht & Lee, 2004). Measures to counter a DoS attack can be broken down into two types: In-Depth Defense and Countermeasures. Devices such as routers and proxy firewalls are designed to protect against attacks originating outside, not inside, the protective boundary of the University's network, so they alone do not stop Bots in the labs. The use of up-to-date antivirus software on all network computers, an Intrusion Detection and Prevention System (IDPS) to monitor network traffic, and a host-based IDPS (local computer firewall) are recommended.
Training of computer users and of the Information Technology (IT) personnel who manage computer services on the University network is critical to countering such attacks. Disaster Recovery procedures and/or checklists need to be created and followed by IT staff during the attack phase. In-Depth Defense includes the following: the Principle of Least Privilege, Bandwidth Limitation, and Effective Patch Management (EPM). To reduce the risk of attack, Microsoft's Active Directory (AD) Rights Management (RM) should be used to assign users the least privileges necessary to operate on the network.
This would prevent rogue (virus or Trojan) software installations that could lead to Bot compromises and DDoS attacks. Limiting the bandwidth or setting bandwidth caps could reduce the effects of DDoS attacks by reducing the amount of data any single computer can send, much as Internet Service Providers (ISPs) limit the amount of traffic any one customer can put on the Internet. Automated patch management, using Microsoft's System Center Configuration Manager (SCCM) to keep computers properly updated and patched, is essential.
EPM reduces the risk of attack by removing the vulnerabilities that come from known weaknesses in applications and Operating Systems (OSs). A centrally managed host-based IDPS or Host Based Security System (HBSS) that audits and reports on computer systems helps defend against known attacks. HBSS allows local computer firewall configurations to be managed centrally, so infected computers can be identified and possibly shut down during an attack. AD, SCCM, and HBSS combine to reduce the likelihood of an attack and provide valuable information during the attack and post-attack phases.
Countermeasures to internal network DDoS attacks consist of detection, neutralization, prevention of additional attacks, deflection, and post-attack forensics. In the current network design an IDPS can alert network administrators to potential problems and block signature-based (known) attacks to help in the mitigation process. Use of HBSS and a network IDPS allows administrators to shut down services during an attack to neutralize it. Traffic patterns captured and stored during DDoS attacks can be used for forensic analysis post-attack.
Load balancing increases the level of incoming traffic that can be handled during peak hours of operation and during DDoS attacks. Proper configuration of load balancing across network devices, services, and servers will reduce the effects of a DDoS attack (Householder, Manion, Pesante, Weaver & Thomas, 2001). Documentation of these processes provides effective lessons learned and should be the basis of future response procedures. Identifying Bot computers as quickly as possible and removing them from the network is an effective response to DDoS attacks.
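As an added illustration of the detection and Bot-identification steps described above (example code written for this summary, not part of the original and not from any product named here), the following Python parses constructed Apache-style access log lines from the RSS web server, counts requests per lab host in a sliding 60-second window, and lists hosts exceeding a threshold as candidates for isolation. The lab subnet prefix, the request threshold, and the log lines are assumed or constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} (?P<bytes>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, bytes) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip junk instead of crashing the detector
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), size

def find_suspected_bots(lines, window=timedelta(seconds=60), max_requests=100, lab_prefix="10.20."):
    """Map ip -> (total requests, total bytes) for lab hosts that exceed
    max_requests inside any window-long span (sliding window over sorted events)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[0].startswith(lab_prefix):  # only the lab subnet is in scope
            per_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past old events
            if end - start + 1 > max_requests:
                flagged[ip] = (len(events), sum(b for _, b in events))
                break
    return flagged

def constructed_sample():
    """Constructed log lines: one lab PC flooding the RSS login page, one
    legitimate lab session, and one host outside the (assumed) lab subnet."""
    base = datetime(2024, 3, 4, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(150):  # 150 requests in 30 seconds from the same lab PC
        ts = (base + timedelta(seconds=i // 5)).strftime(TS_FMT)
        lines.append(f'10.20.5.17 - - [{ts}] "GET /rss/login HTTP/1.1" 200 5120')
    for i in range(5):  # a student browsing normally
        ts = (base + timedelta(seconds=i * 10)).strftime(TS_FMT)
        lines.append(f'10.20.5.42 - - [{ts}] "GET /rss/courses HTTP/1.1" 200 8192')
    lines.append(f'192.0.2.9 - - [{base.strftime(TS_FMT)}] "GET /rss/ HTTP/1.1" 200 1024')
    return lines
```

Running `find_suspected_bots(constructed_sample())` on the constructed lines returns only the flooding lab PC with its request and byte totals; the same logic can be pointed at a real access log, with the threshold tuned to the lab's normal traffic.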
Once a computer is removed from the network, the Bot application can be removed from it. If removal is not possible or not effective, a baseline reinstallation of the Operating System is required. With the use of In-Depth Defense and Countermeasures, DDoS damage can be significantly reduced. Effective defensive steps against DDoS include user account best practices, an effective application patching process, current virus definitions, properly configured host-based firewall rules, and active network scans for anomalies by the IDPS.
Best practices for identifying, shutting down, and preventing additional outbreaks of infected computers must be documented. Education of users and IT staff helps to reduce the root cause of DDoS attacks by reducing Bot infections. Tools such as AD, SCCM, and IDPS, used properly, can help detect these attacks and formulate an effective defense against them. In-Depth Defense and Countermeasures used together form an effective process for dealing with DDoS attacks.