<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CloudShield Blog &#187; DDoS</title>
	<atom:link href="http://blog.cloudshield.com/index.php/tag/ddos/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.cloudshield.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Apr 2009 21:39:31 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>DDoS Attacks Aimed at Security Sites?</title>
		<link>http://blog.cloudshield.com/2009/02/12/ddos-attacks-aimed-at-security-sites/</link>
		<comments>http://blog.cloudshield.com/2009/02/12/ddos-attacks-aimed-at-security-sites/#comments</comments>
		<pubDate>Thu, 12 Feb 2009 15:10:45 +0000</pubDate>
		<dc:creator>Peder</dc:creator>
				<category><![CDATA[Main]]></category>
		<category><![CDATA[Anti-SPAM]]></category>
		<category><![CDATA[CloudShield]]></category>
		<category><![CDATA[Dark Reading]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[DDoS attacks]]></category>
		<category><![CDATA[Kelly Jackson Higgins]]></category>
		<category><![CDATA[Metasploit]]></category>
		<category><![CDATA[Milw0rm]]></category>
		<category><![CDATA[packet flood]]></category>
		<category><![CDATA[Packet Storm]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[UDP]]></category>

		<guid isPermaLink="false">http://blog.cloudshield.com/?p=43</guid>
		<description><![CDATA[As Kelly Jackson Higgins at Dark Reading reported yesterday, white-hat security Web sites Metasploit, Packet Storm, Milw0rm and Immunity have been hit with a wave of DDoS attacks since late last week. The attacks against Metasploit came from botnets &#8230; <a href="http://blog.cloudshield.com/2009/02/12/ddos-attacks-aimed-at-security-sites/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As Kelly Jackson Higgins at Dark Reading <a href="http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=213402595">reported yesterday</a>, white-hat security Web sites Metasploit, Packet Storm, Milw0rm and Immunity have been hit with a wave of <a href="http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci557336,00.html">DDoS attacks</a> since late last week. The attacks against Metasploit came from botnets generating around 80,000 connections per second, with an incoming connection rate that exceeded 15 Mbps, and used SYN and UDP packet flooding.</p>
<p>It is just another example of the types of attacks that can hit any Web site &#8211; even those focused on security. We&#8217;ll continue to keep an eye on the story, as the Metasploit site is still under siege, but what is interesting to see is the transition in articles about DDoS. A DDoS attack of this size years ago would have taken down a large site, while today it is still quite small compared to the bandwidth and protection levels deployed by Internet giants. As such, it seems like we are getting to the back side of the DDoS boom, where botnet owners pick sites not for monetary gain but just for a bit of visibility, against targets that in many cases aren&#8217;t even investing in heavy defenses because of the lack of business impact. More interesting is that we continue to cover these stories even as they rapidly move to the bottom of the news.</p>
<p>The question I think about is which direction things will go in DDoS defense. Will every site need protection just to make the Internet useful, just like Anti-SPAM is a requirement to get anything done in email? Or will this be one of those things that is a nuisance now and just fades over time, as the benefit of attacking no longer even headlines an article?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudshield.com/2009/02/12/ddos-attacks-aimed-at-security-sites/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security issues with DNS</title>
		<link>http://blog.cloudshield.com/2009/02/05/security-issues-with-dns/</link>
		<comments>http://blog.cloudshield.com/2009/02/05/security-issues-with-dns/#comments</comments>
		<pubDate>Fri, 06 Feb 2009 02:20:08 +0000</pubDate>
		<dc:creator>Peder</dc:creator>
				<category><![CDATA[Main]]></category>
		<category><![CDATA[CloudShield]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[DNSSEC]]></category>
		<category><![CDATA[IPv4]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[TCP]]></category>
		<category><![CDATA[UDP]]></category>

		<guid isPermaLink="false">http://blog.cloudshield.com/?p=39</guid>
		<description><![CDATA[Recent press is brewing up more concerns about security issues with DNS. This time it pertains to DNS being a possible tool to amplify Denial of Service attacks, as an attacker can send a spoofed DNS request that becomes &#8230; <a href="http://blog.cloudshield.com/2009/02/05/security-issues-with-dns/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Recent press is brewing up more concerns about <a href="http://www.secureworks.com/research/threats/dns-amplification/?threat=dns-amplification">security issues with DNS</a>. This time it pertains to DNS being a possible tool to amplify Denial of Service attacks, as an attacker can send a spoofed DNS request that becomes a larger response from the DNS server to the intended victim. This type of attack is not new, as it dates back to the earliest DDoS attacks with other protocols such as the character generator ports in Linux. The question for the marketplace is whether <a href="http://www.scmagazineus.com/New-style-of-DNS-amplification-can-yield-powerful-DDoS-attacks/article/126839/">the focus on this attack</a> will lead to tangible changes in DNS infrastructure. Changes are underway, and I am not sure this research will necessarily change the prevailing winds, but hopefully it will open the eyes of more DNS operators to address these longstanding issues.</p>
<p>One thing to note is that there are really two things at play here. The reports talk about using DNS to attack another Internet target by using the DNS farm to increase the size of an attack. In this manner an attacker with a small amount of bandwidth can cause a denial of service larger than what would be nominally attributed to their network connection or the size of their botnet. The second attack is against the root servers or DNS servers in the resolution chain, whereby a small request causes an increased amount of processing on the part of the DNS farm. Both of these cause denial of service: one through bandwidth consumption against an Internet target, the other through processor consumption against a DNS farm such as the root servers. For some time, arguments have been raised for changing DNS to TCP and adding security mechanisms. These are not going to happen quickly.</p>
<p>Moving DNS queries to TCP only and off of UDP avoids the described bandwidth attack against an Internet target through spoofed addresses. The problem is that a DNS server can only turn off UDP queries once every client you are going to support has properly moved off of UDP. This is going to take some time. Furthermore, while new security measures are being instituted that can be used to help attribute queries to systems, until they are ubiquitous, we are stuck with the DNS we have. Fortunately, all is not hopeless until some future date when the Internet no longer uses IPv4, has moved away from UDP, and DNS runs only with full DNSSEC features.</p>
<p>What is great about this news, however, is that it is a perfect example to highlight why a great marketplace has emerged for Infrastructure Security Products. For decades attackers went after compromised web sites or vulnerable clients. Big web sites are built like Fort Knox today, and Anti-Virus is a household term in the most non-technical households, leaving what is in the middle, the Internet infrastructure, ripe for attack. DNS Defender<sup>TM</sup>, for example, is one of this new breed of security products. <a href="http://www.cloudshield.com/applications/cs_dnsdefender.asp">DNS Defender</a> sits in front of DNS farms, from enterprises to service providers to root servers, and is able to, in a sense, fix up the current DNS implementation while we wait for future changes. For example, if we look at the current amplification attack, DNS Defender can use its DNS rate limiting abilities and caching to protect the DNS farm both from processing attacks on the DNS farm and from being used as an amplifier against targeted sites. DNS Defender provides numerous controls for rate limiting by either query type or by user. Should a flood of traffic come in from a single IP address of a site that is an intended target, the responses per second can be controlled to some nominal level that removes any value in using the DNS farm as the amplifier. Furthermore, should the attacker want to simply send queries for the &#8216;.&#8217; domain to get a list of .com, .net and similar root domains, consuming processor time, these queries can be cached and answered using the DNS Defender as a cache server. The combination of functionality requires zero changes to the DNS farm while also fighting off both cases of using the DNS farm for amplification.</p>
<p>The good thing is that putting defenses like <a href="http://www.cloudshield.com/applications/cs_dnsdefender.asp">DNS Defender</a> in place in front of key critical infrastructure is not conceptual but already in place in key locations.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudshield.com/2009/02/05/security-issues-with-dns/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GoDaddy Goes Down</title>
		<link>http://blog.cloudshield.com/2009/01/26/godaddy-goes-down/</link>
		<comments>http://blog.cloudshield.com/2009/01/26/godaddy-goes-down/#comments</comments>
		<pubDate>Mon, 26 Jan 2009 21:11:01 +0000</pubDate>
		<dc:creator>Peder</dc:creator>
				<category><![CDATA[Main]]></category>
		<category><![CDATA[Attack]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[CloudShield]]></category>
		<category><![CDATA[CNET]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[GoDaddy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tier 1]]></category>
		<category><![CDATA[Web hosting]]></category>

		<guid isPermaLink="false">http://blog.cloudshield.com/?p=37</guid>
		<description><![CDATA[A couple weeks ago, Web site hosting company GoDaddy.com was hit with a Distributed Denial of Service (DDoS) attack that took down thousands of its customers&#8217; Web sites for several hours. As CNET reports, this wasn&#8217;t the first time the &#8230; <a href="http://blog.cloudshield.com/2009/01/26/godaddy-goes-down/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p style="margin: 0in 0in 0pt;">A couple weeks ago, Web site hosting company <a href="http://godaddy.com">GoDaddy.com</a> was hit with a Distributed Denial of Service (DDoS) attack that took down thousands of its customers&#8217; Web sites for several hours. As CNET <a href="http://news.cnet.com/8301-17939_109-10143010-2.html">reports</a>, this wasn&#8217;t the first time the domain name provider was knocked offline &#8211; a similar attack in 2005 affected 6,000 of its customers&#8217; Web sites.</p>
<p style="margin: 0in 0in 0pt;">Companies like GoDaddy.com that are responsible for safeguarding e-commerce sites and Web infrastructures should ensure they have the proper technology in place to deal with mounting DDoS attacks. With the state of the economy being what it is right now, it&#8217;s essential that online stores remain open and running when a customer is ready to make a purchase. In this instance, customers were understandably upset about their sites being down and were quick to complain. Los Angeles-based lifestyle blog LA Snark even posted a <a href="http://www.lasnark.com/2009/01/14/godaddy-hosting-sucks/">response</a> to GoDaddy.com.</p>
<p style="margin: 0in 0in 0pt;">E-commerce merchants can remain confident that their customers will encounter a positive user experience if their Web-hosting company is well prepared to deal with these kinds of security threats. That said, the problem has grown considerably larger over recent years. A recent report on DDoS trends, published in late 2008, says large-scale attacks of 40Gbps or more are being seen. (<em style="mso-bidi-font-style: normal;"><span style="text-decoration: underline;"><a href="http://asert.arbornetworks.com/2008/11/2008-worldwide-infrastructure-security-report/">Link To Arbor Report</a></span></em>) Most hosting providers are not able to accommodate such levels of attack, and this seems to point to more managed security in the Cloud going forward, delivered by Tier 1 carriers and security providers with this kind of bandwidth. The real question becomes: at what point, with an increasingly Internet-based economy, does this level of protection become required rather than a nice-to-have?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.cloudshield.com/2009/01/26/godaddy-goes-down/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

