The undetectable DDoS

For several years HTTP GET attacks have plagued web hosts with an extremely frustrating problem. These attacks are “low and slow” in the sense that only a few connections can slip through a network firewall or DDoS filter, cause a web server to respond to the seemingly valid request, and then generate hundreds of megabits or even gigabits of egress bandwidth utilization.

Traditionally the common response to this was to either null route the IP and hope the problem goes away, filter each IP by hand (which requires many hours or even days plus a functional understanding of iptables), or, as a last-ditch effort, turn to the services of a DDoS mitigation provider like Black Lotus. The latter has been extremely popular in recent days as a new variant of this attack has been detected in the wild.

The problem now is that an infected host will connect to a web server, make a seemingly legitimate HTTP request, and then fall off the radar. This is real user behavior and does not constitute a DDoS or even a DoS, therefore no network filters or even local filters will detect or mitigate this attack. Real user behavior, however, does not translate into a real user as these connections are still infected hosts. When you add them by the tens of thousands you have a nearly undetectable DDoS attack. The release of this intelligence has been delayed to allow us proper time to lab the problem and determine a solution.

On Tuesday evening system engineers at Black Lotus released an update to the Application Firewall and DDoS protection proxy products that has proven successful in defeating these attacks. The solution is to capture the HTTP request and log it for future analysis. A cron job runs on a regular interval and examines the logs. If a certain resource, for instance a large file or image, has an abnormal number of requests it is assigned a score. The request is then dropped from the destination or the entire network depending on the score.

For the sake of example, let’s say http://www.foobar.com is receiving 100 requests per day while http://www.foobar.com/images/background.jpg is receiving 6000 requests per hour, each from a separate IP address. Those IP addresses are then scored and considered for either immediate or future exclusion depending on the severity. After several cron runs the attackers are effectively isolated and blocked with a success rate of more than 75%. Over a period of several hours the botnet is fully identified and blocked from the destination or from the network.
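The scoring pass described above, written out as an added illustration rather than Black Lotus' own code: each cron run parses a slice of the access log, flags any resource requested far more often than the median resource (the baseline choice and the factor-of-10 and score-of-20 thresholds are assumptions for the example), and adds that resource's severity to every source IP that fetched it. IPs cross the block threshold only after repeated runs, which is what lets one-request-per-host traffic be told apart from ordinary visitors. The log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access-log prefix; referrer and user-agent are not needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_log(lines):
    """Yield (ip, path) for each well-formed request line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group('ip'), m.group('path')

def hot_resources(requests, factor=10.0):
    """Return {path: severity} for resources requested at least `factor` times the median resource."""
    per_path = Counter(path for _, path in requests)
    counts = sorted(per_path.values())
    if not counts:
        return {}
    median = counts[len(counts) // 2]          # assumed baseline: median per-resource count
    return {p: c / median for p, c in per_path.items() if c >= factor * median}

def score_run(lines, scores=None, factor=10.0):
    """One cron pass: parse the slice, find abnormal resources, add severity to each IP that hit them."""
    scores = defaultdict(float, scores or {})   # scores accumulate across runs
    requests = list(parse_log(lines))
    hot = hot_resources(requests, factor)
    for ip, path in requests:
        if path in hot:
            scores[ip] += hot[path]
    return dict(scores)

def to_block(scores, threshold=20.0):
    """IPs whose accumulated score has reached the (assumed) exclusion threshold."""
    return sorted(ip for ip, s in scores.items() if s >= threshold)

# Constructed sample: a few ordinary visitors plus 40 distinct hosts each fetching the same
# large image exactly once, so no single IP looks abusive on its own.
NORMAL = [
    '203.0.113.5 - - [01/Jan/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 4120',
    '203.0.113.6 - - [01/Jan/2013:10:00:09 +0000] "GET / HTTP/1.1" 200 4120',
    '203.0.113.7 - - [01/Jan/2013:10:01:15 +0000] "GET /about.html HTTP/1.1" 200 2210',
    '203.0.113.5 - - [01/Jan/2013:10:01:40 +0000] "GET /about.html HTTP/1.1" 200 2210',
    '203.0.113.8 - - [01/Jan/2013:10:02:02 +0000] "GET / HTTP/1.1" 200 4120',
]
ATTACK = [f'198.51.100.{i} - - [01/Jan/2013:10:0{i % 10}:00 +0000] '
          f'"GET /images/background.jpg HTTP/1.1" 200 1843200' for i in range(1, 41)]
```

Running `score_run(NORMAL + ATTACK)` twice with the scores carried over leaves the five ordinary visitors unscored and pushes all 40 image fetchers past the block threshold on the second pass.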

This new technology is available as standard with DDoS protection proxies and with the Application Firewall product, which can be added to any Elite level service such as DDoS protected dedicated servers or the new environmentally friendly LotusCloud VM.
