Mydoom lesson: Take proactive steps to prevent DDoS attacks

Computerworld - Dealing with a distributed denial-of-service attack such as the one that took down The SCO Group Inc.'s Web site this week continues to be a major challenge for companies, security experts said.

But several options are available to at least help alleviate the pain for those that become targets.

A DDoS attack typically involves thousands of compromised "zombie" systems sending torrents of useless data or requests for data to targeted servers or networks.

The SCO attack, for instance, was launched using systems that had previously been infected by the Mydoom virus (see story). The virus contained code that instructed thousands of infected computers to access SCO's Web site at the same time, rendering it inaccessible to legitimate users.

Stopping the flood of traffic can be very difficult because it's coming from so many sources, said Bruce Schneier, president of Counterpane Internet Security Inc. in Mountain View, Calif.

"From a philosophical perspective, if the attacker's pipe is bigger than the defender's pipe, the attacker can always knock out the defender," said Schneier.

There are several approaches companies can take to prepare for attacks such as this, said Paul Mockapetris, inventor of the Internet's core Domain Name System and chairman of IP address management vendor Nominum Inc. in Redwood City, Calif. One is to set aside extra network bandwidth and server processing capacity to withstand sudden surges in traffic, he said. Another is to "retreat from your domain name" and essentially park your Web site at another address while the attack plays out.

Geographically distributing Web servers is another approach worth considering, Schneier said. That way, even if one server or network segment is taken down by an attack, normal traffic can be redirected to other servers.

But putting in place extra server processing capacity to handle DDoS attacks can be expensive and is likely to make sense only for larger companies, Mockapetris said. "There's a bit of a digital divide when it comes to the ability of companies to defend themselves against these attacks," he said.

"The long-term answer to DDoS protection has to be in the [service provider] networks and backbones," said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. That's because upstream service providers are in a better position to detect and choke off traffic directed at a specific IP address, said Schneier.

As a result, it's a good idea to require service providers to offer some sort of guarantee against DDoS attacks, said Schneier. Gartner has in fact been advocating this for more than two years, urging users to include DDoS protection language in their service-level agreements with Internet service providers and data center hosting companies.

But less than 1% of companies overall are buying such services, Pescatore said. "Most enterprises say, 'It isn't raining, so the roof isn't leaking. Why fix it?' " he said.