Tuesday, October 27, 2009

How to prepare for Denial of Service attacks against E-commerce sites

[This is from a response I sent to someone on a mailing list earlier today]

The first thing you should know: unless you are Google or Amazon or some entity of that size with money to burn, you should not rely 100% on an on-premises solution against DoS attacks; let your bandwidth or hosting providers be the first line of defense.

You can (and should) have your own solution, but unless the protection begins before your perimeter, the attack will block users from ever reaching you, and it will have succeeded.

Here is why:
The general principle of a DoS attack against an e-commerce site is to send a flood of HTTP requests. Most other types of DoS attack, the ones that exploited known problems in various TCP stacks, were fixed a while ago (or can be handled by on-premises solutions).

TopLayer, Tipping Point, Arbor and SourceFire (and others) make excellent intrusion prevention systems (IPS) that can block vanilla DoS attacks launched by 1 or 10 computers. But they are not effective against distributed denial of service (DDoS) attacks that go after your bandwidth.

If 20,000 computers hit your website at the same time, your bandwidth is going to be saturated (unless you have a grow-on-demand pipe).

For example, I just measured the front page for Amazon.com. Images, stylesheet and everything else combine for about 77.6 KB. Let's say (for this argument's sake) that Amazon's pipe is 100 Mbit/s, which is 12.5 MB/s. That pipe can serve roughly 161 requests per second for that 77.6 KB page before it is 100% saturated (12,500 KB/s divided by 77.6 KB per page). I am not even counting the webserver's CPU/memory utilization, since that is inside the perimeter.
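The same sizing arithmetic, as an added example that is not part of the original post, written as a few shell functions so you can plug in your own pipe and page sizes. It goes slightly beyond the paragraph: besides the saturation rate, it computes how many bots an attacker needs at a given request rate, and the response/request byte asymmetry that makes an HTTP flood so cheap for the attacker. Decimal units (1 Mbit/s = 1,000,000 bit/s, 1 KB = 1,000 bytes), the 400-byte GET request and the one-request-per-second bot rate are assumptions, not figures from the post.

```shell
#!/bin/sh
# Added example (not from the original post): a small sizing model for the
# "full pipe" argument. Assumes decimal units (1 Mbit/s = 1,000,000 bit/s,
# 1 KB = 1,000 bytes). Request size and per-bot rate below are assumed values.

# Responses per second a pipe can push before it is 100% saturated.
# $1 = link speed in Mbit/s, $2 = bytes sent per response in KB
pages_per_second() {
    awk -v mbit="$1" -v kb="$2" \
        'BEGIN { printf "%d\n", (mbit * 1000000 / 8) / (kb * 1000) }'
}

# Bots needed to fill the pipe if each bot issues $3 requests per second.
# Rounded up, since a fraction of a bot does not exist.
# $1 = link speed in Mbit/s, $2 = response size in KB, $3 = requests/s per bot
bots_to_saturate() {
    awk -v mbit="$1" -v kb="$2" -v rps="$3" 'BEGIN {
        cap = (mbit * 1000000 / 8) / (kb * 1000)
        n = cap / rps
        if (n != int(n)) n = int(n) + 1
        printf "%d\n", n }'
}

# Bytes the victim sends per byte the attacker sends. A small GET that pulls a
# large page means the defender burns far more bandwidth than the attacker.
# $1 = response size in KB, $2 = request size in bytes
amplification() {
    awk -v kb="$1" -v req="$2" 'BEGIN { printf "%d\n", (kb * 1000) / req }'
}

# Worked run with the numbers from the post (100 Mbit/s pipe, 77.6 KB page),
# plus an assumed 400-byte GET and one request per bot per second.
echo "saturation at:               $(pages_per_second 100 77.6) pages/s"
echo "bots needed at 1 req/s each: $(bots_to_saturate 100 77.6 1)"
echo "bots needed at 10 req/s:     $(bots_to_saturate 100 77.6 10)"
echo "response/request asymmetry:  $(amplification 77.6 400)x"
```

Note what the last line says: at roughly 194 bytes out for every byte in, the attacker needs only a few hundred kbit/s of upstream, spread over a couple of hundred bots, to fill a 100 Mbit/s pipe with nothing but legitimate-looking GETs. That is why the IPS never gets a chance to help.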

It won't matter what IPS they have on-premises; if the pipe is full, legitimate requests are going to be denied or delayed, and the denial of service has succeeded. This is exactly what happened to Amazon, Yahoo, E-Trade, CNN and others in February 2000.

The bad guys do have thousands of malware-infected machines (bots) at their disposal for this; some groups reportedly have millions. They rent them out by the hour in blocks of hundreds or thousands, for as little as $200 for 10,000 bots. The bots are mostly used to send spam, but it is just as easy to launch a DDoS attack with them.

So a belts-and-suspenders approach would be:
- Have a good IPS; you need one anyway.
- If you run Linux servers, look at Netfilter so you can tar-pit the attacks.
- If you are in a co-lo, talk to your bandwidth providers (you should have more than one) about DDoS protection.
- If you are on a hosted server, pick a vendor like RackSpace that provides DoS mitigation.
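For the Netfilter item, here is an added example (not from the original post) of what "tar-pit the attacks" looks like as iptables rules. It rate-limits new HTTP/HTTPS connections per source IP with the hashlimit match and sends anything over the limit to the TARPIT target, which completes the handshake and then holds the socket open with a zero window so the bot's connection slot is wasted without consuming a server process. Assumptions: a stock kernel with the hashlimit and multiport matches, the TARPIT target from xtables-addons, `eth0` as the public interface, and the 20/s and burst-100 thresholds, which are placeholders you must tune for your own traffic. Run it with DRY_RUN=1 (the default) to review the generated commands; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: Netfilter rules for the
# "tar-pit the attacks" item. DRY_RUN=1 (default) prints the commands for
# review; DRY_RUN=0 applies them (needs root). Assumed: iptables with the
# hashlimit and multiport matches, and the TARPIT target from xtables-addons.

DRY_RUN="${DRY_RUN:-1}"
IFACE="${IFACE:-eth0}"      # assumed public-facing interface
PORTS="${PORTS:-80,443}"    # assumed web ports
NEW_RATE="${NEW_RATE:-20/sec}"   # assumed steady-state new connections per source IP
NEW_BURST="${NEW_BURST:-100}"    # assumed burst allowance per source IP

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emits (or applies) the whole rule set. Output in dry-run mode is one
# command per line so it can be diffed and reviewed before being applied.
apply_ddos_rules() {
    # SYN cookies so a plain SYN flood cannot exhaust the listen backlog.
    run sysctl -w net.ipv4.tcp_syncookies=1

    # Dedicated chain so the rules can be flushed and reloaded on their own.
    run iptables -N WEB_FLOOD
    run iptables -F WEB_FLOOD

    # Only connection attempts (SYN) to the web ports go through the chain;
    # --syn is used instead of conntrack state so TARPIT's held-open sockets
    # do not depend on (or fill) the conntrack table.
    run iptables -I INPUT -i "$IFACE" -p tcp --syn \
        -m multiport --dports "$PORTS" -j WEB_FLOOD

    # Per-source rate limit on new connections: allow NEW_BURST, then NEW_RATE.
    # Sources under the limit RETURN to INPUT and are handled normally.
    run iptables -A WEB_FLOOD -m hashlimit --hashlimit-name web_new \
        --hashlimit-mode srcip --hashlimit-upto "$NEW_RATE" \
        --hashlimit-burst "$NEW_BURST" -j RETURN

    # Everything over the limit is tar-pitted: the kernel answers the
    # handshake and then holds the connection at a zero window, so the bot
    # keeps a socket busy and no userland process is spent on it.
    run iptables -A WEB_FLOOD -j TARPIT
}

apply_ddos_rules
```

Two caveats a practitioner should keep in mind. First, this conserves server resources (sockets, worker processes) against floods from a modest number of hosts; it does nothing for the saturated-pipe case described above, because the packets have already crossed your link by the time Netfilter sees them. Second, hashlimit keys on source IP, so a large office or ISP behind one NAT address can trip the limit with legitimate traffic; watch the rule counters before lowering the thresholds.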

I know Cable & Wireless, AT&T and Verizon all offer DDoS mitigation. They route the bad packets away from you, and even the RBN does not have enough bots to saturate that much bandwidth.