Guest Blog: Defending against DDoS


There appears to be some activity in the world of DDoS Defense. DDoS (Distributed Denial of Service) attacks have taken many forms over the years. From the early Ping Floods and Smurf attacks to much more sophisticated attacks. As an example of that sophistication look at the July attacks against 39 web sites in South Korea and the US. I wrote about these attacks in “Surviving Cyber War”:

While attacks against US websites are common this was remarkable in that the US was tied to South Korea as a co-target. The methodology of the attack was also interesting. An old piece of malware called MyDoom was modified and spread across the Internet. According to South Korea’s Internet and Security Agency it was hosted on a software update server. In other words, it did not attack a new vulnerability. Analysis of the code reveals that it was written on July 3rd. It apparently infected 210,000 un-patched windows desktops in less than a day and proceeded to launch denial of service attacks using Ping and GET floods. While the total bandwidth of attacks was reported to exceed 20 gigs of traffic each target only saw, on average, 39 mbps of traffic (according to Arbor Networks ASERT). The United States reported that several of the targets including (Federal Trade Commission responsible for prosecuting spammers and spyware distributors) (Federal Aviation Administration), were effectively shut down by the attacks. Several of the targeted sites survived unharmed including which is not surprising since Amazon operates arguably the largest and most robust ecommerce site in the world. These attacks have helped to highlight the lack of preparedness on the part of South Korean banks and government sites as well as those of several branches of the US government. The attacks also were the first to receive such wide spread recognition in the media. Cyber war and cyber attacks reached a new level of public awareness. (For more details see some of the papers presented at International Workshop on DDoS Attacks and Defenses held Sep. 29th-30th 2009, at KAIST-ICC, in Daejeon, Korea.)

It looks like the rise of DDoS as a weapon of disruption is driving demand and several vendors are responding. There are several types of products.

Proxy hosting services. This is one of the earliest techniques pioneered by Prolexic Technologies. See Barrett Lyon’s excellent description of how to set up your own proxy service to cache and load balance attacks using SQUID servers.

If your content is hosted on a Content Delivery Network (CDN) you get some rudimentary DDoS defense because you are hosted on a large network of load balanced servers.

In the Cloud Filtering. ATT And Verisign have sophisticated network based solutions that first detect DDoS and then channel a customer’s traffic through their data centers to scrub out the attack packets and apply various other techniques.

In Line Hardware. Solutions from TopLayer , CloudShield (for DNS), IntruGuard RioRay and of course IPS products, provide mitigation that a customer can install in front of their networks.

One product that is unique is from Webscreen Technologies. They use IP reputation in their platforms and maintain millions of IP addresses that are connected to an attack in-state to allow fast filtering.

As governments dig in to their exposure to DDoS look to them to become customers of these vendors and for the market to expand rapidly. While DDoS has been around since the inception of the Internet it is only now getting the attention it deserves as a threat.

Richard Stiennon is the Chief Research Analyst at IT-Harvest. He blogs regularly at and is the author of Surviving Cyber War (Government Institutes, 2010.)