Avoiding the DDOS plague - mjcpk web design and development

Avoiding the DDOS plague

Thursday, December 23rd, 2010

Distributed Denial of Service (DDOS) attacks have been in the news a lot lately. Wikileaks was attacked and then their supporters launched attacks of their own in retaliation. It seems to be an increasingly popular way of hitting out at your enemies online. A number of news articles have mentioned that it is now often used as a way to censor human rights groups: DDoS Attacks Aim to Censor Human Rights Groups – InfoSec Island

ddos - distributed denial of service

Weathering the storm of a DDOS attack can be a costly business and is often beyond the budget of human rights groups and charities. Hosting companies don’t like their servers being battered because of the knock-on effect on their other customers. Groups can be asked to move from shared hosting to a dedicated server, or to find alternative hosting altogether.

The whole problem stems from having a single point of failure. Any server, no matter how well prepared, can only deal with so many requests. Expensive load-balancing setups can alleviate the problem but, ultimately, faced with sufficient numbers they too will be overwhelmed.

The DNS standards allow multiple IP addresses to be assigned to a single domain name. This has always been considered a poor man’s load balancing, because the addresses are handed out in round-robin order with no analysis of server load beforehand. Whilst this doesn’t suit conventional load balancing, I believe it can be used effectively to reduce the impact of DDOS attacks.

To ensure that their message wasn’t lost in the DDOS barrage, Wikileaks duplicated their content on over 500 other web servers worldwide. The main site went down but the information remained available elsewhere. If we combine this approach with round-robin IP addresses, we have a method of spreading the load of a DDOS attack across many servers and thus reducing its impact. Hackers from Anonymous had to give up their revenge attacks on Amazon, Mastercard etc. because they didn’t have the numbers to be truly effective. The more servers involved, the harder it becomes for the attackers to mount an effective attack.
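The two paragraphs above rest on one mechanism: a name with several A records, answered in rotating order, so that newly arriving clients (attacking or not) are spread across every server in the set. The simulation below is an added example and is not code from the original post. It models a small authoritative zone with four constructed RFC 5737 documentation addresses, rotates the record order on every answer as a round-robin DNS server does, and counts where each simulated client ends up. Running it once with all servers healthy and once with one server already overwhelmed also shows the limitation the post itself points out: the rotation knows nothing about server state, so a downed host keeps receiving its full share of new clients until its record is pulled from the zone.

```python
"""Round-robin DNS load spreading, simulated.

Added example, not code from the original post. The zone, the addresses
and the client counts are all constructed for illustration.
"""
from collections import Counter, deque
from typing import Dict, FrozenSet, List

# Equivalent BIND-style zone entries would simply repeat the name:
#   www  IN  A  192.0.2.10
#   www  IN  A  198.51.100.10
#   www  IN  A  203.0.113.10
#   www  IN  A  192.0.2.20
SAMPLE_ZONE = {
    "www.example.org": [
        "192.0.2.10", "198.51.100.10", "203.0.113.10", "192.0.2.20",
    ],
}


class RoundRobinZone:
    """Minimal authoritative zone that rotates A records on every answer."""

    def __init__(self, records: Dict[str, List[str]]):
        # A deque per name keeps independent rotation state for each name.
        self._records = {name: deque(addrs) for name, addrs in records.items()}

    def answer(self, name: str) -> List[str]:
        """Return the A records for name in their current order, then rotate."""
        rr = self._records[name]
        reply = list(rr)
        rr.rotate(-1)  # the address that was first moves to the back
        return reply


def simulate_clients(zone: RoundRobinZone, name: str, n_clients: int,
                     down: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """Resolve name once per client and connect to the first address answered.

    Returns a hit count per address; the key 'failed' counts clients that
    were handed an address in `down`, i.e. a server already knocked over.
    """
    hits: Counter = Counter()
    for _ in range(n_clients):
        first = zone.answer(name)[0]
        hits["failed" if first in down else first] += 1
    return dict(hits)


def spread_report(n_clients: int = 1000) -> Dict[str, Dict[str, int]]:
    """Run the simulation with all servers healthy and with one server down."""
    name = "www.example.org"
    healthy = simulate_clients(RoundRobinZone(SAMPLE_ZONE), name, n_clients)
    degraded = simulate_clients(RoundRobinZone(SAMPLE_ZONE), name, n_clients,
                                down=frozenset({"203.0.113.10"}))
    return {"healthy": healthy, "one_down": degraded}


if __name__ == "__main__":
    for label, counts in spread_report().items():
        print(label, counts)
```

With four records and 1000 clients each server sees 250 connections; take one server out and 250 clients still fail, because nothing in the DNS answer reflects that server's state. In practice the spread is rougher than the simulation suggests: resolvers and browsers cache an answer for its TTL and some reorder the records, so a short TTL and quick removal of records for overwhelmed hosts are what make this approach work as a mitigation.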

What is required to make this usable by charities and other groups is an organisation that provides them with a single FTP upload point and deals with the rest for them. The organisation would need to rent server space from as many hosts as it can (easy to do using basic reseller plans), manage the DNS details and duplicate the content across the servers.
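An organisation duplicating one upload point onto many rented servers needs a way to know that every mirror is serving exactly the current content, and to bring a stale or drifted mirror back into line. The script below is an added example, not the post's own or any project's code: it builds a SHA-256 manifest of the master copy, compares each mirror against it, reports files that are missing, stale or not supposed to be there at all, and then syncs the mirror. The mirrors are represented as local directories and the content is constructed, so it runs offline; against real hosts the same comparison would run over a manifest fetched from each server.

```python
"""Mirror manifest check and sync for replicated site content.

Added example, not code from the original post. Master and mirrors are
plain local directories filled with constructed sample files.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each relative file path under root to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(master: Dict[str, str], mirror: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between a master manifest and a mirror's."""
    return {
        "missing": sorted(set(master) - set(mirror)),
        "stale": sorted(p for p in master if p in mirror and mirror[p] != master[p]),
        "unexpected": sorted(set(mirror) - set(master)),  # not on the master at all
    }


def sync_mirror(master_root: Path, mirror_root: Path) -> Dict[str, List[str]]:
    """Bring mirror_root into line with master_root; return what was wrong."""
    diff = compare(build_manifest(master_root), build_manifest(mirror_root))
    for rel in diff["missing"] + diff["stale"]:
        dst = mirror_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes((master_root / rel).read_bytes())
    for rel in diff["unexpected"]:
        (mirror_root / rel).unlink()  # content the master never published
    return diff


def build_fixture(base: Path) -> None:
    """Constructed sample content: a master copy and two imperfect mirrors."""
    master = base / "master"
    (master / "docs").mkdir(parents=True)
    (master / "index.html").write_text("<h1>Report 2010</h1>")
    (master / "docs" / "report.txt").write_text("final text")
    m1 = base / "mirror1"
    (m1 / "docs").mkdir(parents=True)
    (m1 / "index.html").write_text("<h1>Report 2010</h1>")  # current
    (m1 / "docs" / "report.txt").write_text("draft text")   # stale copy
    m2 = base / "mirror2"
    m2.mkdir()
    (m2 / "index.html").write_text("<h1>Report 2010</h1>")  # report.txt missing
    (m2 / "old.html").write_text("removed upstream")        # unexpected file


def run_demo() -> Dict[str, Dict[str, Dict[str, List[str]]]]:
    """Build the fixture in a temp dir, sync both mirrors, return before/after."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_fixture(base)
        master = base / "master"
        results = {}
        for name in ("mirror1", "mirror2"):
            before = sync_mirror(master, base / name)
            after = compare(build_manifest(master), build_manifest(base / name))
            results[name] = {"before": before, "after": after}
        return results


if __name__ == "__main__":
    for mirror, report in run_demo().items():
        print(mirror, "before:", report["before"], "after:", report["after"])
```

Hashing rather than comparing timestamps means a mirror that has been altered on the host, not merely left behind by a late sync, shows up as stale or unexpected too, which is the check an operator wants before pointing DNS at that server.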

There are many people looking at other methods of managing DNS; the Distributed DNS project is one example. Any change to the DNS infrastructure of the web is a major undertaking and requires the agreement of many groups and organisations but, in the meantime, this looks like something that can be done now to mitigate the effects of online attacks on free speech.