Computerworld

Five tips from a CIO on dealing with massive DDoS attacks

LiveJournal is a social-media blogging site that attracts millions of users each month from across the globe, especially the U.S. and Russia. Owned by Moscow-based SUP Media, its website is hosted in a Montana data center, and according to Tim Turner, the firm's London-based CIO, LiveJournal regularly faces massive distributed denial-of-service (DDoS) attacks.

DDoS attacks "have grown in size and complexity in the last three years," says Turner, noting that every couple of months, an attacker exploiting DDoS botnets will try to blitz LiveJournal with gigabits of malicious traffic. Here are his tips about responding:

#1: It's critical to recognize early that an attack is occurring. The attack traffic starts to crowd out the legitimate traffic and you want to keep to a bare minimum any "collateral damage" that prevents the user population from reaching your website, says Turner.


LiveJournal uses monitoring of the global Internet that flags changes in traffic. It's a good idea to have anti-DDoS equipment or an anti-DDoS provider to turn to when trouble hits. But the relationship with a DDoS provider must be based on the idea of a partnership, he says. "When something happens on the website, we'll make the decision" to engage the anti-DDoS provider, Turner says. He notes he hasn't managed to automate the entire anti-DDoS process, though perhaps others have.

#2: Make sure your anti-DDoS provider shares data with you. Sometimes it's frustrating when anti-DDoS providers are "secretive with the data they have," Turner says. Some will not share botnet source addresses, for example, or other data that might profile the attacker. When an attack starts, decisions will have to be made about blocking IP addresses. The prevalence of network-address translation technology means there could be 20,000 people behind a single IP address. "You've got to get users to your website," says Turner, even as the DDoS attack escalates. Turner currently uses the service from Defense.Net in part because there's good data-sharing, he says. LiveJournal will re-direct traffic through Defense.Net for protection when a DDoS attack begins.

#3: Understand the type of DDoS attack that's coming. DDoS attacks vary in scope: some can be 5Gbps or even 30Gbps, some are application-specific, and others use SYN floods, UDP floods and other techniques. The "blended ones" that combine attack techniques are among the hardest to combat, says Turner.
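Tips #1 and #3 both come down to reading the traffic early: is the site running far above its normal rate, and which vectors make up the surge? The following is an added example, not LiveJournal's or Defense.Net's code, that scores one flow-collector window against an assumed baseline and names the vector mix; the flow records, baseline and thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed flow-summary records for a 10-second window, shaped like a
# flow collector's export: (protocol, tcp_flags, dst_port, packets).
# Assumed values, not real LiveJournal telemetry.
WINDOW_SECONDS = 10
BASELINE_PPS = 5_000          # assumed normal packets/second for the site
SURGE_FACTOR = 3.0            # alert when the window runs at 3x baseline

QUIET_WINDOW = [
    ("tcp", "PA", 443, 30_000),   # ordinary HTTPS sessions carrying data
    ("tcp", "S",  443,  2_000),   # normal handshake openers
    ("udp", "",    53,  1_000),   # DNS
]

BLENDED_WINDOW = [
    ("tcp", "PA", 443,  35_000),  # legitimate users still arriving
    ("tcp", "S",  443, 400_000),  # bare SYNs that never complete: SYN flood
    ("udp", "",   123, 300_000),  # UDP aimed at a random port: UDP flood
]

def classify_vectors(flows):
    """Tally packets by vector: SYN-only TCP flows (no ACK ever seen) are
    handshake openers, UDP is one vector, and established TCP carrying data
    counts as application-layer traffic."""
    by_vector = Counter()
    for proto, flags, _port, packets in flows:
        if proto == "tcp" and flags == "S":
            by_vector["syn_flood"] += packets
        elif proto == "udp":
            by_vector["udp_flood"] += packets
        else:
            by_vector["app_layer"] += packets
    return by_vector

def assess_window(flows, baseline_pps=BASELINE_PPS, window=WINDOW_SECONDS):
    """Return (verdict, pps, active_vectors). The window is an attack when it
    runs at SURGE_FACTOR times baseline; every non-application vector carrying
    at least 20% of the surge names the attack, and two or more is 'blended'."""
    by_vector = classify_vectors(flows)
    total = sum(by_vector.values())
    pps = total / window
    if pps < SURGE_FACTOR * baseline_pps:
        return "normal", pps, []
    active = sorted(v for v, n in by_vector.items()
                    if v != "app_layer" and n / total >= 0.20)
    if not active:
        return "app_layer_flood", pps, active   # surge is all real-looking requests
    return (active[0] if len(active) == 1 else "blended"), pps, active
```

The verdict is input to the decision to re-direct traffic to the provider; it deliberately does not block source addresses, since per-IP blocking runs into the NAT problem of tip #2.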

#4: Be clear about pricing with your anti-DDoS provider. Some providers are charging their customers based on "clean pipes," while "other providers want to charge for dirty traffic," Turner says. He adds that cheaper may not be the better deal if the anti-DDoS provider can't really filter out the attack traffic.

#5: Motivations for DDoS attacks are many. They can include extortion by demanding money to turn off the DDoS attack stream; simple rage over someone's expressed opinion; and even oddball episodes where someone will DDoS you as part of begging for a job. DDoS attackers love to strike when there are holidays and they think there are fewer IT staff to protect websites. Since November, "we've been hit four or five times, such as Christmas and New Year's," says Turner. "They want to catch you unaware." He thinks it's rare that DDoS attackers are ever apprehended. More information sharing among online businesses about DDoS attacks is needed, Turner says. Some industries, such as online gaming, have set up their own community groups to discreetly share the experiences they have had in combating DDoS attacks.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
