Unless you’ve been on a sabbatical in a remote and unconnected part of the world, I don’t think you could have missed the news regarding WikiLeaks (the “whistleblower” web site) and its founder, Julian Assange. To put it succinctly, in the last few weeks attempts have been made to shut down WikiLeaks’ operations, from payment processors to hosting providers and others. Mr. Assange has had unrelated charges filed against him and was recently arrested on those charges.
But this article isn’t about his arrest; it’s about the resultant firestorm that continues to rage across the Internet as countless people rise up and protest against what can be described as “Internet censorship”. The protests are being conducted in a way that can be devastating to any organization that finds itself in the crosshairs of the “ION Cannons” (more on those later). For those who are wondering, the collective action I was referring to is the devastating DDoS (Distributed Denial of Service) attack.
Example of coordination via Twitter
(1) Separate the internal business functions, whatever those might be, from the public-facing web servers. This has continually been one of the key methods of preventing DDoS attacks from severely impacting the internal operations of any organization. For organizations that depend on online ordering, a DDoS attack can have a crippling effect.
(2) Having a hosting company host your website(s) as well as your DNS is crucial. Hosting companies are more readily able to absorb a flood of inbound traffic than most non-hosting organizations: they often have the expertise, bandwidth and equipment necessary to respond to the attack. Note: not all hosting companies are created equal, and one’s mileage may vary depending on the type and intensity of the attack. There are also various costs involved with different services and SLAs (Service Level Agreements).
(3) Use rate-limiting/traffic-shaping front-end hardware to reduce the amount of traffic that can reach mission-critical servers (such as e-commerce sites). This may also come in the form of a proxy-type service that classifies traffic and only forwards non-malicious traffic. Note that a firewall at the perimeter can itself become a bottleneck and slow down the site it is meant to protect. Having a hardware appliance up front with defined ACLs (Access Control Lists) to filter packets quickly is a good first step.
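As an added example (not part of the original article or of any ESET tooling), the two controls that the front end in point (3) applies, a per-source rate limit that catches one noisy host and a global cap that sheds whatever the backend cannot absorb, can be modelled in a few lines of Python; the IP addresses, thresholds and traffic mix below are constructed for illustration.

```python
from collections import defaultdict, deque

PER_SOURCE_LIMIT = 5    # requests one source may send per WINDOW seconds (illustrative)
WINDOW = 1.0            # sliding-window length in seconds
GLOBAL_RATE = 20.0      # requests/second the backend is assumed to absorb
GLOBAL_BURST = 20.0     # token-bucket capacity (burst headroom)

class FrontEndLimiter:
    def __init__(self):
        self.windows = defaultdict(deque)  # src_ip -> timestamps of recent requests
        self.tokens = GLOBAL_BURST         # global token bucket protecting the backend
        self.last_refill = None

    def _refill(self, now):
        if self.last_refill is not None:
            elapsed = now - self.last_refill
            self.tokens = min(GLOBAL_BURST, self.tokens + elapsed * GLOBAL_RATE)
        self.last_refill = now

    def decide(self, now, src_ip):
        """Classify one request: 'forward', 'drop:source' or 'drop:global'."""
        win = self.windows[src_ip]
        while win and now - win[0] >= WINDOW:   # expire entries outside the window
            win.popleft()
        if len(win) >= PER_SOURCE_LIMIT:
            return "drop:source"   # this single source exceeded its share
        win.append(now)
        self._refill(now)
        if self.tokens < 1.0:
            return "drop:global"   # aggregate load exceeds backend capacity
        self.tokens -= 1.0
        return "forward"

def process(requests):
    """requests: iterable of (timestamp, src_ip); returns counts per verdict."""
    limiter, counts = FrontEndLimiter(), defaultdict(int)
    for ts, ip in sorted(requests):
        counts[limiter.decide(ts, ip)] += 1
    return dict(counts)

def sample_traffic():
    """Constructed mix: one legitimate client, one flooder, 40 distributed hosts."""
    legit = [(0.5 * (i + 1), "198.51.100.10") for i in range(10)]   # 2 req/s, all forwarded
    flood = [(0.01 * i, "203.0.113.7") for i in range(100)]          # 100 req in 1 s, per-source limit
    spread = [(3.25, f"192.0.2.{k}") for k in range(1, 41)]          # 1 req each, only global cap applies
    return legit + flood + spread

if __name__ == "__main__":
    print(process(sample_traffic()))  # {'forward': 35, 'drop:source': 95, 'drop:global': 20}
```

The distributed burst shows why the per-source limit alone is not enough: each of the 40 hosts stays under its own allowance, and only the global cap stops the backend from seeing all of them at once.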
Sr. Security Evangelist
p.s. Oh, and about those Low-Orbit ION Cannons, read more about them here: http://www.urbandictionary.com/define.php?term=Low%20Orbit%20Ion%20Cannon
Author ESET Research, ESET