Defying DOS Attacks
It's hard enough to create and manage an IT infrastructure that supports your business objectives. When you have to open that infrastructure up to the Internet, whether you offer services over the web or just have a user portal, you can readily find out first-hand the next level of that challenge. In recent weeks, the on-line social networking and micro-blogging service Twitter was the subject of an insidious hack called "Denial of Service" or DOS. The same type of hack has been launched against other social networking sites such as Facebook and against some e-commerce sites, including the rumored Amazon attack(s) in 2008. These attacks can be devastating and completely disabling for the targeted site.
According to Wikipedia, a Denial of Service (or Distributed Denial of Service) attack "occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers." This type of attack is particularly insidious because the computers that participate in the attack may be the hijacked (virus or trojan infected) computers of users who are unaware of the attack. In a DOS attack, the attacking computers can mask their Internet address and repeatedly request services of the web site they're attacking. One thousand computers generating just one thousand requests per hour can generate enough traffic to cause significant degradation of service on the average web server. These numbers can scale very quickly and have crippled some of the biggest, most sophisticated networks, such as Microsoft's.
The defense against DOS attacks is complex. First off, if you have the addresses of the perpetrating computers, how can you block them knowing that they are potentially just infected computers of users that may be within your legitimate constituency? Enter the Defense in Depth strategy or "DiD". DiD is a multi-pronged defense that combines multiple defenses and countermeasures in multiple layers of your network. It is a strategy recommended and used by CERT (a division of the Software Engineering Institute) and Homeland Security. DiD protects against DOS exploits by providing best practices for security across all layers of your network. For more on DiD, contact BestIT, or visit the NSA web site at http://www.nsa.gov/ia/_files/support/defenseindepth.pdf

