
DDoS Prevention and Mitigation

Denial of Service (DoS) attacks against MOREnet members have become more frequent in the last few months. These attacks use a wide spectrum of attack vectors and can be carried out by different methods. A traditional DoS attack targets a specific network, application or service and attempts to exhaust its available resources so legitimate users are denied access. A Distributed Denial of Service (DDoS) attack uses multiple devices to attack a single target. A Distributed Reflection Denial of Service (DrDoS) attack uses multiple "man-in-the-middle" devices to redirect/reflect the attack traffic onto the target.

There are basically two ways members can be affected by DDoS attacks — a device or service running on the member’s network can be the target of an attack, or the device or service can be compromised or vulnerable and participate in an attack against someone else. If the device or service is vulnerable, there are usually ways to secure it (e.g., patching, upgrading, disabling the service, or blocking ports or protocols at the firewall or on our core network). If the device or service is the target of a DDoS attack, the proactive methods available to secure or protect it are limited and often difficult to implement. Unfortunately, these are the attacks that can disrupt service to other members even when they aren’t the target.

MOREnet uses several different methods to help protect our members against these types of attacks. We monitor network traffic in real time using NetFlow and MRTG, which helps identify IP addresses associated with large amounts of inbound or outbound traffic on a member’s Internet connection. We have several access control lists (ACLs) configured on our core routers that block certain types of inbound traffic so it never reaches the member’s connection. Our core network engineers also maintain communications and relationships with our four network providers to help mitigate attacks as quickly as possible, and they were able to lower the response rate-limit threshold for the Network Time Protocol (NTP) on one of the provider networks.

Best Practices

While MOREnet does everything we can to prevent and mitigate attacks, members can do a lot to help. All members should monitor their network traffic on a regular basis. Both NetFlow reports and MRTG graphs are available via MyMOREnet.

In addition, take steps to secure your network. Review the services running on your network. If they’re necessary, make sure they are secured. If they’re not being used, disable them, especially those known to be abused in reflection attacks (e.g., DNS, NTP, CHARGEN). Apply patches and updates — don’t become part of the problem. Develop an incident response plan; if your network slows down or you notice unusual traffic, please call MOREnet Technical Support. It’s better to be safe than sorry.
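The two situations described above (a member host acting as a reflector, and a member host being the target) both show up in NetFlow data. The following added example, which is not MOREnet tooling, checks constructed flow records for each pattern; it assumes the member's address block is 192.0.2.0/24 (a documentation prefix) and that flows are available as simple tuples exported from a collector.

```python
"""Flag reflection/amplification and inbound-flood patterns in NetFlow-style records."""
from collections import defaultdict

# UDP services the article names as commonly abused reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN"}

# Constructed sample flows (hypothetical addresses, not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    ("192.0.2.10", 123, "198.51.100.7", 4455, "udp", 4000, 1_900_000),  # member NTP box answering
    ("198.51.100.7", 4455, "192.0.2.10", 123, "udp", 4000, 200_000),    # the small spoofed queries
    ("192.0.2.20", 53, "203.0.113.5", 33000, "udp", 12, 9_000),         # ordinary DNS answers
    ("203.0.113.5", 33000, "192.0.2.20", 53, "udp", 12, 900),
    ("192.0.2.30", 443, "203.0.113.9", 51000, "tcp", 500, 600_000),     # normal HTTPS
    ("203.0.113.1", 123, "192.0.2.40", 9999, "udp", 3000, 1_400_000),   # member host being flooded
    ("203.0.113.2", 123, "192.0.2.40", 9999, "udp", 3000, 1_400_000),
]

def is_member_host(ip, prefix="192.0.2."):
    return ip.startswith(prefix)

def find_reflectors(flows, prefix="192.0.2.", min_ratio=5.0, min_bytes=500_000):
    """Member hosts whose UDP service sends far more bytes to a peer than it receives
    from that peer: the amplification signature of a host used as a reflector."""
    sent_by = defaultdict(int)   # (member_ip, service_port, peer) -> bytes sent
    recv_by = defaultdict(int)   # same key -> bytes received from peer
    for src, sport, dst, dport, proto, _pk, nbytes in flows:
        if proto != "udp":
            continue
        if is_member_host(src, prefix) and sport in REFLECTOR_PORTS:
            sent_by[(src, sport, dst)] += nbytes
        elif is_member_host(dst, prefix) and dport in REFLECTOR_PORTS:
            recv_by[(dst, dport, src)] += nbytes
    flagged = {}
    for (host, port, peer), sent in sent_by.items():
        recv = recv_by.get((host, port, peer), 0)
        ratio = sent / recv if recv else float("inf")
        if sent >= min_bytes and ratio >= min_ratio:
            flagged[host] = (REFLECTOR_PORTS[port], peer, round(ratio, 1))
    return flagged

def find_flood_targets(flows, prefix="192.0.2.", min_bytes=1_000_000):
    """Member hosts receiving more than min_bytes from outside; the distinct-source
    count helps tell a distributed attack from one chatty peer."""
    volume, peers = defaultdict(int), defaultdict(set)
    for src, _sp, dst, _dp, _pr, _pk, nbytes in flows:
        if is_member_host(dst, prefix) and not is_member_host(src, prefix):
            volume[dst] += nbytes
            peers[dst].add(src)
    return {h: (b, len(peers[h])) for h, b in volume.items() if b >= min_bytes}
```

Thresholds are illustrative; tune them against a baseline from your own MyMOREnet NetFlow reports before alerting on them.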

DDoS and Amplification Attacks Web Seminar