DDoS Attacks Explained

November 26, 2021
Industry Commentary

Distributed Denial of Service (DDoS) attacks have been much in the news lately, partly due to cyber liability insurers noticing their potential impact on small businesses. A DDoS attack is different from the typical malware or ransomware attack in that it does not seek to directly infiltrate a business. Instead, it attempts to disrupt or shut down a business by preventing legitimate users from accessing publicly available resources required for business operations.

For example, most businesses have websites on which they may conduct e-commerce; a DDoS attack would deluge these websites with a tsunami of fake transactions, overloading the website and stopping real transactions from happening. The purpose may be to extort money from the business, or simply to force it offline (and even, in some cases, just to prove a point!).

As a reference, here is a readable document describing how DDoS impacts small biz:

A useful excerpt from this document:

Any public service can fall victim to a DDoS attack, such as mobile application APIs, web pages, e-mail services, or DNS services. The affected service becomes completely unavailable during the attack, which means that any mobile applications, web pages, or email services will be inaccessible.

The key here is "public service such as mobile APIs, web pages ". Unless the business is hosting some kind of public service, and punching holes in its firewall to allow worldwide access to that service, there isn't any way an effective DDoS attack can be directly mounted against it. Against the cloud service providers it relies on - that's another story. However, the security of those cloud services is the responsibility of the service provider(s).

Since DDoS attacks are aimed at public resources, there is little point in directing the attack at the office of a small business, unless that office is hosting some kind of public server such as a web server.

For example, a "SYN flood" is a common DDoS attack that seeks to overrun a public server by filling up its connection tracking tables with garbage entries. However, the Uplevel gateway summarily drops all inbound unsolicited SYNs without even bothering to make a connection tracking table entry; thus such an attack is useless against an Uplevel gateway.

Hence most of the hype surrounding DDoS attacks does not apply to a well-designed and properly configured business-class firewall such as the Uplevel gateway.

Of course, there firewalls where either TCP/UDP ports are open to the world (e.g., for a management web page), or the internal CPU and processing paths are unable to keep up with the volume of unwanted traffic - this does spell trouble.

For example, an underpowered firewall can crash, or even 'leak', if it receives a SYN flood that exceeds its ability to process and recognize unsolicited inbound packets and drop them fast enough. This is a simple horsepower issue. The Uplevel firewall, on the other hand, is designed with a network processor that can process inbound packets up to the line rate of the WAN link (1 Gb/s) without falling behind.

Even if a DDoS botnet fills the entire ISP WAN link with unsolicited traffic, nothing happens; the gateway will just drop the whole lot and nothing gets through. This is why it is important to use a firewall that is adequate to the task of protecting and supporting a small business. 

Note that there is a secondary effect to be considered. If a botnet is set up to bombard an Uplevel gateway with a SYN flood or similar 'volumetric' DDoS attack, the ISP will dutifully convey all those packets to the Uplevel gateway. These SYNs will be immediately dropped by the gateway, but in the mean time they'll consume bandwidth on the ISP downlink.

The users will perceive that as a hit to their Internet bandwidth. There isn't any way a firewall can stop an ISP from passing all those SYN packets to it; only the ISP can do that. (Hopefully the ISP will recognize that a DDoS attack is occurring and cut off the flow of packets at its source, but there is no guarantee that will occur).

So what can a small business do to avoid being impacted by a DDoS attack? The absolute best way to guard against the (low) chance that someone is going to mount a DDoS attack against a small business' public IP is to close off all public access to that IP:

1. Don't have port forwarding rules in place to send traffic to internal servers. Use Uplevel VPN access instead.

2. Don't use IPsec VPNs - these require port 500 and 4500 to be open to the world. Instead, use Uplevel's 'call-out' VPN technology, which eliminates the need to open ports on the gateway or the ISP modem.

If no port-forwarding rules or IPsec VPNs are active, then the Uplevel gateway is essentially invisible to the world - unsolicited packets or probes are summarily dropped, and the attacker doesn't know whether the targeted public IP even exists. At that point, a DDoS attack is equivalent to throwing something against a brick wall with no holes. The Uplevel gateways do this by default, so all that is necessary is to avoid reducing the 'brick wall' effect of the gateway.

For more information, or if you'd like us to take a look at your configuration for 'DDoS avoidance', simply give us a call!