network_attacksSlightly over a month ago, it almost seemed like the real-time world came to an end when Twitter went down from a denial of service (DoS) attack. Most other services like Facebook, livejournal and even Google to some extent bore the brunt of the attack. Folks addicted to real-time streams were left twiddling their thumbs while rest of the world kept speculating on the origins, the hows, and the whys of the attack. Very few, however, talked about  whether the attack could have been prevented or mitigated and what lessons if any were learned.  The ‘how can we prevent it’ question also came up in a recent conversation I was having with someone. Given that every business today sells something online (either products or services), the recent DDoS attack carries significance for all.

Not with a bang, but a Twitter

Not with a bang, but a Twitter

DDoS, if you are not familiar, is Distributed Denial of Service where the hacker takes control of  several computers like yours and then launches a concerted attack on the victim.  (slow internet connection without much activity? – your computer is probably being used by a hacker).

DDoS and several other types of attacks are not uncommon. It is just that networks have evolved to handle such attacks and in some cases the attacks are not significant enough to be reported.  Over the years network monitoring and analysis tools (an over $3 Billion market today) have matured providing network administrators more forewarning and helping them mitigate the disruption caused by such attacks. Even way back in 2003, as part of research (see the IEEE paper below for more reading), we were working efficient frameworks and metrics for real-time monitoring and analysis – something that is very much relevant even today. So yes we do have the tools.

The real problem with Twitter was that they did not invest much into equipping their network and servers to handle something like this, which is sadly the case with most start-ups where there is rapid growth and constraints on how much cash you can burn.

But here are simple steps you can take to mitigate an attack on your network…

  1. Design your network well, run some load and attack scenarios to know which nodes are vulnerable. There are many tools available for network design today.
  2. Deploy network monitoring and analysis tools for real-time statistics. Know what metrics to track and keep track of  loads during normal operation.
  3. Set up threshold values for alerts. For example in the paper below we proposed different metrics for individual nodes (routers, servers etc) and the system as a whole. Threshold values will also determine other parameters you can be set like the DNS TTL etc.
  4. An attack may not be prevented but can be mitigated for sure. If you are a victim, go back to (1) above, run the attack scenario in simulation and revamp your network.

For more details on what parameters can be monitored and what kind of analysis you can perform, the paper below might help. Although I should say that algorithms have evolved and become more sophisticated over the years.