Denial of Service defense

Most Distributed or standard Denial of Service (DDoS/DoS) tools are open source utilities written in C# or Java. We demonstrated in Chapter 6, Web Attacks, how a single person using a DoS tool can have a devastating impact on a business by limiting access to online resources or taking down a website. DDoS/DoS tools are advertised as web application stress-testing tools. Although they could potentially be used for that, in many cases they are used for nefarious purposes.

DDoS/DoS attacks in most cases require abusing network infrastructure hardware. One common method of defending against DDoS/DoS is deploying network devices that can handle a large influx of packets and can detect anomalous behavior and traffic patterns. Identified malicious traffic should be filtered automatically to avoid interruption of service. Tools from vendors, such as load balancers and web application firewalls, do a great job of detecting and defending against volumetric and application-layer attacks. Security tools with DoS detection capabilities are able to recognize network, session, and application layer traffic, which is important for mitigating DoS risks that can exist at all layers of the protocol stack.

To defend against sustained and prolonged attacks, many organizations turn to a DDoS application service provider. A DDoS application service provider works with your ISP and attempts to stop DDoS traffic from reaching your network by redirecting it away from your organization. They do this using routing protocols, such as BGP, and advanced DNS techniques.

Most DDoS/DoS attacks use spoofed or invalid IP addresses when attacking an organization. Network administrators should deploy Unicast Reverse Path Forwarding (Unicast RPF) on their Internet-facing border routers as a protection mechanism against spoofing of IP source addresses when used to launch DDoS attacks. Unicast RPF is considered a best practice for Internet-edge-facing routers, and a good start to defending against DDoS/DoS. Unicast RPF is configured at the interface level on Cisco routers. Other enterprise manufacturers may have similar features on their routers as well. When Unicast RPF is configured, packets whose source IP addresses cannot be verified against the routing table, or that are invalid, are dropped.
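To make the Unicast RPF decision concrete, the following is an added example (not from the book and not vendor code) that emulates, in Python, what the router does for each arriving packet: it looks up the packet's source address in a small constructed forwarding table and checks whether the reverse path points back out the interface the packet came in on. The interface names (Gi0/0 towards the ISP, Gi0/1 internal, Gi0/2 DMZ), the prefixes, and the sample packets are all assumptions constructed for the example.

```python
import ipaddress

# Constructed forwarding table for a border router: (prefix, egress interface).
# Gi0/0 faces the ISP (default route), Gi0/1 the internal network, Gi0/2 a public DMZ block.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),
    (ipaddress.ip_network("10.0.0.0/8"), "Gi0/1"),
    (ipaddress.ip_network("203.0.113.0/24"), "Gi0/2"),
]


def lookup(src_ip):
    """Longest-prefix match: returns (matched prefix, egress interface) or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_verdict(src_ip, ingress_iface, mode="strict", allow_default=False):
    """
    Emulate the uRPF decision for one packet.
    strict: the route back to the source must leave via the ingress interface.
    loose : any route to the source is enough; only unroutable sources fail.
    allow_default: whether the default route counts as a valid reverse path.
    Returns "pass" or "drop".
    """
    match = lookup(src_ip)
    if match is None:
        return "drop"                      # no route back to the source at all
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return "drop"                      # only the default route matched
    if mode == "loose":
        return "pass"
    return "pass" if egress == ingress_iface else "drop"


# Constructed sample packets: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("198.51.100.7", "Gi0/0"),   # ordinary Internet source arriving from the ISP
    ("10.20.30.40", "Gi0/0"),    # internal address arriving from the Internet: spoofed
    ("203.0.113.9", "Gi0/0"),    # our own DMZ block arriving from the Internet: spoofed
    ("10.20.30.40", "Gi0/1"),    # internal host on the internal interface: legitimate
    ("192.0.2.55", "Gi0/1"),     # foreign source leaving from the LAN: spoofed outbound
]


def check_packets(packets, **kwargs):
    """Apply urpf_verdict to every packet; returns (src, ingress, verdict) triples."""
    return [(src, iface, urpf_verdict(src, iface, **kwargs)) for src, iface in packets]


if __name__ == "__main__":
    for src, iface, verdict in check_packets(SAMPLE_PACKETS, mode="strict", allow_default=True):
        print(f"{src:>14} on {iface}: {verdict}")
```

Running it shows the two classic spoofing cases on the Internet-facing interface (a packet claiming an internal 10.x address, or our own public block, as its source) being dropped, while the genuine Internet source passes. The `allow_default` switch matters on a border router that carries only a default route towards the ISP: with it off, strict mode drops every Internet source, which is why strict uRPF on an Internet-facing interface needs either the default route allowed or loose mode. On Cisco IOS the corresponding interface commands are `ip verify unicast source reachable-via rx` (strict) and `ip verify unicast source reachable-via any` (loose), with the optional `allow-default` keyword.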

A more recent technique for identifying DDoS/DoS traffic is leveraging NetFlow in conjunction with transit access lists to stop the traffic from entering the network, as well as to identify internal attacks. Traffic behavior is analyzed, and any indication that the network is seeing malicious traffic, such as Smurf or Teardrop packets, triggers an alarm. Leading DDoS/DoS solutions offer the ability to monitor for both internal and external DDoS/DoS threats.
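The following added example (not from the book, and not the code of any NetFlow product) shows the kind of analysis a flow-based detector performs. It runs two Smurf-related checks over a constructed set of NetFlow-style records: echo requests aimed at the directed-broadcast address of a protected internal subnet (the internal side of a Smurf attack), and echo replies from many distinct sources converging on a single destination within a short window (the victim's side). The subnets, thresholds, and flow records are assumptions built for the example; NetFlow v5 encodes the ICMP type and code in the destination-port field, and the records here carry it already decoded.

```python
import ipaddress
from collections import defaultdict

# Constructed list of internal subnets whose directed-broadcast addresses we watch.
INTERNAL_SUBNETS = [ipaddress.ip_network("10.2.2.0/24"), ipaddress.ip_network("10.3.0.0/16")]


def make_sample_flows():
    """Constructed NetFlow-style records (not real captures).
    Fields: src, dst, proto, icmp_type (None for non-ICMP), packets, ts (seconds)."""
    flows = [
        {"src": "10.2.2.15", "dst": "198.51.100.20", "proto": "TCP", "icmp_type": None, "packets": 12, "ts": 100},
        {"src": "10.2.2.16", "dst": "198.51.100.53", "proto": "UDP", "icmp_type": None, "packets": 2, "ts": 101},
        # echo-request aimed at the directed broadcast of an internal /24
        {"src": "10.1.1.5", "dst": "10.2.2.255", "proto": "ICMP", "icmp_type": 8, "packets": 500, "ts": 102},
    ]
    # 40 distinct reflectors returning echo-replies to one victim within 3 seconds
    for i in range(40):
        flows.append({"src": f"192.0.2.{i + 1}", "dst": "203.0.113.10", "proto": "ICMP",
                      "icmp_type": 0, "packets": 250, "ts": 103 + (i % 3)})
    return flows


def is_directed_broadcast(ip, subnets):
    addr = ipaddress.ip_address(ip)
    return any(addr == net.broadcast_address for net in subnets)


def detect_smurf_requests(flows, subnets=INTERNAL_SUBNETS):
    """Alert on ICMP echo-requests addressed to a directed broadcast of a protected subnet."""
    alerts = []
    for f in flows:
        if f["proto"] == "ICMP" and f["icmp_type"] == 8 and is_directed_broadcast(f["dst"], subnets):
            alerts.append(("smurf-request", f["src"], f["dst"], f["packets"]))
    return alerts


def detect_reply_floods(flows, window=5, min_sources=20, min_packets=5000):
    """Alert when echo-replies from many distinct sources converge on one destination
    within `window` seconds. Reports the busiest window per destination."""
    by_dst = defaultdict(list)
    for f in flows:
        if f["proto"] == "ICMP" and f["icmp_type"] == 0:
            by_dst[f["dst"]].append(f)
    alerts = []
    for dst, fl in by_dst.items():
        fl.sort(key=lambda f: f["ts"])
        best = (0, 0)          # (distinct sources, packets) of the busiest window seen
        start = 0
        for end in range(len(fl)):
            while fl[end]["ts"] - fl[start]["ts"] > window:   # slide the window forward
                start += 1
            chunk = fl[start:end + 1]
            stats = (len({f["src"] for f in chunk}), sum(f["packets"] for f in chunk))
            best = max(best, stats)
        if best[0] >= min_sources and best[1] >= min_packets:
            alerts.append(("smurf-reply-flood", dst, best[0], best[1]))
    return alerts


if __name__ == "__main__":
    sample = make_sample_flows()
    for alert in detect_smurf_requests(sample) + detect_reply_floods(sample):
        print(alert)
```

Against the constructed records the first check flags the single echo-request to 10.2.2.255, and the second flags 203.0.113.10 as receiving replies from 40 sources in one window; raising `min_sources` above 40 silences it, which is the knob an operator tunes to the normal ICMP background of the network. Teardrop, by contrast, relies on overlapping fragment offsets that flow records do not carry, so that signature needs a packet-level sensor rather than NetFlow.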
