Home / Blogs

Hosters: Is Your Platform Being Used to Launch DDoS Attacks?

Miguel Ramos

As anyone who's been in the DDoS attack trenches knows, large multi-gigabit attacks have become more prevalent over the last few years. For many organizations, it's become economically unfeasible to provision enough bandwidth to combat this threat.

How are attackers themselves sourcing so much bandwidth? It's actually easier than you might think. While botnets comprised of malware-infected computers can be used to launch attacks, you don't actually need thousands of devices. In some cases, attackers are infiltrating hosting company resources (shared hosting, virtual private servers, dedicated hosting, etc.), availing themselves of bandwidth by using hacked, stolen and fraudulent accounts.  

Let's say that an attacker manages to get his/her hands on 5 hosting accounts with 5 different hosting companies. It's not unusual for these hosting companies to have 1 Gbps+ of connectivity to the Internet. A lot of hosters don't look at their outbound traffic all that closely or have difficulty policing what their customers do. All an attacker needs to do is install a script on each account and he/she has easy access to gigabits of connectivity.

For hosters, finding the trouble spot can be like looking for a needle in a haystack (especially if thousands of accounts share resources). While the offender might be found eventually and the account shut down, the damage has already been done.
 
What can hosters do to help prevent this or detect this better?

Restrict outbound traffic from your customers by using ACLs (Access Control Lists). For example, there are few reasons your customers will ever need to make port 80 UDP connections to other hosts on the Internet. Put policies in place to block all outbound traffic except to specific, acceptable, understood destinations or ports. If customers have legitimate reasons to make an outbound connection from your infrastructure, they should be able to notify you and justify it (this will affect a only tiny percentage of your base) so you can make the appropriate arrangements. Some hosters do not even accommodate these requests.

Throttle outbound traffic from your customers. Even for legitimate outbound connections, most likely they don't need to take up 500 Mbps of outbound bandwidth. Simply set a lower limit. 

Put alarms in place when outbound traffic utilization spikes. If, for example, all of a sudden the amount of data leaving your network increases by 40%, there's probably an issue somewhere and your tech folks should be investigating.

Restricting and monitoring your outbound traffic will probably save you money on bandwidth costs and decrease the amount of abuse reports. Best of all, attackers will realize they're not getting what they want out of your platform. The less you have to worry about, the better, right?

By Miguel Ramos, Sr. Product Manager, Neustar Enterprise Services

Related topics: Access Providers, Cyberattack, DDoS, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

3 Questions to Ask Your DNS Host About DDoS

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Sponsored Topics

Verisign

Security

Sponsored by
Verisign
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
dotMobi

Mobile

Sponsored by
dotMobi
Afilias

DNS Security

Sponsored by
Afilias