DDoS attacks on the increase

An alert released last weekend by the National Infrastructure Protection Centre (NIPC) warns that distributed denial of service (DDoS) attacks are on the increase once again.

The announcement follows one such attack on the official website of the US presidency last Friday, which prevented all traffic from accessing the site.

The NIPC's alert warned that it had witnessed a marked increase in the number of attempts to conduct DDoS attacks by bombarding web servers with large user datagram protocol (UDP) packets on port 80, which is normally used to serve web page requests.

Attackers have apparently been exploiting a common defence mechanism where firewalls block the first part of a fragmented large UDP packet, but let other bits of it pass through.

UDP is commonly used where speed, rather than data quality, is of the essence, as it does not make a connection like the TCP protocol. Instead it merely hands off data packets which are reassembled at the receiving end.

The alert advises system administrators to inspect their firewall logs for the presence of fragmented UDP packets.

"Inbound packets of this type indicate that a denial of service to the network in question may be underway. Outbound packets of this type indicate that there is a high likelihood that systems on the network in question are compromised and that DDoS tools are installed," it said. "Attempting to block this traffic at the IP-only level [as opposed to protocol-specific level like UDP] may have improved effectiveness."

An NIPC devised tool to check a system for DDoS devices is available for download along with more information here.