May 6th, 2015

The internet is a strange and wonderful place. You can find unicorns and videos of grumpy cats. Unfortunately, there are also bad guys on the internet. Today, we would like to talk about a specific type of event on the internet and one way to respond to it.

There is a type of disruptive event called a denial of service (DoS) attack. (Some of you may also be aware of the term DDoS, a Distributed Denial of Service attack. This is a DoS attack that comes from many directions; the end result is the same.) From a network point of view, this means that an organisation begins to receive such large volumes of traffic that individual hosts (e.g., your web server), network segments (e.g., the finance building) or even an entire campus are swamped by the flow of bits. You can compare this with a DoS on your phone: imagine if hundreds of people began dialling your number constantly for the next 5 hours. You would not be able to receive expected phone calls and your voicemail system would probably fill up.

Is something happening RIGHT NOW?

If you find that you are the victim of a DoS attack, REANNZ suggests that you do a few things.

1) First, please get in contact with your IT Director. They should be in a position to collect all the useful and important information. At minimum, you will want to know:

– what is your phone number
– which hosts are targeted
– do you know from where the attacks are sourced
– what is the phone number of your NOC/IT office

2) If you are unable to respond to the DoS, you should contact your internet providers. REANNZ is one of them; you may have more than one. Please share as much information with us as you can.

3) Lastly, let us know if you have information about potential attacks in advance. Even small bits of information could help us get you back online.

What can you do to prepare?

If nothing is happening at the moment, you can do a handful of things that will help you to prepare for an unfortunate event such as this.

a) Send the REANNZ NOC a list of phone numbers for “trusted contacts” that we can call in case we need to confirm information. Each contact should be someone senior enough to authorise that machines be taken off the internet.

b) Make sure that your engineers have a way to contact REANNZ that is not over the internet. One of the unfortunate consequences of living a fully connected life is that many of our communication channels run over the internet. If someone makes the network unresponsive, we need to ensure that other communication channels are available.

What is REANNZ doing to help?

REANNZ has the ability to prevent traffic from reaching hosts. The technical details are not as important as knowing that we call it “black hole routing” or “black holing traffic”. This is a very effective way to prevent traffic from reaching hosts. It is so effective that no traffic, neither the bad traffic nor the desired traffic, can make it to the host. This might seem to be harsh medicine, but it does prevent an attack on a single host machine from taking down an entire organisation’s network.

Additionally, REANNZ is looking into tools that can protect our members from this type of attack. There are a variety of open source and commercial tools that provide varying levels of protection. These tools balance cost, effectiveness and manageability to provide users with different types of protection. These tools could be implemented relatively quickly if the membership as a whole came together to request it.

If you are interested in tools to help protect your campus, please get in touch. While we hope not to need these tools, preparation remains critically important.

Don’t give in to bullies

Also, something that should go without saying: don’t give in to bullies. There is capability and expertise in the community to deal with issues like this. Please let us know about these situations as they arise, which will give us time to prepare and do our best to protect your network from our end.