Some time ago we looked at how to cope with a Denial of Service attack in terms of how you could help protect yourself. But what can you expect your service provider to do on your behalf to proactively monitor for attacks and help trace the perpetrators if you do get hit?

Most of the time, users and service providers only find out about DoS attacks when something goes wrong and your network gets flooded. The priority then is to stop those attacking floods, and, hopefully, find out who is causing them. Rate limiting and filtering out ICMP and certain UDP packets can help, but if you’ve got a serious attack going on, your provider can (although whether they do or not is a different matter) take extra steps to help.

Your ISP, quite rightly, isn’t going to want to start reconfiguring an aggregation router that’s handling the traffic of other customers, but what he can do is direct your attacking traffic away to someplace where it can be investigated, or just dumped if things get too bad. This is where the sinkhole router comes into play. For Unix aficionados, think of it as like a honey pot; it attracts all the nastiness to someplace where it can’t do much harm.

But there won’t be time for your provider to start thinking about installing a new router into their network when you have an attack, so the idea behind the sinkhole is that it is a permanent fixture, and the only change needed when an attack happens is for it to start advertising itself as the IP address of the host (or subnet) under attack. Once routing tables have updated themselves in the ISP core, all the traffic trying to hit your site is instead routed to the sinkhole router. At that point it can be just dropped, in which case the router’s actually just acting as a black hole, or it can be passed out on to an isolated network for analysis.

It’s even possible that a data scrubber can identify and scrap the attacking traffic, and forward the valid data back on to your network, so you don’t lose service altogether (Riverhead Guard, from Riverhead Networks , which has just been bought by Cisco, being an example). One sinkhole router can act for multiple customers, so it’s not something they need to install just for you.

Tracing attackers
It may also be possible to work out where attacks are coming from, although this will take effort on the ISP’s part, and probably cooperation between providers. Tracing traffic on a hop by hop takes too long since many DoS attacks are short-lived: however there is a clever way using a technique called backscatter that may work:

• The sinkhole router tells the ISP network that the next hop address for the destination under attack is an unused, test IP address.
• All ISP edge routers are configured to drop anything going to that test address.
• These routers will send an ICMP error message to the source of the packet that was dropped. In most cases this will be a range of addresses used by the attacker.
• If the sinkhole is advertising itself as the source of this range, it will get these ICMP messages.
• By seeing which edge routers these messages are coming from, the provider can tell the ingress point to his network of the attack.

It’s a bit more complex than that, but that’s the idea. And the only change the provider usually needs to do is on the sinkhole to set up the attacked address. This may have to be repeated by different providers, and may initially lead to intermediate hosts that have been hijacked by the attacker for a Distributed DoS attack, but it’s a start.

Proactive monitoring
The sinkhole has another function though, in identifying attacks proactively, and picking up things that shouldn’t be happening. In addition to advertising itself as having the route to an address under attack, a sinkhole can be permanently configured to advertise itself as the default for all sorts of junk traffic and send it to, say an IPS. This way it can pick up network scans, traffic that can’t be delivered because of customer network flaps, and backscatter from customer systems that might indicate that they’re under attack, but haven’t yet been hit hard enough to notice. If the provider analyses this traffic, not only will they be able to identify traffic that shouldn’t be on their network, and maybe tidy things up a bit, but could also be able to notify customers they’re being hit and need to tighten up their own security.

The question is, which providers have these sort of facilities on their networks, know how to use them, and can respond quickly enough if you do contact them with an issue. While they may not want to tell you exactly how their network is configured, you should be able to find out what they can offer and what processes they have in place - before you experience a problem.