Fighting DDoS with Virtualization

Virtualization is a technology well proven in the computing world. A brief definition of virtualization would be the creating of a software or hardware environment  separate from but a part of the native operating or hardware platform. An example of virtualization is a Windows system running a virtual Nintendo machine, allowing for the loading and running of Nintendo system programs.
One of the best known and most powerful virtualization systems is the XEN project. The XEN project proclaims a virtualization system that can run 4095 CPUs with 5TB of ram. This system can combine these resources to create the assets one virtualization instance or of several separate and different instances while using only 150,000 lines of code.

Fighting DDoS attacks using virtualization technology is a logical step given the attacks launched at present . DDoS attacks utilize a virtualization technique known as masking. The attacker can mask the IP addresses of the BOT network it incorporates into the attacks. By passing packets through proxies the attacker can infiltrate and in just seconds take down a site without giving away the actual IPs used to mount the attack. This is a virtual internet connection.

Attackers use a number of methods to take down a site including to target DNS servers, application servers, and website attacks. Because an attacker can setup the communication's link to ignore return traffic the 'push' does not need to have a viable IP and the concern for large packet return is negated. This virtual IP can route through several paths and actually change a number of times depending on the sophistication of the attack. Actually, a DDoS attack does not need to be very sophisticated to take down its target, just a large enough BOT net.

The ways to defend a site from such attacks include the same IP masking technique. The problem comes in when the IP configuration is mapped and the attack starts upstream from the intended target. An attacker only needs seconds while a defense might require several minutes to respond. Because the attacker can  map IPs upstream, a good defense will require a response upstream from the attacker.

What better way to prevent DDoS attacks then to map the IP's used by the zombies and filter those packets? A system that uses a virtual connection transport can offer connections to mappable IPs. A virtual system overlay can require the connection play nice or not at all. You can't run an Nintendo system program on a Windows system without running a virtual client.

This setup would require the connecting client be compatible with the host by being on the same operating and communication level. A simple reply packet sent back to the client will instruct the connecting client on how to communicate with the virtual host. If it drops the packet it will never connect. You could compare this to a virtual modem but essentially it creates a virtual connection over the existing IP.

The success of DDoS attacks depends on the filtering done on the client zombies. It is this filtering that we can take advantage of and exploit. If the BOT net cannot connect to the target then it can't flood it with requests.

by Jim Atkins 'thedosmann'

Memphis Web Programming

Share it now!