Distributed denial of service (DDoS) attacks of the kind that crippled networks in Estonia two years ago are hard to defend against because they typically involve thousands of compromised computers knocking a Web site or server offline by simultaneously sending it torrents of useless traffic.
A new online service launched last week by grid computing vendor Parabon Computation aims to help companies better prepare for such attacks by giving them a way to simulate a full-fledged DDoS attack on their networks.
Parabon operates one of the largest commercial computational grids in the country. Its new Blitz Distributed Testing Service makes use of the thousands of computers on its online computing grid to generate DDoS attacks on demand against specified targets.
The service allows companies to test their networks against DDoS attacks at scales comparable to a full-on cyberattack, according to Steve Armentrout, president and CEO of Parabon. Currently, the company can harness anywhere between 5,000 and 10,000 computers on its grid to generate targeted network traffic against a site or server, Armentrout said.
That number is still far fewer than the tens of thousands of compromised computers that are sometimes used to launch a DDoS attack against a target.
Even so, the service is a considerable improvement over current DDoS testing approaches, in which a single standalone high-performance computer might be used to generate high-rate traffic against a network to test its ability to withstand such loads.
Such network load and performance tests “do not get to the true nature of a massive distributed denial of service attack,” which can come from anywhere, Armentrout said.
The Parabon Blitz service got its first public airing at the Department of Defense's Defense Information Systems Agency (DISA) Customer Partnership Conference in Anaheim last week. DISA provides information technology and communications support for the entire Department of Defense.
Steven Hutchison, a test and evaluation executive at DISA, said Parabon's Blitz service is “remarkable” in that it allows for a very realistic simulation of a DDoS attack.
“It allows you to put many different assets to hit a [target] application at one time. So your entry points are from all over as opposed to network load testing,” involving a single source of traffic, Hutchison said.
Such a service can be very useful for “red-teaming” exercises in which Department of Defense networks are tested for weakness in “operationally realistic” conflict situations, he said.
DDoS attacks are often considered one of the biggest problems on the Internet because they are very difficult to stop. They can last for weeks and are sometimes used by extortionists as a way to extract money from targets.
The attacks in Estonia degraded network service for nearly two weeks, and there have been numerous similar attacks on commercial and government targets in the U.S. over the past few years.
Over the years, companies have resorted to a variety of methods to mitigate the effects of a DDoS attack. The most common approach has been to set aside extra network bandwidth and server processing capacity to withstand sudden surges in traffic.
Another has been to distribute Web servers geographically so that services can be moved quickly away from an affected site if needed.