2012.02.06 - Load Balancers, the First Line of Defense Against Denial-of-Service Attacks
Designed for load balancing and high availability, application load balancers have many other advantages. When properly used, some of these features can provide increased security, especially against denial-of-service attacks.
Denial-of-service attacks are popular once again
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks, which attempt to saturate a resource so that a website or service is unavailable, have unfortunately returned front and center. The latest example is the attacks by Anonymous, which successfully brought down the FBI’s and Elysée’s websites after Megaupload.com was shut down. An eye for an eye…
While DoS attacks for ideological or political reasons receive lots of press, DoS attacks can have other goals, including blackmail, undermining a company’s value, running a scam, distracting the security team while data is stolen through security flaws, or redirecting visitors by making it appear that the resource is down (phishing).
The following is an overview of the main techniques used and the role that an application load balancer can play in protecting against these attacks.
Traffic absorption versus saturation of the application servers’ connections
From Java to Apache, Websphere and .Net, all application servers have one thing in common: a limited number of concurrent connections. As a result, it is relatively easy for hackers to bring servers down, even using only limited resources. Slowloris, a piece of software written in 2009, specializes in this type of attack. It opens and tries to keep open multiple connections to saturate the server and prevent it from opening new connections.
This can be countered with server timeouts that close a connection once it has been inactive for too long. This technique is effective, but only to some extent: a connection saturation attack can send bits of a request at regular intervals, making the server think that the connection is still active, in which case the server keeps the connection open…
An application load balancer, positioned upstream of the application servers, can support a much higher number of concurrent connections than the servers and be a buffer before them. Additionally, using its request filtering features, it can find “fake” activities, reject incomplete requests and/or only allow through traffic related to critical applications.
Request filtering versus saturation of server resources
Another technique used for DoS attacks is sending highly resource-intensive requests to saturate servers. Examples include searching an entire website for a common keyword. A simple script can be used to automate these types of requests.
Using its protocol analysis and content switching features, the load balancer can direct flows to various servers based on type and requested content. These features can be configured to queue the most time-consuming and least critical requests, or to reject improperly formed HTTP requests or requests that refer to elements that do not exist.
By stepping in between attackers and the servers, the load balancer can block undesirable requests while maintaining traffic to critical applications.
The resources and time to react
Load balancers also save time thanks to their ability to add servers on the fly. When an attack is launched, IT teams can quickly increase the architecture’s overall capacity, even if old servers have to be reintegrated. The load balancer can also simulate a successful attack by sending the attacker a server error message.
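The three defenses above (absorbing and timing out incomplete connections, switching and queueing expensive requests, and answering unwanted requests with a server error) can be expressed in a single HAProxy configuration. The fragment below is an added illustration, not configuration from the original article; it assumes HAProxy 1.8 or later, and the addresses, paths and limits are placeholders chosen for the example.

```haproxy
# Added example (not from the original article): HAProxy 1.8+ layout showing the
# defenses described above. Hosts, ports, paths and limits are assumptions.
global
    maxconn 50000               # the proxy absorbs far more connections than the servers

defaults
    mode http
    option http-buffer-request  # wait for the complete request before choosing a server
    timeout http-request 10s    # incomplete (Slowloris-style) requests are dropped here
    timeout client 30s
    timeout server 30s
    timeout queue 5s            # queued requests are refused rather than waiting forever

frontend www
    bind *:80
    # Only paths that exist on the site are forwarded; anything else is answered
    # by the proxy with a server error and never reaches an application server.
    acl known_path path_beg /static/ /app/ /search
    http-request deny deny_status 503 if !known_path

    # Content switching: resource-intensive searches go to a separate, throttled pool.
    acl is_search path_beg /search
    use_backend search_pool if is_search
    default_backend app_pool

backend app_pool
    balance roundrobin
    # Per-server maxconn keeps each application server under its own connection
    # limit; surplus requests queue in the proxy instead of saturating the server.
    server app1 10.0.0.11:8080 maxconn 200 check
    server app2 10.0.0.12:8080 maxconn 200 check

backend search_pool
    balance roundrobin
    # A small pool with a low maxconn: a flood of searches queues here and expires
    # (timeout queue) instead of exhausting the main application servers.
    server search1 10.0.0.21:8080 maxconn 20 check
```

HAProxy rejects malformed HTTP requests with a 400 by default, so no extra rule is needed for that case; the `known_path` list must be kept in step with the site's real URL layout or legitimate requests will be refused.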
A load balancer cannot by itself, however, stop an attack aiming to completely saturate the network. These attacks are still rare because they require a device or significant financial resources to operate a large number of machines. Only an architecture spread over several sites and/or the use of continuity of service solutions offered by the access provider or a specialized third party can protect against this kind of attack.
In conclusion, while a load balancer’s features can help protect against DoS attacks, only human effort can maintain this efficiency over time, by monitoring the tool’s logs in order to refine configurations and filter settings as threats evolve.
By Baptiste Assmann, Product Manager, HAProxy