Service Protection

This chapter explains some of the risks associated with Internet hosting, and how to use the Traffic Manager to mitigate those risks to your services.

Classes of Risk

Denial of Service

A “Denial of Service” (DoS) attack is a deliberate attempt to prevent legitimate use of a service. It may flood a network link, disrupt connectivity between machines, or consume the resources that legitimate users and applications depend on, for example by exhausting the CPU, memory, bandwidth or storage of a server or cluster of servers.

DoS attacks exploit design weaknesses, flaws in the operating system, or services that have unbounded access to a resource such as CPU time, disk or memory. For example, an attacker may find a way to craft a request to a database-driven website that forces an extremely expensive SQL query to run. While that query runs, the database is effectively unavailable to everyone else, and because the request is cheap for the attacker to send and costly for the server to answer, a handful of repeated requests can keep the database busy for as long as the server keeps accepting them.
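The query-driven resource exhaustion described above, as an added example that is not part of this documentation or of the Traffic Manager product: a “related products” report in Python against an in-memory SQLite catalogue (the table, its contents and the request parameters are all constructed for the example). The first handler passes the request parameters straight to the database; the second bounds each resource the request could otherwise consume without limit: the search term, the page size, and the amount of work one statement may do before it is abandoned. The limits (MAX_PAGE_SIZE, QUERY_BUDGET_STEPS and so on) are assumed values chosen for the example, not settings from the product.

```python
import sqlite3

# Assumed service limits (not settings from the Traffic Manager).
MAX_PAGE_SIZE = 50            # largest page the application ever needs to render
MIN_PREFIX_LEN = 3            # shorter prefixes admit too much of the table
MAX_PREFIX_LEN = 32
QUERY_BUDGET_STEPS = 250_000  # SQLite VM instructions one request may consume
PROGRESS_EVERY = 1_000        # how often SQLite calls the budget check

# The "related products" report joins the catalogue with itself three times
# and sorts the result, so the database does work proportional to the cube
# of the number of rows the pattern admits before it can return a single row.
RELATED_SQL = """
SELECT a.name, b.name, c.name
FROM product a, product b, product c
WHERE a.name LIKE ? AND b.name LIKE ? AND c.name LIKE ?
ORDER BY a.name, b.name, c.name
LIMIT ?
"""


class QueryBudgetExceeded(Exception):
    """The request's statement was abandoned after exhausting its step budget."""


def build_db(rows=50):
    """Constructed sample catalogue: products named item-0 .. item-<rows-1>."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO product (name) VALUES (?)",
                     [(f"item-{i}",) for i in range(rows)])
    conn.commit()
    return conn


def related_vulnerable(conn, pattern, page_size):
    """Request parameters go straight into the query (bound, so there is no
    injection, but nothing is bounded): pattern '%' and a huge page size make
    the database build and sort every combination of rows."""
    cur = conn.execute(RELATED_SQL, (pattern, pattern, pattern, page_size))
    return cur.fetchall()


def related_hardened(conn, prefix, page_size):
    """Same report with every unbounded input bounded: the search term must be
    a plain prefix of bounded length, the page size is clamped, and the
    statement is interrupted once it has used its step budget."""
    if not MIN_PREFIX_LEN <= len(prefix) <= MAX_PREFIX_LEN or any(c in prefix for c in "%_"):
        raise ValueError("search prefix must be %d-%d characters with no wildcards"
                         % (MIN_PREFIX_LEN, MAX_PREFIX_LEN))
    page_size = max(1, min(int(page_size), MAX_PAGE_SIZE))
    pattern = prefix + "%"

    steps = 0

    def over_budget():
        # Called by SQLite every PROGRESS_EVERY VM instructions; a true return
        # value makes the running statement fail with "interrupted".
        nonlocal steps
        steps += PROGRESS_EVERY
        return steps > QUERY_BUDGET_STEPS

    conn.set_progress_handler(over_budget, PROGRESS_EVERY)
    try:
        cur = conn.execute(RELATED_SQL, (pattern, pattern, pattern, page_size))
        return cur.fetchall()
    except sqlite3.OperationalError as exc:
        if "interrupt" in str(exc).lower():
            raise QueryBudgetExceeded("query exceeded %d VM steps" % QUERY_BUDGET_STEPS) from exc
        raise
    finally:
        conn.set_progress_handler(None, PROGRESS_EVERY)


if __name__ == "__main__":
    db = build_db()
    print(len(related_vulnerable(db, "%", 10_000_000)), "rows built for one request")
    print(len(related_hardened(db, "item-1", 10_000_000)), "rows after clamping")
    try:
        related_hardened(db, "item-", 10)   # passes validation, still too expensive
    except QueryBudgetExceeded as exc:
        print("rejected:", exc)
```

The three bounds are deliberately layered: input validation alone does not help against a well-formed request that happens to be expensive (the prefix "item-" above), which is why the per-statement work budget is the check that finally protects the database. In a real deployment the same idea is usually a statement timeout or a per-request query cost limit enforced by the database server.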

DoS attacks delivered through exposed services such as websites are the most common class of risk. The Traffic Manager is designed to mitigate the effects of such attacks, or to prevent them altogether.

Web Worms and Viruses

Vulnerabilities in operating systems have given rise to many Internet “worms”: self-propagating programs that use such a vulnerability as their point of entry, install themselves on the compromised machine, and then use that machine to find and infect further machines. Worms affect desktop PCs as well as servers. This class of attack is increasingly common, and the compromised machines are often assembled for a planned “Distributed Denial of Service” (DDoS) attack in which each of them plays a part.

In addition to worms, desktop PC users are exposed to viruses, typically received by email or from malicious websites. These viruses may install services on the PC that an attacker can control remotely.

Distributed Denial of Service Attacks

Distributed Denial of Service (DDoS) attacks use large numbers of client machines, often “recruited” after being compromised by worms or viruses. An attacker controlling these clients remotely can focus their combined traffic on a single service provider or business, with far greater impact than a conventional DoS attack from one source. Mitigating a distributed attack is also far more challenging: the traffic arrives from many sources at once, and fully addressing it requires the cooperation of other ISPs (for example, outbound packet filtering that stops traffic with forged source addresses leaving their networks).

The Traffic Manager can protect against basic DDoS attacks as well as DoS attacks, provided the attack does not saturate the network link in front of it and the Traffic Manager has sufficient capacity to accept and examine the incoming connections. An attack that fills the link itself can only be absorbed or filtered upstream, which is why cooperation from ISPs matters.

Malformed HTTP Attacks

Even correctly firewall-protected Web servers must still present their public services on port 80 (and port 443 for HTTPS) to the Internet. Because HTTP is a client-initiated protocol, any client can send arbitrary data to these ports, and a packet-filtering firewall that permits the port passes that data through unchanged. The data can be crafted to overload the server, or malformed in a way that exploits bugs in the Web server’s request parsing; attacks of this kind have compromised Web servers and handed control of them to a remote attacker.
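As an added example, not code from this documentation or from the Traffic Manager, the following Python validator shows the kind of checks a front end can apply to the head of an HTTP/1.x request before it reaches the Web server: size limits, a strict request line, header names and values restricted to the characters the HTTP specification permits, and consistent message-length headers (a single numeric Content-Length, never combined with Transfer-Encoding, a combination used for request smuggling). The limits and the allowed-method list are assumptions chosen for the example, only origin-form request targets are accepted, and the sample requests are constructed, not captured traffic.

```python
import re

# Assumed limits; a real front end makes these configurable.
MAX_HEAD_BYTES = 16 * 1024      # request line plus headers
MAX_LINE_BYTES = 8 * 1024       # any single line
MAX_HEADERS = 100
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
HTTP_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")      # RFC 7230 tchar
FIELD_VALUE = re.compile(rb"[\t \x21-\x7e\x80-\xff]*\Z")    # no control characters
TARGET = re.compile(rb"(?:\*|/[\x21-\x7e]*)\Z")             # origin-form, no whitespace


class MalformedRequest(ValueError):
    """Raised for any request head a strict front end should refuse."""


def validate_request_head(raw: bytes):
    """Validate the head of an HTTP/1.x request and return
    (method, target, version, headers), where headers maps lower-cased names
    to the list of values seen. Raises MalformedRequest for anything else."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise MalformedRequest("head too large" if len(raw) > MAX_HEAD_BYTES
                               else "head not terminated")
    if end + 4 > MAX_HEAD_BYTES:
        raise MalformedRequest("head too large")
    head = raw[:end]
    if b"\x00" in head:
        raise MalformedRequest("NUL byte in head")
    stripped = head.replace(b"\r\n", b"")
    if b"\r" in stripped or b"\n" in stripped:
        raise MalformedRequest("bare CR or LF in head")   # parsers disagree on these
    lines = head.split(b"\r\n")
    if any(len(line) > MAX_LINE_BYTES for line in lines):
        raise MalformedRequest("line too long")
    if len(lines) - 1 > MAX_HEADERS:
        raise MalformedRequest("too many headers")

    # Request line: exactly three fields separated by single spaces.
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise MalformedRequest("bad request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        raise MalformedRequest("method not allowed")
    if not TARGET.match(target):
        raise MalformedRequest("bad request target")
    if version not in HTTP_VERSIONS:
        raise MalformedRequest("bad HTTP version")

    headers = {}
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise MalformedRequest("obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):   # also rejects "Name :" (space before colon)
            raise MalformedRequest("bad header name")
        value = value.strip(b" \t")
        if not FIELD_VALUE.match(value):
            raise MalformedRequest("control character in header value")
        headers.setdefault(name.lower().decode("ascii"), []).append(value.decode("latin-1"))

    # Message length: one numeric Content-Length, never alongside Transfer-Encoding.
    cl = headers.get("content-length", [])
    if cl and (len(set(cl)) != 1 or not cl[0].isdigit()):
        raise MalformedRequest("invalid or conflicting Content-Length")
    if cl and "transfer-encoding" in headers:
        raise MalformedRequest("Content-Length with Transfer-Encoding")
    if version == b"HTTP/1.1" and len(headers.get("host", [])) != 1:
        raise MalformedRequest("HTTP/1.1 request needs exactly one Host header")
    return method.decode("ascii"), target.decode("ascii"), version.decode("ascii"), headers


def classify(raw: bytes):
    """Return None for an acceptable head, otherwise the reason it was refused."""
    try:
        validate_request_head(raw)
        return None
    except MalformedRequest as exc:
        return str(exc)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "valid": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n",
    "huge header": b"GET / HTTP/1.1\r\nHost: a\r\nX-Pad: " + b"A" * 9000 + b"\r\n\r\n",
    "bad content-length": b"POST /upload HTTP/1.1\r\nHost: a\r\nContent-Length: 12abc\r\n\r\n",
    "smuggling": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "space before colon": b"GET / HTTP/1.1\r\nHost: a\r\nX-Hdr : v\r\n\r\n",
    "bare LF": b"GET / HTTP/1.1\nHost: a\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:20s} -> {classify(raw) or 'accepted'}")
```

A validator like this sits in front of the Web server’s own parser, so a request that two parsers might interpret differently (a bare LF, whitespace before the colon, conflicting length headers) is refused rather than forwarded. That disagreement between parsers is exactly what request smuggling and many parser exploits depend on, which is why the checks are strict rather than lenient.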

Firewalls and Other Security Measures

Note that the Traffic Manager is not a firewall; it is intended to be used in conjunction with a dedicated firewall. See System Security for a full discussion of secure operation.