There would have been rioting in the street. I cannot emphasize that enough -- rioting. The 1992 LA Riots included business owners standing on rooftops with shotguns… This crowd would have made the LA Riots look like a pleasant tea party.

In the days leading up to the World Cup, the content provider that was rebroadcasting games on the Internet in South Korea had racks and racks of idle servers. Why idle? Because they were undergoing one of the most intense DNS DDoS attacks they had ever seen. With a clever set of queries the DNS servers had gone into a tailspin and valid queries weren’t making it through. It didn’t matter that the servers were idle: users couldn’t find them on the Internet because DNS wouldn’t resolve.

Since no national state of emergency was called, you can guess that the problem was eventually addressed. My crew was called in with a couple of NetScalers, which could bat off the DNS queries while keeping CPU below 20%. Happiness rained down from the sky and the servers lit up with live streaming of the games. Riots turned into glee and there was, quite literally, dancing in the streets when Korea beat Greece 2:0.

The real story, however, has nothing to do with football. It’s the attack itself -- this wasn’t a dumb packet flood à la the SYN flood of yesteryear; this was an application-layer attack, which changes the dynamics altogether. Where packet attacks make netops bring out the firewalls, fully valid application requests are a whole new ballgame in which we need to rethink the way we approach network and application security -- fail to do so and it’ll only take a moderate attack to bring down a large site.

There is no cure-all for this. The closest thing we have is leveraging the network infrastructure to manage traffic surges, much as AC power strips have surge protectors. In addition to basic DDoS protections for the usual suspects (packet floods, DNS floods, TCP connection floods, etc.) and application firewalls to protect against the more insidious SQL injection, CSRF, XPath attacks, etc., surge protection can keep servers from spiraling out of control by limiting the number of outstanding requests arriving at a server and queueing the ingress traffic at the edge. Servers stay up and responding with the greatest throughput, and attackers tend to get bored and move on.
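To make the "spiraling out of control" point concrete, here is a small discrete-time model of edge surge protection, added as an example for this post (it is not NetScaler code or anything from the original article); the server latency curve, the knee of 50 concurrent requests and the 80-requests-per-tick flood are constructed assumptions.

```python
"""Model of the edge surge protection described above: cap the requests
outstanding at a server and queue the excess at the edge.
Added example, not Citrix or NetScaler code; the server latency model and
the traffic numbers are constructed assumptions."""

KNEE = 50  # assumed concurrency at which the modelled server starts to thrash


def service_ticks(in_flight: float) -> float:
    """Assumed server model: service time is 1 tick up to KNEE concurrent
    requests, then grows quadratically as the server thrashes. Throughput
    (in_flight / service_ticks) peaks just above KNEE and then collapses,
    which is the feedback loop surge protection is meant to break."""
    if in_flight <= KNEE:
        return 1.0
    return 1.0 + ((in_flight - KNEE) / KNEE) ** 2


def simulate(arrivals_per_tick: int, ticks: int,
             max_outstanding: float = float("inf")) -> dict:
    """Each tick, arrivals reach the edge. The edge forwards requests only
    while the server has fewer than `max_outstanding` in flight; the rest
    wait in the edge queue. With the default (no cap) everything is
    forwarded to the server at once."""
    queued = 0          # requests parked at the edge
    in_flight = 0.0     # requests currently on the server
    completed = 0.0
    for _ in range(ticks):
        queued += arrivals_per_tick
        forward = min(queued, max(0.0, max_outstanding - in_flight))
        queued -= forward
        in_flight += forward
        done = in_flight / service_ticks(in_flight)   # served this tick
        in_flight -= done
        completed += done
    return {"completed": completed, "in_flight": in_flight, "queued": queued}


def compare(arrivals_per_tick: int = 80, ticks: int = 100) -> dict:
    """Sustain a flood above the server's peak capacity with and without
    the edge cap and report what each configuration actually served."""
    return {
        "unprotected": simulate(arrivals_per_tick, ticks),
        "surge_protected": simulate(arrivals_per_tick, ticks, max_outstanding=KNEE),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:16s} served={r['completed']:8.1f} "
              f"on_server={r['in_flight']:8.1f} queued_at_edge={r['queued']:.0f}")
```

With the cap the server serves 50 requests every tick for the whole run while the backlog sits harmlessly at the edge; without it the backlog lands on the server, service time balloons and total throughput collapses to a small fraction of that.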

Thankfully there is magic to do this today -- the magic has been there for years. Heckle your sales engineer for the details if you want to know. Tell him Steve sent you.

We’ve watched security evolve over the years and have understood the threat of application-level flood attacks for years. Some of the biggest attacks were application flood attacks -- but they’ve lost their luster in community discussion while slowly moving from concept to reality. Which raises the question… is this really growing, or am I just seeing a few spot attacks as a fluke? Tell me what you think.

In the meantime, keep an eye out for this. As the authors of Complete Web Monitoring like to write, “#measure”. If you do, post about it and drop me a note and we’ll get a link up here on the Citrix Community pages. Real data rocks.