Can Your Network Handle the Next DoS Attack?
Recently, a distributed denial of service (DDoS) attack caused by Internet of Things (IoT) devices brought the Internet to its knees over a large area of the United States. The use of default passwords on these devices made it easy to spread a virus that overloaded networks.
IoT Devices in Your Organization
How many employees do you have at your organization? 100? 500? More? How many employees have a smartphone with its Wi-Fi connected to the company Internet? How many have fitness devices, personal laptops, or tablets? If yours is a high-tech company, odds are some of your employees have brought their latest “toys” to work: connected night lights, voice-controlled speakers, smart watches, web cameras, even a smart herb garden. With most of these devices, the user has no control over credentials or connection information—it’s built into the firmware. Each of these devices keeps constant contact with your network—it’s no wonder IT teams are concerned.
Flooding and Denial of Service
In a typical network connection, a computer "asks" a server to authenticate it, the server returns the authentication approval to the computer, the computer acknowledges this approval, and then the computer is allowed to connect to the server.
In a denial of service (DoS) attack, a computer sends multiple authentication requests to the server. All requests have false return addresses, so the server can't find the computer when it tries to send the authentication approval. When the server closes the connection, the DoS attacker sends a new batch of forged requests, and the process begins again, causing the server to be unavailable for legitimate connections.
A common method of blocking a DoS attack is to set up a filter on the network that looks for attacks by noticing patterns or identifiers contained in the information. If a pattern comes in frequently, the filter can be instructed to block messages containing that pattern, protecting the server from being overloaded by malicious attacks.
Banning Suspicious IP Addresses from Connecting
With a managed file transfer (MFT) platform that offers auditing and reporting, you gain visibility into your network and can understand what is going on. By understanding how data moves around in your organization, you can identify possible issues with your file transfer processes and make your business more efficient. However, given the speed at which DoS attacks occur, visibility alone only helps with forensic discovery after detection. If you can ban a disruptive IP address before it becomes an issue, the bad actors will have a harder time taking down your network.
Globalscape Enhanced File Transfer™ (EFT™) is an advanced MFT platform designed to give you unparalleled visibility across every aspect of managed file transfer, with a real-time status viewer and a reporting module that combines granular detail with remarkable ease of use. EFT also has a built-in anti-flooding and auto-ban system intended to prevent DoS attacks by identifying possible flooding based on user-activity density (occurrences per second).
By default, all IP addresses are granted access to EFT. EFT allows you to grant or deny access to only one specific IP address or a range of IP addresses.
To protect against DoS attacks, EFT can:
- Disconnect and ban the IP addresses of computers that send an excessive number of invalid commands
- Ban IP addresses, permanently or temporarily, that may potentially be associated with a DoS attack
- Monitor connection patterns, track each computer's activity density, and then ban IP addresses with unnaturally dense activity
- Ban an IP address when a specified number of invalid login attempts with a non-existent username occur within a specified period
Why Only Temporarily Ban an IP Address?
The reason for a temporary ban is that attack identification is not foolproof, and there is always a chance of a mistake. If EFT is allowed to decide which IP address to ban, we risk banning some users by mistake, and it may not be appropriate to ban such a user permanently.
If you choose to ban IP addresses temporarily, the IP address's access to EFT is restricted for a minute or two, based on the EFT security setting you specify. Temporarily banning users means that if EFT identifies an ordinary but very active user as a threat, the user will soon be able to reconnect. When you ban IP addresses temporarily, the level of security you set for EFT indicates both the number of seconds the user can attempt to occupy all of EFT's resources before being banned and the number of seconds the user is banned. The higher the security setting, the less time before the user is banned and the longer the user remains banned.
If you elect to permanently ban the IP addresses of users whose activity fits the pattern of an attack, those users are immediately banned when they exceed the number of connections allowed for the security level. If EFT has banned a user to whom you want to allow access, the administrator can delete the address from the IP address ban list.
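The activity-density auto-ban described above, together with the temporary-versus-permanent ban trade-off, the administrator's ability to remove an address from the ban list, and the rule that bans an address after repeated logins with a non-existent username, as an added Python example. This is not Globalscape's code and does not use EFT's real settings: the security levels, the window and ban durations, the known-user list and the sample log lines are all constructed assumptions. It is the same idea as the pattern filter mentioned earlier in the post, with the source IP address as the pattern whose frequency is counted.

```python
from collections import defaultdict, deque

# Hypothetical security levels (constructed, not EFT's actual settings):
# (max commands per window, window seconds, temporary-ban seconds).
# A higher level tolerates fewer commands before a ban and bans for longer.
SECURITY_LEVELS = {
    "low": (30, 10.0, 60.0),
    "medium": (15, 10.0, 120.0),
    "high": (5, 10.0, 300.0),
}


class FloodGuard:
    """Per-IP activity-density tracker with temporary or permanent bans."""

    def __init__(self, level="medium", permanent=False,
                 invalid_login_limit=3, known_users=("alice", "bob")):
        self.max_events, self.window, self.ban_seconds = SECURITY_LEVELS[level]
        self.permanent = permanent
        self.invalid_login_limit = invalid_login_limit
        self.known_users = set(known_users)       # constructed user list
        self._events = defaultdict(deque)         # ip -> timestamps of recent commands
        self._bad_logins = defaultdict(deque)     # ip -> timestamps of unknown-user logins
        self._bans = {}                           # ip -> expiry timestamp, or None if permanent

    def _prune(self, dq, now):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def is_banned(self, ip, now):
        if ip not in self._bans:
            return False
        expiry = self._bans[ip]
        if expiry is None or now < expiry:
            return True
        del self._bans[ip]   # temporary ban has lapsed; the client may reconnect
        return False

    def _ban(self, ip, now):
        self._bans[ip] = None if self.permanent else now + self.ban_seconds
        self._events.pop(ip, None)
        self._bad_logins.pop(ip, None)

    def unban(self, ip):
        """Administrator removes an address from the ban list (e.g. a false positive)."""
        self._bans.pop(ip, None)

    def observe(self, ip, now, command, username=None):
        """Record one command; return 'allow', 'banned' (already banned) or 'ban' (new ban)."""
        if self.is_banned(ip, now):
            return "banned"
        ev = self._events[ip]
        self._prune(ev, now)
        ev.append(now)
        if len(ev) > self.max_events:             # activity too dense for this level
            self._ban(ip, now)
            return "ban"
        if command == "LOGIN" and username not in self.known_users:
            bad = self._bad_logins[ip]
            self._prune(bad, now)
            bad.append(now)
            if len(bad) >= self.invalid_login_limit:
                self._ban(ip, now)
                return "ban"
        return "allow"


def replay(lines, level="medium", permanent=False):
    """Feed constructed log lines ('<seconds> <ip> <command> [user]') through the guard."""
    guard = FloodGuard(level=level, permanent=permanent)
    decisions = []
    for line in lines:
        parts = line.split()
        ts, ip, cmd = float(parts[0]), parts[1], parts[2]
        user = parts[3] if len(parts) > 3 else None
        decisions.append((ts, ip, guard.observe(ip, ts, cmd, user)))
    return guard, decisions


# Constructed sample activity: a busy but legitimate user (1 command/s), a client
# guessing usernames, and a flooding client sending 10 commands/s, which returns
# later once its temporary ban has lapsed.
SAMPLE_LOG = (
    [f"{t:.1f} 10.0.0.5 LIST" for t in range(0, 10)]
    + ["1.0 10.0.0.9 LOGIN root", "1.5 10.0.0.9 LOGIN admin", "2.0 10.0.0.9 LOGIN test"]
    + [f"{3 + i * 0.1:.1f} 198.51.100.7 NOOP" for i in range(20)]
    + ["400.0 198.51.100.7 LIST"]
)

if __name__ == "__main__":
    guard, decisions = replay(SAMPLE_LOG, level="medium")
    for ts, ip, verdict in decisions:
        if verdict != "allow":
            print(f"t={ts:6.1f} {ip:15} {verdict}")
```

At the "medium" level the one-command-per-second user is never touched, the username-guessing client is banned on its third unknown-user login, and the flooder is banned on its sixteenth command and admitted again at t=400 because the 120-second ban has lapsed. Running the same log at the "high" level bans the legitimate user on its sixth command, which is exactly the false positive that makes a temporary ban the safer default; with `permanent=True` the flooder stays banned until an administrator calls `unban`.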
What does this have to do with IoT?
As we mentioned earlier, a DoS attack caused by IoT devices brought down networks over a large area of the United States. If you have a policy that allows IoT devices to be used in your organization, you need to know who and what are connecting to your network and what they’re doing while they’re connected. An MFT platform like Globalscape EFT can not only provide that visibility, but also prevent those IoT devices from being used to bring down your network by banning suspicious IP addresses.
Let Globalscape’s EFT platform provide that safety net for your network.
Contact us to get more information or request a free trial.