2.6 How Vulnerable Are You to DDoS?
If you accept that DDoS attacks are a real threat to some Internet sites, the next question likely to come to mind is: How vulnerable is my site? The simple answer is that if your site is connected to the Internet, you are a potential target of a DDoS attack. A DDoS attack can target any IP address and, if the attack is strong enough, it is likely to be successful. Large and small businesses, ISPs, government organizations that rely on networking, and even private individuals are among those who may be damaged by a DDoS attack. The more use you have for the Internet in your enterprise, the greater the damage you will suffer if a DDoS attack takes it offline for an extended period.
Even if your machine sits behind a NAT box,  a firewall, or some other form of protection that prevents arbitrary traffic from being directly routed to it, you may still be vulnerable to the more sophisticated DDoS attacks. A sophisticated attacker can replay or spoof traffic that should go to your node or indirectly subject you to denial of service by overloading the NAT box, firewall, router, or network link.
Further, as we previously discussed, careful system and network administration will not necessarily save you from an attack. While some fixes will prevent vulnerability attacks, your site will still be susceptible to large flooding attacks.
Heavy provisioning, in the form of ample server and network capacity, can protect you from many flooding DDoS attacks, but cannot guarantee your immunity. Any realistic amount of capacity you provide can be overcome if an attacker recruits enough machines to press his attack against you. Reflect on how heavily you would have to provision yourself to withstand a DDoS attack by the million-plus Phatbot network reported earlier.
Nonetheless, there are things you can do to decrease your vulnerability to DDoS attacks and make you a less attractive target. Heavy provisioning helps, since it rules out casual attacks by hackers who have only one or two dozen agent machines at their disposal. Closing vulnerabilities also helps, since it fends off vulnerability attacks. If keeping a low profile on the network is an option for your organization, doing so requires the attacker to find some obscure information before he can launch his attack. There are practical steps to take to strengthen your network and also efficient attack responses that alleviate the DoS effect. We will discuss these in more detail in Chapter 6. Chapter 7 looks at research approaches that may lead to new DDoS defense tools in the future. A number of commercial products have successfully defended against many forms of DDoS attack; we will discuss some of them in Appendix B.
Generally, the evidence suggests that practically all DDoS attacks that occur are not nearly as bad as catastrophic worst-case-scenario thinking suggests they could be. Even some of the high-profile attacks on major Internet sites were not that difficult to handle once the defenders were aware of the nature of the attack and had a little time to respond to it. If you depend on continual Internet availability of your resources, you are almost certainly in danger from DDoS attacks; but with a little knowledge, forethought, and vigilance you can prevent DDoS attacks on your site from becoming disasters.
Even if you are not particularly dismayed by the prospect of being a DDoS victim, another element of DDoS attacks might cause you trouble. To perpetrate a strong DDoS attack, the attacker typically compromises a large number of machines. If your machine is among them, at best you are unwillingly sharing your resources with a criminal who definitely doesn't have your best interests at heart. At worst, you may find yourself partially liable for some of the damages done by his attack, or your vital data may be stolen or damaged by the attacker who has taken over your machine. The value attackers obtain by performing DDoS attacks on others has made such criminals more motivated to compromise ever larger armies of agent machines, meaning that your machine has become more likely to be taken over by an outside party.