Syspeace and DDoS attacks
We had a discussion the other day about Syspeace and if it would help in a DDoS attack.
Essentially a DDoS attack is about overloading a server with massive traffic thus making it unreachable for the services the way it is supposed to be.
This can be accomplished in numerous ways.
If for instance 10 000 computers in a botnet are targeted at downloading a specific image or file from a public website without a login, Syspeace would not be the tool for you. Not at the moment anyway. Syspeace is designed to monitor failed login attempts and handle them by custom rules to protect your Windows servers by completely blocking the attacking address in the local firewall. This will protect your server on all ports soo if you other services running on it, they would also be blocked for the attacker.
DOS/DDoS by using Brute force / dictionary attacks and how Syspeace would react
The two different methods in the brute force/dictioanry attack department would be the following.
Single login attempt method
If the same 10 000 copmuters try to login to your server (an Exchange weblogin, RDS/ Terminal Server, Sharepoint, Citrix and so on ) with a brute force / dictionary attack the server would stop responding due to the overload on CPU/RAM and the network would also be filled.
If each and one of these 10 000 computers only tries once to login , Syspeace wouldn’t react since that would esseantially mean that all logins (or IP addresses essentialy) would be blocked at the first thus disabling anyone to login.
If you’re a hosting provider or outsouring provider and you have a number of customers at static IP addresses you could whitelist the customers IP addresses and set up a Syspeace rule to block at one failed login and in that manner have the attacka partially handled by Syspeace.
However, if you’re a Cloud Service provier this won’t work in reality since your customers could be coming from any IP address anywhere.
Multiple login attempt method
The second method would be to have each and everyone of these 10 000 computers constantly trying to login multiple times and such an attack would be blocked by Syspeace.
Bare in mind though, this would not sort out the network being flooded but it would help you protect your server from crashing due to overloaded CPU/RAM usage and it would buy you time to contact your ISP and see if they can help you mitigate the attack (with specific tools or increasing your bandwidth for instance)
To a certain extent , the Syspeace Global Blacklist would probably also have you preemptively protected against some of the IP addresses attacking you already.
If you don’t have Syspeace at all it’s not unlikely you’ll also be having a lot of user accounts locked out if you you’re trying to use lockout policies. Here’s a previous blogpost on why that is
Future features in Syspeace
One of the things we’ve already released are public APIs for customers with their own applications, webapplications and loginforms so we enable them to use the Syspeace engine to easily handle brute force attacks. For more information on how to implement it on your website or appliaction , please refer to the Syspeace Detector API page
We do have some ideas on how also to have Syspeace help in the first scenario (1 login/computer attack) but we’ll get back to you on that after we’ve implemented quite a few new more features and functions that’s already in our roadmap.
To have your Windows servers protected against malicious login attempts and have it set up in minutes without changing your infrasctructure , please visit the Syspeace download page
By Juha Jurvanen