Hardening your technology infrastructure in preparation for a DDoS attack

A distributed denial-of-service (DDoS) attack seeks to render an online service unavailable to legitimate users by overwhelming it with bogus requests. It differs from a denial-of-service (DoS) attack in that the traffic originates not from a single source but from dozens, hundreds, or thousands of devices.

DDoS attacks have grown in scale, sophistication, and audacity in recent years. One of the biggest was the October 2016 attack on Dyn that hampered access to more than 1,200 domains, including high-profile websites such as Amazon, Twitter, Airbnb, Spotify, PayPal, Netflix, Reddit, SoundCloud, the Guardian, the Wall Street Journal, and The New York Times.

Withstanding and surviving a DDoS attack: A checklist


DDoS attacks can be devastating in terms of lost sales, lost productivity, and damaged reputation. It’s not possible to prevent a DDoS attack against your technology infrastructure. However, by setting up appropriate controls beforehand, you will be better able to withstand and survive a DDoS attack. This 11-item checklist will tell you how.

1. List vulnerable, high priority resources

Identify the critical resources that are most in need of protection from a DDoS attack. At a minimum, these resources would include your web servers and email servers. The list should be kept in both electronic and paper form and include the contact details of executive, technology, and security staff within the organization.

It should also contain the contact information of your Internet Service Provider (ISP), website host, cloud service providers, cyber insurance provider, and other critical vendors. You need a physical copy of this record because, in the event of a DDoS attack, the servers and applications this information is located on may not be accessible.

2. Partner with an upstream provider

Onsite protection mechanisms such as firewalls and load balancers are certainly useful in warding off an attack. However, the typical scale and complexity of DDoS attacks make it necessary for you to work closely with upstream providers. If you, for instance, have a 10Gbps connection and are struck by a 200Gbps DDoS attack, your local defenses will likely be overwhelmed in seconds. This attack is best contained at the network provider level where there are resources and expertise in regularly dealing with DDoS threats.

3. Create a network traffic baseline

Study your organization’s network traffic and create a baseline. The better you understand normal traffic levels, where that traffic originates, and how it fluctuates by time of day and season, the easier it will be to detect and mitigate an attack. Most anti-DDoS products work on this premise: they first learn what normal traffic patterns look like so they are in a better position to recognize a deviation from the norm.
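To make the baseline idea concrete, here is an added example in Python (written for this page, not code from the article or from any anti-DDoS product). It learns a requests-per-minute baseline for each hour of the day from constructed historical samples, then flags a new interval only when it is far above that hour's norm, so the normal quiet-night/busy-afternoon swing is not mistaken for an attack. The sample data, the thresholds (z-score above 4 and more than three times the hourly mean) and all function names are assumptions of this example.

```python
"""Per-hour traffic baseline and deviation check.

Added example (not from the article): learns normal requests-per-minute for
each hour of the day from historical samples, then scores a new interval
against that hour's mean and spread so ordinary daily fluctuation is not
mistaken for an attack.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: five days of (timestamp, requests seen in that minute),
# sampled at 03:00 (normally quiet) and 14:00 (normally busy) with small jitter.
HISTORY = [
    (datetime(2024, 1, day, hour, minute),
     (40 if hour == 3 else 400) + (minute + day) % 7)
    for day in range(1, 6)
    for hour in (3, 14)
    for minute in range(0, 60, 15)
]


def build_baseline(samples):
    """Return {hour_of_day: (mean_rpm, stdev_rpm)} from (timestamp, count) pairs."""
    buckets = defaultdict(list)
    for ts, count in samples:
        buckets[ts.hour].append(count)
    return {hour: (mean(counts), pstdev(counts)) for hour, counts in buckets.items()}


def score_interval(baseline, ts, count, z_threshold=4.0, min_multiple=3.0):
    """Return (is_anomalous, z_score) for one observed interval.

    An interval is flagged only if it is both many standard deviations above
    the hourly mean *and* a large multiple of it. Requiring both keeps a very
    flat baseline (stdev near zero) from turning small absolute changes into
    alerts, while still catching the sudden surge characteristic of a flood.
    Hours with no baseline data are flagged so that a gap in the baseline is
    noticed and filled rather than silently ignored.
    """
    if ts.hour not in baseline:
        return True, float("inf")
    mu, sigma = baseline[ts.hour]
    sigma = max(sigma, 1.0)  # floor the spread so z cannot blow up on flat data
    z = (count - mu) / sigma
    return (z > z_threshold and count > min_multiple * mu), z


def flag_anomalies(baseline, observations):
    """Return the timestamps of observations that look like a flood."""
    return [ts for ts, count in observations
            if score_interval(baseline, ts, count)[0]]


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed live samples: a normal quiet hour, then a surge at 03:30.
    live = [
        (datetime(2024, 1, 6, 3, 0), 44),
        (datetime(2024, 1, 6, 3, 15), 47),
        (datetime(2024, 1, 6, 3, 30), 1900),
        (datetime(2024, 1, 6, 14, 0), 410),
    ]
    for ts in flag_anomalies(base, live):
        print(f"possible flood at {ts:%Y-%m-%d %H:%M}")
```

In production the history would come from flow records or web server logs rather than a constructed list, and a real baseline would also key on day of week and on source prefix so that a surge from one network is visible even when the total stays within the hourly norm; the two-condition test is what keeps a near-flat baseline from paging on noise.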

4. Harden against common DDoS attacks

You don’t want your network to be deemed low-hanging fruit because basic controls were never implemented; that would only make you a magnet for opportunistic attackers. So, before you implement advanced protection, harden your infrastructure against the most common, well-known types of DDoS attacks such as ICMP floods, SYN floods, UDP floods, HTTP GET/POST floods, spoofed-packet floods, and the aptly named ping of death.
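As an added illustration of what those basic controls look like on a Linux host (example code written for this page, not from the article or any vendor), the following script audits `sysctl -a` style output for kernel settings that blunt SYN floods, ICMP broadcast floods and spoofed-packet floods. The kernel keys are real; the sample sysctl output is constructed, and the recommended thresholds (a SYN backlog of at least 4096, at most 2 SYN-ACK retries) are this example's assumptions to be tuned to the host.

```python
"""Audit Linux kernel settings that blunt common flood attacks.

Added example (not from the article): parses `sysctl -a` style "key = value"
lines and reports settings that are weaker than a hardened Internet-facing host
should carry, with the recommended value and the attack it addresses.
Pipe real output in with:  sysctl -a 2>/dev/null | python3 sysctl_audit.py
"""
import sys

# (key, predicate on the integer value, recommended setting, why it matters)
CHECKS = [
    ("net.ipv4.tcp_syncookies", lambda v: v == 1, "1",
     "SYN flood: answer with SYN cookies once the half-open queue fills"),
    ("net.ipv4.tcp_max_syn_backlog", lambda v: v >= 4096, ">= 4096",
     "SYN flood: larger half-open connection queue (threshold is an assumption)"),
    ("net.ipv4.tcp_synack_retries", lambda v: v <= 2, "<= 2",
     "SYN flood: give up on unanswered SYN-ACKs sooner (threshold is an assumption)"),
    ("net.ipv4.icmp_echo_ignore_broadcasts", lambda v: v == 1, "1",
     "ICMP flood (smurf): do not answer pings sent to broadcast addresses"),
    ("net.ipv4.conf.all.rp_filter", lambda v: v in (1, 2), "1",
     "Spoofed packets: drop packets whose source is not routable back the same way"),
    ("net.ipv4.conf.all.accept_source_route", lambda v: v == 0, "0",
     "Spoofed packets: ignore source-routed packets"),
]

# Constructed sample in sysctl -a format: a weak, default-looking host.
SAMPLE_WEAK = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.tcp_synack_retries = 5
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.tcp_rmem = 4096\t131072\t6291456
"""

# Constructed sample: the same host after hardening.
SAMPLE_HARDENED = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
"""


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict; blank and malformed lines are ignored."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (key, current, recommended, why) for every weak or missing setting."""
    findings = []
    for key, ok, recommended, why in CHECKS:
        raw = settings.get(key)
        if raw is None:
            findings.append((key, "<missing>", recommended, why))
            continue
        try:
            value = int(raw.split()[0])  # multi-value keys: judge the first field
        except (ValueError, IndexError):
            findings.append((key, raw, recommended, why))
            continue
        if not ok(value):
            findings.append((key, raw, recommended, why))
    return findings


def main():
    # Read real sysctl output from a pipe; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WEAK
    findings = audit(parse_sysctl(text))
    for key, current, recommended, why in findings:
        print(f"{key}: {current} (recommend {recommended}) -- {why}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

These are host-level settings: SYN cookies and a deeper backlog keep a server answering under a modest SYN flood, but they do nothing about a volumetric flood that saturates the uplink, which is why the article pairs basic hardening with an upstream provider.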

5. Reduce the DDoS attack surface area

Your technology’s attack surface area is the sum total of technology resources in your enterprise that are exposed to exploitation. You can limit the impact of DDoS attacks by restricting the opportunities cybercriminals would have to get through. Reducing the attack surface area would include eliminating needless complexities such as errors in technical policies, redundant or duplicate network rules, excessive access permissions, insufficiently segmented network infrastructure, uncontrolled end-point access, lack of assessment and analytics on security configuration, a lack of traffic flow analysis, and a lack of quantitative risk scores.

6. Patching


All your systems, but especially your Internet-facing infrastructure, should be equipped with the latest security patches and software updates before they are connected to your production environment. This covers not just routers and switches but also server operating systems and enterprise applications.

7. Network segmentation and access distribution

Segment your network and ensure devices on your external edge handling hosted data, information, and inbound traffic are distributed in a way that makes it harder for your systems to be reached and attacked. Leverage points of presence (PoPs) and content delivery networks (CDNs) so that there isn’t a single bottleneck that attackers can focus on for a DDoS attack. CDNs boost performance by distributing content and slashing the distance between the hosted content and a website visitor. Stored cached copies of your content are kept in multiple locations on PoPs. The PoPs have multiple caching systems that ensure content is delivered to nearby visitors to your web application.

8. Scrubbing services

Scrubbing services are specialized cloud-based centers to which inbound attack traffic is diverted for cleaning. Diverting that traffic requires changing the underlying Border Gateway Protocol (BGP) routes, normally by automation, and ensuring the new route announcements propagate immediately.

Once the traffic has been cleaned and checked, GRE (generic routing encapsulation) tunnels carry the legitimate traffic back to your enterprise’s network.

9. DDoS stress testing

DDoS stress testing is a security service that helps organizations understand how prepared their infrastructure is for a wide range of DDoS attack vectors. It involves simulating DDoS or very high traffic loads on key resources within a strictly controlled environment and with clear pre-notification to all relevant vendors.

At the end of the stress test, you receive a detailed report documenting areas of weakness and what remediation actions you could take to harden your network.

10. Incident response planning

The different techniques discussed here for surviving a DDoS attack are most effective when they are part of a coordinated incident response plan. The plan should detail what actions to take as soon as a DDoS attack is suspected or confirmed to be underway, and who is responsible for executing the plan. It should include a crisis communication procedure that explains how word of the incident would be disseminated to employees, customers, shareholders, and the wider public.

To confirm that the response plan is practical and can work, you should perform dry runs several times a year. Update the plan each time a gap is identified during the drills or if a material change occurs in your technology infrastructure. Make sure the plan properly integrates the critical vendors who’ll be needed for a successful response.

11. Employee awareness

Train your staff on the different types of cyberattacks and the signs they should look out for to identify a DDoS attack in its initial stages. Employees must know what they should and should not do when they suspect an attack. There should be an escalation process they can trigger immediately, through which IT staff and senior management are made aware of the unfolding incident as quickly as possible.

DDoS attacks: Stay vigilant and survive

Vigilance is fundamental for an organization to prepare for, mitigate, and survive a DDoS attack. Overall, businesses must stay informed of the latest DDoS tactics and trends employed by individuals and entities that seek to do their network harm.


Stephen M.W.

Stephen regularly writes about technology, business continuity, compliance and project management. He's worked with companies such as Canva.com, EnergyCentral.com, and Citibank.
