A distributed denial-of-service (DDoS) attack seeks to render an online service unavailable to legitimate users by overwhelming it with bogus requests. It differs from a denial-of-service (DoS) attack in that the traffic does not originate from a single source but from dozens, hundreds, or thousands of devices.
DDoS attacks have grown in scale, sophistication, and audacity in recent years. One of the biggest was the October 2016 attack on Dyn that hampered access to more than 1,200 domains including high profile websites such as Amazon, Twitter, Airbnb, Spotify, PayPal, Netflix, Reddit, SoundCloud, the Guardian, the Wall Street Journal, and The New York Times.
Withstanding and surviving a DDoS attack: A checklist
DDoS attacks can be devastating in terms of lost sales, lost productivity, and damaged reputation. It’s not possible to prevent a DDoS attack against your technology infrastructure. However, by setting up appropriate controls beforehand, you will be better able to withstand and survive a DDoS attack. This 11-item checklist will tell you how.
1. List vulnerable, high priority resources
Identify the critical resources that are most in need of protection from a DDoS attack. At a minimum, these resources would include your web servers and email servers. The list should be kept in both electronic and paper form and include the contact details of executive, technology, and security staff within the organization.
It should also contain the contact information of your Internet Service Provider (ISP), website host, cloud service providers, cyber insurance provider, and other critical vendors. You need a physical copy of this record because, in the event of a DDoS attack, the servers and applications this information is located on may not be accessible.
2. Partner with an upstream provider
Onsite protection mechanisms such as firewalls and load balancers are certainly useful in warding off an attack. However, the typical scale and complexity of DDoS attacks make it necessary to work closely with upstream providers. If, for instance, you have a 10Gbps connection and are struck by a 200Gbps DDoS attack, your local defenses will likely be overwhelmed in seconds. Such an attack is best contained at the network provider level, where there are resources and expertise from regularly dealing with DDoS threats.
3. Create a network traffic baseline
Study your organization’s network traffic and create a baseline. The better you understand what normal traffic looks like, including its volume, where it originates, and how it fluctuates by time of day and season, the easier it will be to detect and mitigate an attack. Most anti-DDoS products work on this premise: they first learn normal traffic patterns so they are better placed to determine what deviates from the norm.
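As an added example (not part of the original article), the following script builds a per-minute request-rate baseline from constructed web-server log lines and flags later minutes that exceed it; the Common Log Format layout, the 198.51.100.0/24 test addresses, the k=3 multiplier and the two-times-mean floor are all assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Timestamp and client IP from a Common Log Format line (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')

def bucket_by_minute(lines):
    """Map each minute to a Counter of requests per source IP."""
    per_min = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        per_min[ts.strftime("%Y-%m-%d %H:%M")][m.group("ip")] += 1
    return per_min

def build_baseline(normal_lines):
    """Mean and population stdev of requests per minute in known-good traffic."""
    rates = [sum(c.values()) for c in bucket_by_minute(normal_lines).values()]
    return {"mean": statistics.mean(rates), "stdev": statistics.pstdev(rates)}

def flag_deviations(lines, baseline, k=3.0):
    """Return minutes whose request rate exceeds mean + k*stdev.
    A floor of twice the mean stops a flat baseline (stdev 0) flagging noise."""
    threshold = max(baseline["mean"] + k * baseline["stdev"], 2 * baseline["mean"])
    flagged = []
    for minute, sources in sorted(bucket_by_minute(lines).items()):
        total = sum(sources.values())
        if total > threshold:
            flagged.append({"minute": minute, "requests": total,
                            "sources": len(sources),  # many sources: DDoS, not DoS
                            "threshold": round(threshold, 1)})
    return flagged

def make_lines(minute, n_requests, n_sources):
    """Constructed CLF-style lines: n_requests spread over n_sources test-net IPs."""
    return [f"198.51.100.{i % n_sources + 1} - - [01/Mar/2024:10:{minute:02d}:00 +0000] "
            '"GET / HTTP/1.1" 200 512' for i in range(n_requests)]

# Constructed data: ten quiet minutes of 8-12 requests from three clients.
NORMAL = [l for m in range(10) for l in make_lines(m, 8 + m % 5, 3)]
BASELINE = build_baseline(NORMAL)
# A later window: one ordinary minute, then a flood from 60 distinct sources.
WINDOW = make_lines(20, 11, 3) + make_lines(21, 300, 60)
ALERTS = flag_deviations(WINDOW, BASELINE)

if __name__ == "__main__":
    print("baseline:", BASELINE)
    for alert in ALERTS:
        print("deviation:", alert)
```

In production the baseline would be rebuilt per hour of day and day of week so that the seasonal fluctuations the article mentions are not themselves flagged.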
4. Harden against common DDoS attacks
You don’t want your network to be deemed low hanging fruit due to a failure to implement basic controls. This would only make you a magnet for opportunistic attackers. So, before you implement advanced protection, harden your infrastructure against the most common, well-known types of DDoS attacks such as ICMP floods, SYN floods, UDP floods, GET/POST floods, spoofed-packet floods, and the aptly-named pings of death.
5. Reduce the DDoS attack surface area
Your technology’s attack surface area is the sum total of technology resources in your enterprise that are exposed to exploitation. You can limit the impact of DDoS attacks by restricting the opportunities cybercriminals would have to get through. Reducing the attack surface area would include eliminating needless complexities such as errors in technical policies, redundant or duplicate network rules, excessive access permissions, insufficiently segmented network infrastructure, uncontrolled end-point access, lack of assessment and analytics on security configuration, a lack of traffic flow analysis, and a lack of quantitative risk scores.
6. Keep systems patched and updated
All your systems, but especially your Internet-facing infrastructure, should be equipped with the latest security patches and software updates before they are connected to your production environment. This covers not just routers and switches but also server operating systems and enterprise applications.
7. Network segmentation and access distribution
Segment your network and ensure the devices on your external edge that handle hosted data, information, and inbound traffic are distributed in a way that makes it harder for your systems to be reached and attacked. Leverage points of presence (PoPs) and content delivery networks (CDNs) so that there isn’t a single bottleneck that attackers can focus a DDoS attack on. CDNs boost performance by distributing content and slashing the distance between the hosted content and a website visitor. Cached copies of your content are kept at multiple PoPs, each with several caching systems, so that content is delivered to visitors of your web application from a nearby location.
8. Scrubbing services
Scrubbing services are specialized cloud-based centers to which inbound attack traffic can be diverted for cleaning. Diverting inbound traffic successfully requires automatically changing the underlying Border Gateway Protocol (BGP) routes and ensuring the updated routes are advertised immediately.
Once the traffic has been cleaned and checked, generic routing encapsulation (GRE) tunnels are used to return the legitimate traffic to your enterprise’s network.
9. DDoS stress testing
DDoS stress testing is a security service that helps organizations understand how prepared their infrastructure is for a wide range of DDoS attack vectors. It involves simulating DDoS or very high traffic loads on key resources within a strictly controlled environment and with clear pre-notification to all relevant vendors.
At the end of the stress test, you receive a detailed report documenting areas of weakness and what remediation actions you could take to harden your network.
10. Incident response planning
The different techniques discussed here for surviving a DDoS attack are most effectively deployed when they are part of a coordinated incident response plan. The plan should detail what actions to take as soon as a DDoS attack is suspected or confirmed to be underway, and who is responsible for the plan’s execution. It should include a crisis communication procedure that explains how word of the incident would be disseminated to employees, customers, shareholders, and the wider public.
To confirm that the response plan is practical and can work, you should perform dry runs several times a year. Update the plan each time a gap is identified during the drills or if a material change occurs in your technology infrastructure. Make sure the plan properly integrates the critical vendors who’ll be needed for a successful response.
11. Employee awareness
Train your staff on the different types of cyberattacks and what signs they should look out for to identify a DDoS attack in its initial stages. Employees must know what they should and should not do when they suspect an attack. There should be an escalation process they can trigger immediately and through which IT staff and senior management are made aware of the unfolding incident within the shortest time.
DDoS attacks: Stay vigilant and survive
Vigilance is fundamental for an organization to prepare for, mitigate, and survive a DDoS attack. Overall, businesses must stay informed of the latest DDoS tactics and trends employed by individuals and entities that seek to do their network harm.