How to protect against a DDoS attack
We explain why and how you should guard against distributed-denial-of-service incidents.
The distributed-denial-of-service (DDoS) attack landscape is constantly evolving, and is now routinely populated by hacktivists, trolls, extortioners and even used as a distraction from data exfiltration elsewhere on your network.
According to A10 Networks’ DDoS: A Clear and Present Danger report, the average organisation suffers more than 250 hours of DDoS business disruption each year.
Rather than asking if you can afford the cost of dedicated DDoS mitigation, maybe you should be asking if you can afford not to.
And while DDoS attacks still mainly target large or high-profile organisations, small businesses are increasingly being affected. An Akamai study reported a 180% annual increase in the number of DDoS attacks against small organisations.
We explain how to protect against a DDoS attack on the next page, but first, let’s take a look at why you should.
What is a DDoS?
According to the Oxford Dictionary, a Distributed Denial of Service (DDoS) attack is the “intentional paralysing of a computer network by flooding it with data sent simultaneously from many individual computers”.
While technically true, it is a very basic description of a tactic that has evolved to become one of the most complex and efficient threats facing a digital economy. To understand how far it has come, you need to first look back at the roots of DDoS attacks.
A very brief history of DDoS
The methodology we know today as DDoS is widely considered to have first emerged in 1995 during the Net Strike attacks against sites owned by the French government. Attacks had become somewhat automated by 1997, primarily due to the FloodNet tool created by the Electronic Disturbance Theater group.
Following an attack by Anonymous in 2010, the DDoS tactic would be firmly planted on the threat map. Using a tool dubbed the ‘Low Orbit Ion Cannon’, the group was able to successfully flood targeted servers with TCP or UDP packets, facilitated through a point-and-click interface.
DDoS has since evolved further, with two recent attacks demonstrating the ease with which criminals are able to take down targeted servers.
In October 2016, an 18-year-old allegedly configured his Twitter account and website to contain a redirect link that when clicked would automatically make a 911 call. Emergency services in the towns of Surprise and Peoria, Arizona, as well as the Maricopa County Sheriff’s Office were inundated with fake calls as a result.
Surprise received over 100 calls in the space of a few minutes, while Peoria PD received a “large volume of these repeated 911 hang up calls”, which, given enough data traffic, could have knocked the 911 service offline for the whole of Maricopa County.
More details of how the attack was actually carried out can be found here.
The second notable incident is the DDoS attack on DNS provider Dyn, which took place at about the same time as the Surprise 911 overload. It’s thought that the attack was powered by Mirai, a piece of malware that recruits IoT devices into a botnet.
Dyn said it had observed tens of millions of discrete IP addresses associated with Mirai taking part in the attack, with an army of 150,000 internet-connected CCTV cameras thought to have been a core part of the botnet.
More details of the Dyn DDoS attack and Mirai can be found here and here.
Who’s doing it and what do they use?
Don’t think that DDoS is a legitimate form of political protest. Impairing the operation of any computer is a crime.
It’s also used as a smokescreen for other criminal activity, like when TalkTalk had data on four million customers exfiltrated while it was dealing with one.
DDoS is now almost exclusively the territory of botnets-for-hire, no longer populated just by compromised PCs and laptops: the Mirai botnet last year connected together hundreds of thousands of IoT devices to power a DDoS attack. Devices such as routers and even CCTV cameras have default credentials that often don’t get changed by owners, leaving hackers an easy route to infection and control.
A botnet comprising close to 150,000 digital CCTV cameras was thought to be used in the DDoS attack against DNS provider Dyn, an attack that took a swathe of well-known internet services offline.
How do they work again?
DDoS attacks come in many technical guises, and some are more common than others. Nearly all, however, involve flooding to some degree or other. Be it a User Datagram Protocol (UDP), Transmission Control Protocol (TCP) Synchronize (SYN), GET/POST or Ping of Death flood, they all involve sending large volumes of something that the server must spend resources on, either answering it or checking whether it is genuine.
The more that are sent, the less resource the server has to respond until eventually it collapses under the strain.
What about cost?
That depends if you mean cost to the organisation who has fallen victim, or the perpetrators, of a DDoS attack. Kaspersky Labs reckons the average cost to an organisation is US$106,000 if you take everything from detection through to mitigation and customer churn into account. For small businesses, that figure is still a significant US$52,000.
For the attacker it’s less expensive, with DDoS-for-hire services ranging from US$5 for a few minutes to US$500 for a working day.
The bottom line is if you can’t afford your network, website or other digital channels to go down for any significant period of time, you need to prepare for a DDoS attack.
So how can you best mitigate against a DDoS attack? Here’s what you need to know.
Basic safeguards with your router
Rather than over-provisioning, simple things such as bandwidth buffering can help handle traffic spikes, including those associated with a DDoS attack, and give you time to both recognise the attack and react to it.
This requires getting a business-grade router, if you haven’t already. Then you can put into place other basic safeguards that can gain you a few precious minutes: rate-limiting your router, adding filters to drop obviously spoofed or malformed packets, and setting lower drop thresholds for ICMP, SYN and UDP floods. All of these will buy you time to find help.
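To make the flood mechanics above and these router-level safeguards concrete, here is an added example (not code from the original article or from any vendor it names) that applies the same three checks to a constructed packet-summary log: drop sources that cannot legitimately appear on an internet-facing interface, drop TCP packets with contradictory flags, and then count SYN, UDP and ICMP packets per second against drop thresholds. The log format, the address ranges and the threshold values are all assumptions made for the example; a real deployment derives thresholds from its own traffic baseline.

```python
"""Router-style pre-filtering and per-second flood thresholds over a constructed log."""
import ipaddress
from collections import Counter, defaultdict

# Per-second drop thresholds per traffic class. Constructed values for this
# example; tune them to what your own links see on a normal day.
THRESHOLDS = {"SYN": 50, "UDP": 100, "ICMP": 20}

# Source ranges that should never be the source of packets arriving from the
# internet side (private, loopback, multicast, reserved). Seeing one is a
# strong spoofing indicator and a cheap reason to drop before any counting.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_line(line):
    """Parse one constructed log line of the form
    '<epoch_second> <src_ip> <dst_ip>:<dst_port> <proto> [<tcp_flags>]'.
    Returns None for lines that do not match (so noise never crashes the loop)."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = int(parts[0])
        src = ipaddress.ip_address(parts[1])
        dst_ip, dst_port = parts[2].rsplit(":", 1)
        port = int(dst_port)
    except ValueError:
        return None
    flags = parts[4] if len(parts) > 4 else ""
    return {"ts": ts, "src": src, "dst": dst_ip, "port": port,
            "proto": parts[3].upper(), "flags": flags}


def is_spoofed_or_malformed(pkt):
    """Stateless checks a router filter can apply before any rate logic."""
    if any(pkt["src"] in net for net in BOGON_NETS):
        return True  # spoofed: bogon source seen on the WAN side
    if pkt["proto"] == "TCP":
        f = set(pkt["flags"])
        # No flags at all, or SYN combined with FIN or RST, is never valid TCP.
        if not f or {"S", "F"} <= f or {"S", "R"} <= f:
            return True
    return False


def classify(pkt):
    """Map a packet to the traffic class whose threshold applies to it."""
    if pkt["proto"] == "TCP" and set(pkt["flags"]) == {"S"}:
        return "SYN"
    if pkt["proto"] in ("UDP", "ICMP"):
        return pkt["proto"]
    return "OTHER"


def analyse(log_text, thresholds=THRESHOLDS):
    """Filter, then count per second per class, and report seconds over threshold."""
    dropped = 0
    per_second = defaultdict(Counter)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if is_spoofed_or_malformed(pkt):
            dropped += 1
            continue
        cls = classify(pkt)
        if cls in thresholds:
            per_second[pkt["ts"]][cls] += 1
    alerts = []
    for ts in sorted(per_second):
        for cls, count in sorted(per_second[ts].items()):
            if count > thresholds[cls]:
                alerts.append({"second": ts, "class": cls, "count": count,
                               "excess": count - thresholds[cls]})
    return {"dropped": dropped, "alerts": alerts}


def build_sample_log():
    """Constructed traffic: one quiet second, then one second of SYN flood from
    many distinct sources, mixed with a few spoofed and malformed packets."""
    lines = []
    for i in range(5):  # quiet second: a handful of ordinary handshakes
        lines.append(f"1000 203.0.113.{i + 1} 198.51.100.10:443 TCP S")
        lines.append(f"1000 203.0.113.{i + 1} 198.51.100.10:443 TCP A")
    lines.append("1000 203.0.113.9 198.51.100.10:53 UDP")
    for i in range(120):  # flood second: 120 SYNs from 120 different sources
        lines.append(f"1001 198.18.{i // 256}.{i % 256} 198.51.100.10:80 TCP S")
    lines.append("1001 10.1.2.3 198.51.100.10:80 TCP S")         # private source on WAN
    lines.append("1001 192.168.1.1 198.51.100.10:80 TCP S")      # private source on WAN
    lines.append("1001 198.51.100.200 198.51.100.10:80 TCP SF")  # SYN+FIN, malformed
    lines.append("1001 198.51.100.201 198.51.100.10:80 TCP")     # no flags, malformed
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

The point of ordering the checks this way is that the spoof and malformation filters are stateless and cheap, so they run first and never consume a counter slot; the per-second counters are what actually trigger the lower drop thresholds the article recommends, and the `excess` figure is the amount you would need a scrubbing service to absorb.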
Incident response planning
The first thing every organisation should do when suspecting a DDoS attack is confirm it. Once you’ve discounted DNS errors or upstream routing problems, then your security response plan can kick in.
What should be in that response plan? First, you need to put together an incident response team that includes managers and team leaders likely to be affected by an outage, as well as your organisation’s key IT and cyber security people. Only by talking to all the right people can you formulate a comprehensive response plan.
Then contact your ISP, but don’t be surprised if it black-holes your traffic. A DDoS attack costs it money, so null routing packets before they arrive at your servers is often the default option. It may offer to divert your traffic through a third-party scrubber network instead; these filter attack packets and only allow clean traffic to reach you.
Be warned, this is likely to be a more expensive emergency option than had you contracted such a content distribution network (CDN) to monitor traffic patterns and scrub attack traffic on a subscription basis.
Prioritise, sacrifice and survive
Ensure the limited network resources available to you are prioritised – make this a financially driven exercise, as it helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?
This is the kind of thing that should be in it, so that these decisions aren’t being taken on the fly and under time pressure. There’s no need to allow equal access to high-value applications – you can whitelist your most trusted partners and remote employees using a VPN to ensure they get priority.
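The prioritise-and-sacrifice decision can be written down as policy rather than made under pressure. The following is an added example, not code from the original article, of an admission rule for one second of degraded capacity: whitelisted partner and VPN ranges are served first, then revenue-bearing paths, then ordinary browsing, and pre-designated low-value paths are shed first. The address ranges, URL prefixes, capacity figure and request mix are all constructed for the example.

```python
"""Tiered admission under a fixed per-second capacity budget (constructed policy)."""
import ipaddress
from collections import Counter

# Constructed policy values; in practice these come from the response plan.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("192.0.2.0/24", "198.51.100.64/26")]   # partner and VPN pools
HIGH_VALUE_PREFIXES = ("/api/orders", "/api/payments", "/login")
LOW_VALUE_PREFIXES = ("/blog", "/static/marketing", "/promo")
CAPACITY_PER_SECOND = 100   # what the degraded network can still serve


def tier(src_ip, path):
    """Lower is more important. Trusted sources outrank everything so partners
    and remote staff stay reachable, then revenue paths, then everything else,
    and finally traffic the plan has already decided to sacrifice."""
    if any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS):
        return 0
    if path.startswith(HIGH_VALUE_PREFIXES):
        return 1
    if path.startswith(LOW_VALUE_PREFIXES):
        return 3
    return 2


def admit(requests, capacity=CAPACITY_PER_SECOND):
    """Admit at most `capacity` requests from one second's arrivals, best tier
    first; within a tier arrival order is preserved. Returns (admitted, rejected)."""
    ranked = sorted(enumerate(requests),
                    key=lambda item: (tier(item[1]["src"], item[1]["path"]), item[0]))
    keep = {idx for idx, _ in ranked[:capacity]}
    admitted = [r for i, r in enumerate(requests) if i in keep]
    rejected = [r for i, r in enumerate(requests) if i not in keep]
    return admitted, rejected


def summarise(admitted, rejected):
    """Count admitted and rejected requests per tier, for the incident log."""
    return {"admitted_by_tier": Counter(tier(r["src"], r["path"]) for r in admitted),
            "rejected_by_tier": Counter(tier(r["src"], r["path"]) for r in rejected)}


def build_sample_second():
    """Constructed one-second mix during an attack: 300 arrivals, capacity 100."""
    reqs = []
    for i in range(10):    # partner / VPN traffic
        reqs.append({"src": f"192.0.2.{i + 1}", "path": "/api/orders"})
    for i in range(60):    # ordinary customers on revenue paths
        reqs.append({"src": f"203.0.113.{i + 1}", "path": "/api/payments"})
    for i in range(80):    # ordinary browsing
        reqs.append({"src": f"203.0.113.{100 + i}", "path": f"/products/{i}"})
    for i in range(150):   # low-value traffic: the first thing to shed
        reqs.append({"src": f"198.18.0.{i % 250 + 1}", "path": "/promo/banner.png"})
    return reqs


if __name__ == "__main__":
    accepted, shed = admit(build_sample_second())
    print(summarise(accepted, shed))
```

Run against the constructed second, every partner and payment request is admitted, browsing is partially served, and all of the promotional traffic is shed; the same policy expressed as a table in the response plan is what lets the on-call team act immediately instead of debating which service matters most while it is down.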
Multi-vector attacks, such as when a DDoS attack is used to hide a data exfiltration attempt, are notoriously difficult to defend against. It’s all too easy to say that you must prioritise the data protection, but the smokescreen DDoS remains a very real attack on your business.
The motivation behind a DDoS is irrelevant; they should all be dealt with using layered DDoS defences. These can include the use of a CDN to deal with volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.
DDoS mitigation services
It’s worth considering investing in DDoS mitigation services if your network or digital channels are critical to your business – and particularly if you’re likely to be a target of a DDoS attack (for example, if you’re a well-known business) – or at least knowing about what’s out there, just in case.
One of the biggest and best known is Cloudflare, which has made headlines offering DDoS mitigation services to the likes of Wikileaks as well as working to mitigate wider attacks like the WireX botnet and the 2013 Spamhaus attack.
Cloudflare isn’t the only game in town, though, and many network and application delivery optimisation firms offer DDoS mitigation services.
Other well-known brands include Akamai, F5 networks, Imperva, Arbor Networks and Verisign. Less well known options that are also worth considering include ThousandEyes, Neustar and DOSarrest.
Some of these providers offer so-called emergency coverage, which you can buy when an attack is underway to mitigate the worst of it, while others require a more long-term contract.
If you’re already using other products from any of these companies, you may want to look into adding DDoS protection to your package. Alternatively, if you use another network optimisation firm not mentioned here, it’s worth seeing if it offers DDoS protection and how much it would cost.
As mentioned above, your ISP may also offer some form of DDoS protection, particularly in an emergency, but it’s worth seeing quite how comprehensive this would be beforehand, as well as the processes involved and how much it will cost.
And even if you don’t subscribe to any of these services, knowing who to turn to in an emergency should be part of your response plan.