By Chris Holden, Information Security Consultant, for Cysec-Rco:
Distributed Denial of Service attacks are becoming more commonplace, and the risk grows as more and more Internet-connected devices come online. DDoS attacks are cheap for an attacker to launch and can be very difficult to stop. They can also cost a large amount of money in lost revenue and productivity. Here are five very basic (and not exhaustive) ways to help mitigate the threat:
- Be aware that you are a target
A number of companies have thought that they were not vulnerable to this kind of attack purely by not being an obvious target. However, it is not always obvious why hacktivists attack a particular target until after the fact and, for cyber-criminals, extortion is always a motivation. Add to that the good old-fashioned bored script kiddie with a botnet and nowhere better to point it. It is better to assume that you are a potential target and plan accordingly.
- Plan for the worst
Make the assumption that you will be attacked at some point and plan for it – add DDoS attacks into your cyber incident response plan. Make sure your plan covers what to do in the case of a mild attack through to a severe attack. In the case of a mild attack you might absorb it, using excess resources to ride it out with a minimal impact on your business, but increased vigilance in case the attack escalates. In the case of a severe attack you might want to reduce services to the minimum possible, enabling you to use the resources you have to their maximum benefit. If possible, make one of your IT staff the DDoS captain, who knows how to monitor for a DDoS, and what to do in the event of an attack to put your plan into action.
- Be prepared
Normal network hardening should be part of your general cyber security plan anyway, but less obvious measures such as overprovisioning bandwidth should also be considered, as they might give you crucial time in the event of an attack. This is especially important if the attack is against your website and you self-host. If you have an external host for your website and it is targeted, that can actually be an advantage: not only are data centres likely to have enough bandwidth to give you time to respond, they might also have experience of dealing with DDoS attacks. They are also likely to have higher capacity routers.
As part of your general hardening, as well as the givens such as ensuring both software and firmware are patched across the board, make sure your firewall is configured to block malformed traffic (reducing risk of Ping of Death style attacks); block inbound ICMP (unless you actually need inbound ICMP of course); use ingress filtering (limits IP spoofing); disable all unnecessary services; and enable router throttling on your gateway router (which can help gain valuable time in the event of an attack).
- How do you detect that you are under attack?
The simple answer is monitoring. As far as possible, know what your normal network traffic footprint is at any time of day or day of the week. It helps to know what a sudden increase in legitimate traffic looks like, so that when there is a sharp increase that doesn't look right you can identify whether you need to take action or not. IDS/IPS systems are often not much help in this kind of attack. However, source IP reputation filtering, if available to you, can be of assistance by filtering traffic from untrusted IP addresses.
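As an added example (not code from the original article), here is a small Python monitor that builds the per-hour-of-day baseline this section describes from a constructed historical log and flags minutes whose request rate is sharply above it. The log format, the sample counts and the two thresholds are assumptions made for the example.

```python
"""Baseline traffic monitor: flag minutes whose request rate is far above
what is normal for that hour of the day. All data below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed historical log, one line per minute: "<ISO timestamp> <requests>".
# Real history would span weeks; a few lines suffice to show the method.
HISTORY = """\
2024-03-04T09:00 410
2024-03-04T09:01 430
2024-03-05T09:00 395
2024-03-05T09:01 425
2024-03-04T03:00 20
2024-03-04T03:01 25
2024-03-05T03:00 18
2024-03-05T03:01 22
"""

# Constructed "today" log: a normal 09:00 minute, a moderate rise at 09:02,
# a sharp spike at 09:01, and a spike in the quiet overnight hour at 03:00.
CURRENT = """\
2024-03-06T09:00 440
2024-03-06T09:01 1900
2024-03-06T09:02 600
2024-03-06T03:00 900
"""

def parse(text):
    """Yield (datetime, requests_per_minute) pairs from the log format above."""
    for line in text.splitlines():
        stamp, count = line.split()
        yield datetime.fromisoformat(stamp), int(count)

def build_baseline(history):
    """Mean and standard deviation of requests/minute for each hour of day."""
    per_hour = defaultdict(list)
    for ts, count in parse(history):
        per_hour[ts.hour].append(count)
    return {h: (mean(v), pstdev(v)) for h, v in per_hour.items()}

def detect(current, baseline, sigma=4.0, min_ratio=3.0):
    """Return (minute, observed, baseline_mean) for minutes that are both more
    than `min_ratio` times the hourly mean and more than `sigma` standard
    deviations above it. The ratio test stops a near-zero deviation from
    flagging ordinary jitter; the sigma test keeps a noisy hour honest."""
    alerts = []
    for ts, count in parse(current):
        if ts.hour not in baseline:
            continue  # no baseline for this hour: nothing to compare against
    mu, sd = None, None
    for ts, count in parse(current):
        if ts.hour not in baseline:
            continue
        mu, sd = baseline[ts.hour]
        z = (count - mu) / sd if sd else float("inf")
        if count > mu * min_ratio and z > sigma:
            alerts.append((ts.isoformat(timespec="minutes"), count, round(mu)))
    return alerts
```

Run `detect(CURRENT, build_baseline(HISTORY))`: the 09:01 and 03:00 minutes are flagged, while the 09:02 rise (about 1.4x the hourly mean) is not, even though it is many standard deviations out.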
- Get all available help, and consider specialist help
Consider getting help as part of your plan. If you discover that you are under attack you should certainly inform your ISP or provider as soon as possible. Let them know why you think you are under attack and ask for help. If it is your website that is under attack and it is hosted by another company, inform them and ask for help.
If the attack cannot be mitigated by your own means, or with the help of your ISP or hosting company, you might consider calling in a DDoS specialist. Naturally, this will depend on the economics of the situation. It might be cheaper to wait an attack out than to pay a third-party specialist to keep you online. If, however, staying online with zero downtime is absolutely crucial to your business, it might be worth considering a subscription to a DDoS protection and mitigation service.