DDoS attacks are increasing – here’s how to fight back
The distributed-denial-of-service (DDoS) attack landscape is constantly evolving. It is now routinely populated by hacktivists, trolls and extortioners, and a DDoS is sometimes used as a distraction from data exfiltration elsewhere on your network.
According to the A10 Networks ‘DDoS: A Clear and Present Danger’ report, the average organisation suffers more than 250 hours of DDoS business disruption each year.
Rather than asking if you can afford the cost of dedicated DDoS mitigation, maybe you should be asking if you can afford not to…
So how can you best mitigate against a DDoS attack? Here’s what you need to know.
Back to basics
You don't have to massively over-provision: simple measures such as keeping bandwidth headroom above your normal peak can absorb traffic spikes, including those caused by a DDoS attack, and buy you time both to recognise the attack and to react to it.
DDoS response planning
The first thing every organisation should do when suspecting a DDoS attack is to confirm it. Once you've ruled out DNS errors or upstream routing problems, your DDoS response plan can kick in.
What should be in that response plan? Contact relevant members of your incident response team, including leads from applications and operations teams, as both are likely to be impacted.
Then contact your ISP, but don’t be surprised if it black-holes your traffic. A DDoS attack costs it money, so null routing packets before they arrive at your servers is often the default option. It may offer to divert your traffic through a third-party scrubber network instead; these filter attack packets and only allow clean traffic to reach you.
Be warned: this is likely to be a far more expensive emergency option than having contracted a scrubbing provider or content distribution network (CDN) in advance to monitor your traffic patterns and scrub attack traffic on a subscription basis.
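The confirmation step above is easier with a repeatable first look at the traffic. The following is an added example, not code from the ITPro article or any vendor: it takes a window of web-server access-log lines and separates the three situations the text asks you to distinguish: traffic has vanished (suspect DNS or upstream routing rather than DDoS), one source is hammering you (rate-limit or block it at the edge yourself), or many sources share the load (a distributed flood, which is where the ISP or a scrubbing service comes in). The log format, IP addresses and thresholds are assumptions chosen for illustration; tune the thresholds to your own baseline.

```python
"""Added example (not from the ITPro article): first-pass triage of a
suspected DDoS from a sample of web-server access-log lines.

Assumed log format: the Combined Log Format prefix
  <ip> - - [<timestamp>] "<request line>" <status> <bytes>
Thresholds (flood_factor, single_source_share) are illustrative.
"""
from collections import Counter
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse(lines):
    """Yield (client_ip, status) for every well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), int(m.group("status"))

def triage(lines, window_s, baseline_rps, flood_factor=10.0, single_source_share=0.5):
    """Summarise one window of log lines and classify it.

    window_s     : length of the captured window in seconds
    baseline_rps : your normal request rate for this time of day
    Returns a dict of measurements plus a 'verdict' string.
    """
    per_ip = Counter()
    errors = 0
    for ip, status in parse(lines):
        per_ip[ip] += 1
        if status >= 500:
            errors += 1
    total = sum(per_ip.values())
    rps = total / window_s
    top_share = per_ip.most_common(1)[0][1] / total if total else 0.0
    stats = {
        "rps": rps,
        "distinct_sources": len(per_ip),
        "top_source_share": round(top_share, 3),
        "error_ratio": round(errors / total, 3) if total else 0.0,
    }
    if rps < 0.1 * baseline_rps:
        verdict = "no_traffic"          # check DNS and upstream routing before calling it DDoS
    elif rps < flood_factor * baseline_rps:
        verdict = "within_baseline"     # elevated at most; keep watching
    elif top_share >= single_source_share:
        verdict = "single_source_flood" # one client; rate-limit or block at your edge
    else:
        verdict = "distributed_flood"   # many sources; escalate to ISP / scrubbing service
    stats["verdict"] = verdict
    return stats

# --- constructed sample data (synthetic, not real traffic) -------------------

def make_lines(ip_counts, status=200):
    """Build synthetic log lines from (ip, request_count) pairs."""
    out = []
    for ip, n in ip_counts:
        out += [f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" {status} 512'] * n
    return out

def normal_sample():
    # 20 clients, 3 requests each over a 60 s window: 1 request/s
    return make_lines((f"203.0.113.{i}", 3) for i in range(1, 21))

def single_source_sample():
    # normal traffic plus one client sending 3000 requests that hit 503s
    return normal_sample() + make_lines([("198.51.100.7", 3000)], status=503)

def distributed_sample():
    # 500 clients, 6 requests each: same volume as above, spread thin
    return make_lines((f"10.{i // 256}.{i % 256}.1", 6) for i in range(500))

if __name__ == "__main__":
    for name, sample in (("normal", normal_sample()), ("single", single_source_sample()),
                         ("distributed", distributed_sample()), ("outage", [])):
        print(name, triage(sample, window_s=60, baseline_rps=1.0))
```

The `error_ratio` and `top_source_share` figures are what you hand to the ISP or scrubbing provider when you call: a flood from one address is something you can null-route yourself, whereas thousands of low-rate sources is exactly the case where null-routing your whole prefix, the ISP's cheap default, is the wrong outcome.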
Prioritise, sacrifice and survive
Ensure the limited network resources available to you are prioritised, and make this a financially driven exercise, as that helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?
This is exactly the kind of decision that should be written into it, so that it isn't being taken on the fly and under time pressure. There's no point giving everyone equal access to high-value applications during an attack: whitelist your most trusted partners and your remote employees connecting over VPN so that they get priority.
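One way to write those decisions down ahead of time, as an added example that is not code from the ITPro article or any vendor product: a load-shedding policy that admits or refuses each request in arrival order against a fixed capacity. Low-value services are refused first as utilisation climbs, high-value ones later, and the top slice of capacity is kept free for requests from trusted partner and VPN prefixes, which are never shed until the box is genuinely full. The prefixes, service tiers, thresholds and capacity figure are assumptions chosen for illustration.

```python
"""Added example (not from the ITPro article): a priority-based load-shedding
policy for the 'prioritise, sacrifice and survive' step.

All prefixes, tiers, thresholds and the capacity figure are assumptions.
"""
from collections import Counter
import ipaddress

# Assumed partner and remote-worker VPN ranges (documentation prefixes used here).
TRUSTED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# Assumed business value per service: 3 = revenue-critical, 0 = nice to have.
SERVICE_TIER = {"checkout": 3, "api": 2, "static": 1, "marketing": 0}

# Utilisation at which each tier starts being refused. Nothing untrusted gets in
# above 80%, so the top 20% of capacity is reserved for trusted sources.
SHED_AT = {0: 0.40, 1: 0.60, 2: 0.70, 3: 0.80}

def is_trusted(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_PREFIXES)

def admit(req, used, capacity):
    """Decide one request given how much capacity is already in use."""
    if used >= capacity:
        return False                                # hard limit, even for trusted sources
    if is_trusted(req["src"]):
        return True                                 # partners / VPN users bypass shedding
    tier = SERVICE_TIER.get(req["service"], 0)      # unknown services count as lowest value
    return used / capacity < SHED_AT[tier]

def run_window(requests, capacity):
    """Apply the policy to one window of requests in arrival order."""
    used = 0
    admitted, dropped = [], []
    for req in requests:
        if admit(req, used, capacity):
            used += 1
            admitted.append(req)
        else:
            dropped.append(req)
    return admitted, dropped

def summarise(requests):
    """Count requests by class: 'trusted' or the service name."""
    return Counter("trusted" if is_trusted(r["src"]) else r["service"] for r in requests)

# --- constructed sample windows (synthetic, not real traffic) ----------------

def attack_window():
    """A flood of low-value hits that arrives before the traffic you care about."""
    reqs = [{"src": f"198.51.100.{i % 250 + 1}", "service": "marketing"} for i in range(100)]
    reqs += [{"src": f"192.0.2.{i % 250 + 1}", "service": "api"} for i in range(50)]
    reqs += [{"src": f"192.0.2.{i % 250 + 1}", "service": "checkout"} for i in range(30)]
    reqs += [{"src": f"203.0.113.{i + 10}", "service": "api"} for i in range(20)]  # trusted, last in
    return reqs

def quiet_window():
    reqs = [{"src": f"198.51.100.{i + 1}", "service": "marketing"} for i in range(30)]
    reqs += [{"src": f"192.0.2.{i + 1}", "service": "api"} for i in range(10)]
    return reqs

if __name__ == "__main__":
    for name, window in (("quiet", quiet_window()), ("attack", attack_window())):
        admitted, dropped = run_window(window, capacity=100)
        print(name, "admitted:", dict(summarise(admitted)), "dropped:", dict(summarise(dropped)))
```

With a capacity of 100 the attack window admits 40 marketing, 30 API and 10 checkout requests and then still has room for all 20 trusted requests even though they arrive last; the quiet window admits everything, because the thresholds only bite as utilisation climbs. The point is that the shedding order and the reserved slice are agreed in advance, not argued over during the outage.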
Multi-vector attacks, such as when a DDoS attack is used to hide a data exfiltration attempt, are notoriously difficult to defend against. It’s all too easy to say that you must prioritise the data protection, but the smokescreen DDoS remains a very real attack on your business.
The motivation behind a DDoS is irrelevant: every attack should be dealt with using layered DDoS defences. These should include a CDN or scrubbing service to absorb volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.
DDoS mitigation services
It's worth considering investing in DDoS mitigation services if you're particularly likely to be a target (for example, if you're a large organisation), or at least knowing what's out there, just in case.
One of the biggest and best known is Cloudflare, which has made headlines offering DDoS mitigation services to the likes of Wikileaks as well as working to mitigate wider attacks like the WireX botnet and the 2013 Spamhaus attack.
Cloudflare isn't the only game in town, though, and many network and application delivery optimisation firms offer DDoS mitigation services.
Other well-known brands include Akamai, F5 Networks, Imperva, Arbor Networks and Verisign. Less well known options that are also worth considering include ThousandEyes, Neustar and DOSarrest.
Some of these providers offer so-called emergency coverage, which you can buy when an attack is underway to mitigate the worst of it, while others require a more long-term contract.
If you're already using other products from any of these companies, you may want to look into adding DDoS protection to your package. Alternatively, if you use a network optimisation firm not mentioned here, it's worth seeing whether it offers DDoS protection and how much it would cost. As mentioned above, your ISP may also offer some form of DDoS protection, particularly in an emergency, but find out beforehand how comprehensive this is, what the process for invoking it involves, and how much it will cost.
Source: ITPro