5 Steps to Help Mitigate and Prevent DDoS Attacks
Ransomware may dominate the headlines when it comes to cyberattacks, but denial of service (DoS) attacks – distributed denial of service (DDoS) attacks, in particular – continue to make their mark too. They’re increasingly a significant threat to businesses of all sizes. After all, if companies like Amazon Web Services and GitHub fall prey to DDoS attacks, is anyone safe?
The financial damage resulting from a DDoS attack can be severe. One study noted that an attack can cost a company over $1.6 million. Making matters worse, the ease and relatively low cost of launching DDoS attacks have even made them an attractive tool for ransomware gangs. According to the Dark Web Price Index 2020, a targeted distributed denial-of-service (DDoS) attack goes for as little as $10 per hour or $60 for 24 hours.
What are DoS vs. DDoS Attacks?
DoS attacks are just what their names imply: an attempt by attackers to deny access to a networked system, service, website, application, or other resource. While an attack originating from a single source is a DoS attack, attacks emanating from multiple sources but coordinated from a central point are called DDoS attacks. Larger than DoS attacks, they can be significantly more devastating and are difficult to detect and stop.
Attackers flood a target system with a barrage of malicious or nuisance requests, or abuse a protocol weakness or inherent vulnerability. By tying up all the available network bandwidth or resources on the targeted system, the attackers make it so the system can’t respond to legitimate requests – literally denying service.
To get the bandwidth or processing power needed, attackers often use botnets, hundreds or thousands of internet-connected computers that are infected with malware. Owners of the infected computers typically don’t even know they’ve been compromised. Because the attack originates from many different systems that appear to be legitimate, it’s easy for attackers to hide their identity.
DDoS Attack Types
There are dozens of different types of DDoS attacks, but the three most common categories recognized industrywide are volumetric, protocol, and application layer.
- Volumetric attacks, also known as floods, are the most common type. They typically send a massive amount of traffic to the targeted victim’s network with the goal of consuming so much bandwidth that users are denied access.
- Protocol attacks deny service by exploiting weaknesses in protocols, or the normal behavior of protocols, typically OSI layer 3 and layer 4 protocols such as ICMP (Internet Control Message Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and others. The goal is to exhaust the computational capabilities of the network or intermediate resources (firewalls, load balancers, connection tables), resulting in denial of service.
- Application layer attacks, also known as OSI layer 7 attacks, go after web servers, web application platforms, and specific web-based applications rather than the network. These attacks can target known application vulnerabilities, the underlying business logic of an application, or abuse higher-layer protocols like HTTP/HTTPS (Hypertext Transfer Protocol/Secure) and SNMP (Simple Network Management Protocol). They often use less bandwidth than other types of attacks. Because they don’t always display a sudden increase in traffic, they can be harder to detect.
Steps to Mitigate DDoS Risks and Damages
The question everyone asks is how to stop a DDoS attack. Unfortunately, there’s no “easy button” for mitigating and preventing DDoS attacks. However, there are some simple things that can be done, including these five:
1. Create a Risk Profile.
One of the first steps in minimizing your organization’s risk of a DDoS attack is to create a risk profile. Start by answering the following questions:
- Why would we be a good candidate to attack?
- Are we in a high-risk industry such as online gaming, software and technology, financial services, etc.?
- What do we have that someone might want?
- What enemies or aggressive competitors do we have?
- What activities are happening on our systems that might make us a target?
- How would a DDoS attack affect our business?
- What are our potential threat vectors and how should they be characterized and prioritized?
- How long could we go without systems affected by a DDoS attack?
2. Develop an Incident Response Plan.
An incident response plan is essential for helping your organization respond quickly if a DDoS attack occurs. To create one:
- Identify what your critical systems are and understand how to tell if they are being attacked. Signs of a DDoS attack may include, but aren’t limited to, unusually slow network performance when opening files or accessing websites, the unavailability of a website, or a dramatic increase in the number of received spam emails.
- Request any relevant documentation on DDoS attack mitigation and prevention from your security or firewall vendors, or managed security providers.
- Compile a list of people to help in the event of an attack. Include members of your company’s executive management team, your internet service provider (ISP), internal and external information security experts, and law enforcement professionals, including from the FBI.
- Determine your strategies for dealing with an attack. Can you shut down services or implement your disaster recovery (DR) plan? Can your ISP block the traffic? If so, what does it need from you to make it happen?
3. Employ Your Existing Security Capabilities.
Chances are you already have DDoS mitigation and prevention capabilities or access to them via a provider. Take time to understand what you have, what you can do, and what others can do for you.
- The security appliances you currently use may have features to assist with DDoS detection and prevention. Know what they are and how they work. Enable them if they aren’t already on.
- Many ISPs can help with DDoS mitigation and prevention by blocking traffic to or from specific Internet hosts. Check with your ISP to learn about the options.
- Taking hosts offline or moving them to disaster recovery facilities can mitigate issues. In addition, you can shed certain services that are being attacked to protect the services that aren’t under attack. That will require triaging your services and knowing which ones are the most important.
4. Plan Your Defenses.
Take steps to better defend your company against DDoS attacks. Among them:
- Implement a routing protocol like Border Gateway Protocol (BGP), so you can block or re-route traffic yourself. This will allow you to send routing information to your service provider dynamically and have more control over the situation.
- Use firewalls and intrusion detection systems to monitor and analyze network traffic; use anti-virus solutions to curb malware infections; and use load balancing and redundancy to help maintain availability.
- Tap the expertise of others. Attend local ISC2 events and speak with other companies about what works and what doesn’t. Involve your network service providers in your planning, testing, and event management. Work with law enforcement, including the FBI. The InfraGard program, a partnership between the FBI and members of the private sector, provides resources to help you stay abreast of attack events and learn about emerging solutions without vendor bias.
- Move your security perimeter as far from your network as possible, into your service provider’s colocation data center, or to a security solution hosted by your provider if possible. This transfers the problem of absorbing DDoS traffic into the provider’s network.
- Move web-based services to the cloud. Most cloud services employ DDoS mitigation technologies and best practices. They also have more internet bandwidth available so they are better able to absorb larger DDoS attacks than end users can.
- Make sure you understand what your role is in defending against DDoS threats, what the service provider’s role is, and where the demarcation point is.
5. Use Security Best Practices.
Implement technical and administrative controls, as well as all appropriate security best practices such as:
- Ensuring all critical services have redundancy.
- Not exposing databases or database caching systems to the internet without first hardening them and enforcing strong access control.
- Scanning network ports and services that are open to the internet as frequently as possible.
- Prioritizing and promptly applying patches.
- Shutting down any unused ports.
- Using real-time threat intelligence feeds to alert you to bad IP addresses that should be blocked.
- Employing rate-limiting to set a predetermined threshold for requests until you can determine the reason for traffic anomalies.
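One way to implement the rate-limiting control from the last item, as an added example that is not part of the original article: a per-source sliding-window limiter that enforces a predetermined request threshold and keeps per-source allowed/throttled counts, so the anomaly can be triaged while the limit holds. The limiter class, the limit and window values, and the sample addresses are all assumptions constructed for this example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-source sliding-window limiter: at most `limit` requests per `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # source -> timestamps of requests that were allowed

    def allow(self, source, now):
        """Return True if the request from `source` at time `now` is under the threshold."""
        q = self._hits[source]
        # Discard timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over threshold: throttle this request
        q.append(now)
        return True


def apply_limits(requests, limit=5, window=10.0):
    """Run (timestamp, source) pairs through the limiter; return per-source counts."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "throttled": 0})
    for ts, src in requests:
        key = "allowed" if limiter.allow(src, ts) else "throttled"
        stats[src][key] += 1
    return dict(stats)


# Constructed sample traffic (documentation-range addresses, not real clients):
# one ordinary client requesting every 8 seconds, and one source hammering the
# service every 0.5 seconds for 20 seconds.
SAMPLE_REQUESTS = [(float(t), "198.51.100.7") for t in range(0, 40, 8)]
SAMPLE_REQUESTS += [(0.5 * i, "203.0.113.9") for i in range(40)]
SAMPLE_REQUESTS.sort()

if __name__ == "__main__":
    for src, counts in apply_limits(SAMPLE_REQUESTS).items():
        print(f"{src}: allowed={counts['allowed']} throttled={counts['throttled']}")
```

The ordinary client is never throttled, while the hammering source gets only the configured burst through per window; the throttled count per source is the signal to hand to the triage step.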
Talk to US Signal
As is the case with most IT security matters, dealing with DDoS attack prevention and mitigation can seem complex and overwhelming. It doesn’t have to be when you work with US Signal. US Signal has extensive experience in dealing with DDoS attacks and other types of cyber-threats. Our team can help your organization develop a strategy best suited to its business needs and budgetary parameters, drawing from our robust portfolio of customizable cloud solutions and security services. To learn more now, call 866.2.SIGNAL or email [email protected].