According to a study by Akamai Technologies, distributed denial of service (DDoS) attacks increased by 138% in 2016. If that wasn’t alarming enough, Deloitte Global predicts that there will be 10 million DDoS attacks in 2017, with an average size of 1.25 Gbps to 1.5 Gbps.
With DDoS attacks increasing in size and frequency, it’s not surprising that almost every week I consult with customers that have become victims of these attempts to render online services unavailable by overwhelming them with traffic from multiple sources. No company seems immune: these customers range from small to large organizations and represent healthcare, government, insurance, manufacturing, banking, and a wide range of other industries. In most cases, I become involved to help mitigate an attack on the fly or to clean up from the fallout.
One thing I’ve observed is that once a company has suffered a DDoS attack, there is a brief organizational focus on preventing future occurrences. Then, it is back to business as usual with little or nothing done.
Part of the problem is there are not many “easy button” ways of mitigating and preventing DDoS attacks — at least that most companies can stomach. DDoS mitigation services, machine learning, and the use of huge amounts of Internet bandwidth are effective options, but they aren’t cheap.
However, there are some simple things that can be done — regardless of budget or in-house technical expertise, including these four:
Create a Risk Profile. One of the first steps in minimizing your organization’s risk of a DDoS attack is to create a risk profile. Start by answering the following questions:
Why would we be a good candidate to attack?
Are we in a high-risk industry such as online gaming, software and technology, financial services, etc.?
What do we have that someone might want?
What enemies or aggressive competitors do we have?
What activities are happening on our systems that might make us a target?
How would a DDoS attack affect our business?
What are our potential threat vectors and how should they be characterized and prioritized?
How long could we operate without the systems a DDoS attack would affect?
Develop an Incident Response Plan. An incident response plan is essential for helping your organization respond quickly if a DDoS attack occurs. To create one:
Identify what your critical systems are and understand how to tell if they are being attacked. Signs of a DDoS attack may include, but aren’t limited to: unusually slow network performance when opening files or accessing websites, the unavailability of a website, or a dramatic increase in the number of received spam emails.
Request any relevant documentation on DDoS attack mitigation and prevention from your security or firewall vendors, or managed security providers.
Compile a list of people to help in the event of an attack. Include members of your company’s executive management team, your internet service provider (ISP), internal and external information security experts, and law enforcement professionals, including the FBI.
Determine your strategies for dealing with an attack. Can you shut down services or implement your DR plan? Can your ISP block the traffic? If so, what does it need from you to make it happen?
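The incident response steps above ask you to know how to tell that a critical system is under attack. The following script is an added example, not code from the original post or from US Signal: it runs a simple request-rate check over web server access logs, flagging one-second windows in which the request count jumps well above the median window and the requests come from many distinct clients (the "multiple sources" part of a DDoS). A burst from a single client is deliberately not flagged, since that is a different problem with a different response. The log lines, IP addresses and thresholds are constructed sample data; tune the thresholds to your own baseline before using the check.

```python
"""Request-rate flood check over web access logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Common Log Format with a bracketed timestamp, e.g.
# 198.51.100.7 - - [10/Jan/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic: a few normal seconds, one malformed line,
# a 15-source flood at 10:00:05 and a single-client burst at 10:00:07.
NORMAL_LINES = [
    '198.51.100.7 - - [10/Jan/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jan/2017:10:00:01 +0000] "GET /about HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Jan/2017:10:00:02 +0000] "GET /css/site.css HTTP/1.1" 200 300',
    '198.51.100.12 - - [10/Jan/2017:10:00:03 +0000] "GET /login HTTP/1.1" 200 700',
    '198.51.100.9 - - [10/Jan/2017:10:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Jan/2017:10:00:04 +0000] "GET /account HTTP/1.1" 200 900',
    'this line is garbage and should be skipped',
]
FLOOD_LINES = [
    f'203.0.113.{n} - - [10/Jan/2017:10:00:05 +0000] "GET / HTTP/1.1" 200 512'
    for n in range(1, 16)
]
SINGLE_SOURCE_BURST = [
    '198.51.100.40 - - [10/Jan/2017:10:00:07 +0000] "GET /search?q=x HTTP/1.1" 200 2048'
] * 12
SAMPLE_LOG = NORMAL_LINES + FLOOD_LINES + SINGLE_SOURCE_BURST


def parse_line(line):
    """Return (client_ip, unix_second) or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), int(ts.timestamp())


def bucket_by_window(lines, window=1):
    """Group client IPs into fixed-size time windows keyed by window start."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, second = parsed
        buckets[(second // window) * window].append(ip)
    return buckets


def detect_floods(lines, window=1, rate_factor=5.0, min_sources=10):
    """Flag windows with >= rate_factor x the median request count that also
    come from at least min_sources distinct clients.

    Returns a list of (window_start, request_count, distinct_sources).
    The median baseline assumes the log covers mostly normal traffic; on a
    log that is all flood, compare against a stored baseline instead.
    """
    buckets = bucket_by_window(lines, window)
    if not buckets:
        return []
    counts = {start: len(ips) for start, ips in buckets.items()}
    baseline = statistics.median(counts.values())
    flagged = []
    for start in sorted(buckets):
        distinct = len(set(buckets[start]))
        if counts[start] >= rate_factor * baseline and distinct >= min_sources:
            flagged.append((start, counts[start], distinct))
    return flagged


if __name__ == "__main__":
    for start, count, sources in detect_floods(SAMPLE_LOG):
        when = datetime.utcfromtimestamp(start).strftime("%H:%M:%S")
        print(f"{when}: {count} requests from {sources} distinct clients")
```

On the constructed data this flags only the 10:00:05 window (15 requests from 15 clients); the 12-request burst at 10:00:07 from one address exceeds the rate threshold but fails the distinct-source test, which is the distinction that decides whether the ISP blocking step or a single-host block is the right response.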
Employ Your Existing Security Capabilities. Chances are you already have DDoS mitigation and prevention capabilities or access to them via a provider. Take time to understand what you have, what you can do, and what others can do for you.
The security appliances you currently use may have features to assist with DDoS detection and prevention. Know what they are and how they work. Enable them if they aren’t already on.
Many ISPs can help with DDoS mitigation and prevention by blocking traffic to or from specific Internet hosts. Check with your ISP to learn about the options.
Taking hosts offline or moving them to disaster recovery facilities can mitigate issues. In addition, you can shed certain services that are being attacked to protect the services that aren’t under attack. That will require triaging your services and knowing which ones are the most important.
Plan Your Defense. Take steps to better defend your company against DDoS attacks. Among them:
Implement a routing protocol like Border Gateway Protocol (BGP), so you can block or re-route traffic yourself. This will allow you to send routing information to your service provider dynamically and have more control over the situation.
Tap the expertise of others. Attend local ISC2 events and speak with other companies about what works and what doesn’t. Involve your network service providers in your planning, testing, and event management. Work with law enforcement, including the FBI. The InfraGard program, a partnership between the FBI and members of the private sector, provides resources to help you stay abreast of attack events and learn about emerging solutions without vendor bias.
Move your security perimeter as far from your network as possible, into your service provider’s colocation data center or to a security solution hosted by your provider if possible. This transfers the problem of DDoS attacks into the provider’s network.
Move web-based services to the cloud. Most cloud services employ DDoS mitigation technologies and best practices. They also have more internet bandwidth available so they are better able to absorb larger DDoS attacks than end users can.
Make sure you understand what your role is in defending against DDoS threats, what the service provider’s role is, and where the demarcation point is. I like to use the following matrix to determine if all areas are addressed and who is responsible.
DDoS prevention can be a complicated, expensive endeavor. It doesn’t have to be when you work with US Signal. US Signal has extensive experience in dealing with DDoS attacks. Our team can help your company develop a strategy best suited to its business needs and budgetary parameters, drawing from our robust portfolio of customizable cloud and colocation solutions, data protection services, and network services. To learn more now, call 866.2.SIGNAL or email [email protected].