For DDoS, Hope is NOT a Strategy!
By Jon Murphy, GVP-IT Security, Ocwen Financial Corporation
DDoS has become so pervasive, even in corporate boardrooms, that the business magazine Forbes ran a primer on the subject in March of 2017. Distributed Denial of Service (DDoS) attacks are on the rise and NOT run of the mill anymore! Before we get started on further discussion of these pernicious attacks, let’s level set with some definitions. From an Information Technology perspective, a denial-of-service attack (DoS attack) is a cyber-attack where the bad actors seek to make a system, website, application, or network resource unavailable for its intended purposes by disrupting the related services (temporarily or indefinitely) on a host connected to the Internet. Related but worse, DDoS is a type of DoS attack where multiple compromised systems (often from around the globe) are used to target a single system, website, application, or network and prevent its legitimate traffic from getting through. Think of a DDoS attack as mobs of anti-Capitalist hooligans, coming from all directions, pell-mell charging all the doors to a business and not letting legitimate customers enter, thereby disrupting “business as usual”.
A 2016 study from Kaspersky and B2B International, conducted before last year’s infamous Dyn attack, reported that a single DDoS attack can cost a company between $52,000 and $444,000! These costs comprise what it takes to stop the DDoS attack and/or to pay the ransom that is demanded for it to end. However, the cost range estimate above does not include the costs of industry reputation damage and the loss of customer confidence. I mentioned pervasive before, and to punch that point home, consider that according to a 2016 statement by the Department of Homeland Security, the scale of these attacks has increased tenfold over the past five years!
The bad actors are rapidly evolving their techniques, and this makes it difficult to identify the best defense against them. For instance, a highly sophisticated Layer 7 DDoS attack (Layer 7 of the Open Systems Interconnection, or OSI, network model) may target just specific areas of a website, making it even more difficult to separate from normal traffic. Consider that a Layer 7 DDoS attack might target a specific website element only (e.g., company logo or a unique page graphic) to consume resources every time it is downloaded, with the intent to exhaust the server. Additionally, some attackers may use Layer 7 DDoS attacks as diversionary tactics while other exploits exfiltrate sensitive information or install ransomware, all while your IT staff are consumed fighting the DDoS attack.
While bad actors conducting DDoS attacks often target sites or services hosted on high-profile web servers such as e-tailers, banks, or credit card payment gateways, any organization can be hit. Motivation runs the gamut from activism and revenge to blackmail/extortion and terrorism. Worse still, as technology advances, so do the many ways to launch a DDoS attack. Out on the dark web there are freely available network stressors and DDoS tools that can be acquired, configured, and controlled via botnets and other command and control tools. More advanced tools include nation state-backed “Internet Cannons” that weaponize valid Internet user traffic by rewriting HTTP requests to flood targeted websites.
Since DDoS attacks can be extremely complex, there is a need for multiple layers of defense in depth to be able to keep up with the latest threats. While you can hope you are not targeted, that is not a sound strategy. You should proceed as if you will be targeted or hit and take proactive steps now. So, with defense in depth in mind, let’s talk about 10 of those proactive steps, as a combination of strategy and tactics that you could take in advance.
1. Take assessment – objectively and honestly determine your strengths, gaps, vulnerabilities, and threats; hire a qualified 3rd party if necessary
2. Adopt a framework – this is the foundation of your entire enterprise-level security program and the DDoS protections within it; NIST, ISO, SANS – pick one
3. Incident response plan – create and regularly practice an all-hazards plan with a crisis communication plan built in
4. Solid router and firewall configs – look to expert advice from the OEM and to solid “hardening standards”
5. Traffic threshold monitoring – find out what “normal” amounts of traffic to your sites look like and then create a threshold to alert on
6. Cloud-based DDoS defense systems – lots of great vendors; check the think tanks for ratings and ask other colleagues for their experiences
7. Enhanced DNS protection services – same as above; the best spot and stop trouble before it ever gets close to your network
8. IDS/IPS – use next-generation firewalls with built-in intrusion detection and prevention (IDS/IPS) coupled with Border Gateway Protocol (BGP) to stop DDoS attacks
9. WAF – a web application firewall (WAF) acts like an anti-malware tool that blocks malicious attacks on your website(s). It sits above your application at the network level to provide protection before the attacks reach your server. As a bonus, using a WAF not only protects you against DDoS attacks, but also generally improves application performance and enhances user experience.
10. Upstream filtering – provided by your ISP, includes reputation-based blocking – a feature called Unicast Reverse-Path Forwarding to silently drop, or “blackhole”, the bad traffic
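To make step 5 concrete, here is an added Python example (not part of the original article) that learns a “normal” requests-per-minute baseline and alerts on a sustained breach, both site-wide and per URL, so it also covers the Layer 7 case described earlier where only one page element is hit. The paths, the request counts, and the median-plus-MAD threshold rule are assumptions chosen for the illustration.

```python
import statistics

def threshold(baseline, k=5.0, floor=10):
    """Alert threshold = median + k * MAD of the baseline window (robust to old spikes)."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline)
    return med + k * max(mad, floor)  # floor keeps the band from collapsing on flat traffic

def sustained_breaches(series, limit, sustain=3):
    """Start indexes of runs where the series stays above limit for `sustain` minutes."""
    starts, run = [], 0
    for i, value in enumerate(series):
        run = run + 1 if value > limit else 0
        if run == sustain:
            starts.append(i - sustain + 1)
    return starts

def detect(counts, baseline_minutes, k=5.0, sustain=3):
    """counts: {path: [requests per minute]}. Learns one threshold per path plus a
    site-wide one from the first `baseline_minutes`, then checks the remainder."""
    series = dict(counts)
    series["<site total>"] = [sum(col) for col in zip(*counts.values())]
    alerts = {}
    for name, values in series.items():
        limit = threshold(values[:baseline_minutes], k)
        hits = sustained_breaches(values[baseline_minutes:], limit, sustain)
        if hits:
            alerts[name] = {"limit": limit, "first_minute": baseline_minutes + hits[0]}
    return alerts

# Constructed sample: 20 quiet minutes, then 5 minutes in which only the logo is hammered.
WOBBLE = [0, 150, -150, 300, -300]  # constructed minute-to-minute variation
SAMPLE = {
    "/index.html":   [1000 + WOBBLE[i % 5] for i in range(25)],
    "/img/logo.png": [40 + (i % 3) for i in range(20)] + [400] * 5,
}

if __name__ == "__main__":
    for name, info in detect(SAMPLE, baseline_minutes=20).items():
        print(f"ALERT {name}: above {info['limit']:.0f} req/min "
              f"from minute {info['first_minute']}")
```

In this constructed data the site-wide total never crosses its own threshold, because the tenfold jump on the logo hides inside normal page-view variation; only the per-path baseline raises the alert.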
With forethought and planning, you don’t have to rely on hope when it comes to dealing with DDoS.