
DDoS mitigation is not a luxury

DQI Bureau

Distributed denial of service (DDoS) attacks are increasing at an alarming rate worldwide. They are not just targeted at large organizations but also at SMEs and individuals. In March 2013, a DDoS attack on Spamhaus, an organization that monitors and blacklists potentially dangerous IP addresses, was reportedly the largest attack in the recent past.


With this trend, many companies are getting worried and the need for defending their assets has risen. According to an IDC report, the global market for cyber security solutions will grow by 18.2% CAGR to reach $870 mn by 2017. Moreover, according to the same report, 25% of bot-infected computers in India were found in tier-2 cities. With organizations across sectors slowly realizing the impact of cyber threats, even the Government of India is getting more stringent regarding cyber security measures. The government in October 2012 announced its plans to invest $200 mn in the next four years to strengthen its cyber security infrastructure.

Even individuals with minimal technology skills can orchestrate DDoS attacks. Low-cost botnet rentals are advertised on the internet, with one site offering botnets capable of launching DDoS attacks of 10-100 Gbps for as little as $200 per 24 hours. While many organizations are increasingly concerned about the DDoS threat, few organizations have specific DDoS protection mechanisms in place. Those that do address DDoS often rely on approaches that lack the capacity and agility to mitigate attacks rapidly and preferably before they reach the network. To help mitigate the risk posed by DDoS attacks on businesses, here are a few best practices.

DEALING WITH DDoS


At the most basic level, successful DDoS mitigation involves knowing what to watch for and, accordingly, having your service provider create synthetic events based on system logs that indicate malicious or inappropriate internal activity. Develop a centralized monitoring capability that lets you see your entire network and its traffic patterns in one place; limit traffic oversight to a small team so that oversight stays consistent and continuous. To establish a baseline for normal traffic entering your organization, know what types of traffic come in (eg, SMTP, HTTP, and HTTPS), when (eg, every Friday, early morning, the first of each month), from where, and how much. Maintain a rolling view of at least 13 months of normal traffic and feed this information into a correlation engine for threat detection, alerting and reporting.

Conduct ongoing tracking and analysis of attack patterns around the world to identify and validate potential or emerging attacks. Use existing intelligence to look for pre-defined deviations (ie, signature analysis) that signal a DDoS attack.
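As an added example (not code from the article), the following Python builds the kind of baseline the two paragraphs above describe and checks a current hour against it. The flow-record format, the byte volumes, the 56-week synthetic history and the 3-sigma alert threshold are all constructed assumptions; the baseline is keyed by protocol, weekday and hour, and only records inside a rolling 13-month window (taken here as 396 days) are used:

```python
"""Traffic baseline and deviation detection over hourly flow summaries.

Added example: the record format, the volumes and the alert thresholds
are all constructed for illustration.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed "normal" hourly byte volumes for the protocol classes the
# article names; real figures come from your own flow collector.
BASE_BYTES = {"SMTP": 2_000_000, "HTTP": 50_000_000, "HTTPS": 80_000_000}
ROLLING_WINDOW = timedelta(days=396)   # roughly 13 months


def diurnal_factor(hour):
    """Business hours carry about twice the overnight volume (constructed shape)."""
    return 2.0 if 8 <= hour < 18 else 1.0


def synthetic_history(end, weeks=56, seed=1):
    """Hourly (timestamp, protocol, bytes) records for `weeks` before `end`."""
    rng = random.Random(seed)
    records = []
    ts = end - timedelta(weeks=weeks)
    while ts < end:
        for proto, base in BASE_BYTES.items():
            volume = base * diurnal_factor(ts.hour) * rng.uniform(0.9, 1.1)
            records.append((ts, proto, int(volume)))
        ts += timedelta(hours=1)
    return records


def slot(ts, proto):
    """Baseline key covering the 'what' and 'when' dimensions: (protocol, weekday, hour)."""
    return (proto, ts.weekday(), ts.hour)


def build_baseline(records, now, window=ROLLING_WINDOW):
    """Mean and stddev of volume per slot, using only records inside the rolling window."""
    samples = defaultdict(list)
    for ts, proto, volume in records:
        if now - window <= ts < now:
            samples[slot(ts, proto)].append(volume)
    return {k: (mean(v), pstdev(v), len(v)) for k, v in samples.items()}


def detect_deviations(baseline, current, k=3.0, min_samples=4):
    """Flag current records whose volume exceeds mean + k*stddev for their slot.

    The stddev is floored at 5% of the mean so a very flat history does not
    produce a hair-trigger threshold; slots with no usable baseline are
    reported too, because traffic you have never profiled is itself a finding.
    """
    alerts = []
    for ts, proto, volume in current:
        key = slot(ts, proto)
        if key not in baseline or baseline[key][2] < min_samples:
            alerts.append({"protocol": proto, "at": ts, "bytes": volume,
                           "reason": "no usable baseline for this slot"})
            continue
        mu, sigma, _ = baseline[key]
        threshold = mu + k * max(sigma, 0.05 * mu)
        if volume > threshold:
            alerts.append({"protocol": proto, "at": ts, "bytes": volume,
                           "reason": f"{volume / mu:.1f}x the slot mean "
                                     f"(threshold {int(threshold)} bytes)"})
    return alerts


def example_alerts():
    """Constructed scenario: a Friday 09:00 hour with SMTP and HTTPS at normal
    levels, HTTP at roughly ten times normal, and a never-profiled protocol."""
    now = datetime(2013, 6, 7, 9, 0)
    baseline = build_baseline(synthetic_history(now), now)
    current = [(now, "SMTP", 4_000_000), (now, "HTTPS", 168_000_000),
               (now, "HTTP", 1_000_000_000), (now, "DNS", 3_000_000)]
    return detect_deviations(baseline, current)


if __name__ == "__main__":
    for alert in example_alerts():
        print(alert)
```

Adding the source network or ASN to the slot key gives the "from where" dimension the article asks for; the cost is more slots with fewer samples each, which is why the example refuses to judge a slot with fewer than `min_samples` observations.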

THE FOUR-PRONGED STRATEGY


DDoS can be managed only with a clear, well-defined strategy. If you are a CISO or the person in charge of managing the security side of your enterprise's digital backbone, here are some pointers that might help you deal with DDoS more proactively.


DEFINE A CLEAR ESCALATION PATH


Take into account internal infrastructure, services, and applications as well as the resources of customers and partners that may be impacted. If necessary, craft individual standard operating procedures (SOPs) to address specific types of attacks or specific types of resources being attacked. Review SOPs on a regular basis and conduct periodic 'fire drills' to make sure SOPs are up to date and functioning properly.

Make sure that DDoS mitigation, as it relates to business continuity, is a universal goal. Identify functional silos and areas of overlapping ownership or responsibility. Prepare for downtime and understand which systems are vital to your business, and then develop and test contingency plans for short-term (eg, 1 hour), medium-term (eg, 24 hours), and long-term (eg, multiple-day) network or service outages.

USE LAYERED FILTERING


The goal of DDoS mitigation is to exclude only unwanted traffic while allowing legitimate traffic to enter the network with minimal delay. The most effective means to accomplish this is to use a multi-layered verification process that employs all the practices mentioned here. Filter traffic in layers and inspect incoming packets using signature analysis, dynamic profiling (based on monitoring and analysis of normal behavior), anti-spoofing algorithms, and other technology to progressively filter harmful traffic upstream of the network. Ideally, legitimate traffic should continue to route through the network with little to no impact on end-users, even during a large attack.
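The layered approach above, as an added example written for this page rather than code from the article: each packet passes an anti-spoofing check, then a signature check, then a per-source rate profile, and the pipeline reports how many packets each layer shed. The address plan (198.51.100.0/24 as the protected prefix), the open-service list, the two signatures, the token-bucket rate and the packet records are all constructed assumptions:

```python
"""Layered filtering of inbound packets: anti-spoofing, then signatures,
then a per-source rate profile.

Added example: the address plan, signatures, rate profile and packet
records are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed address plan for the protected network.
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
OPEN_SERVICES = {("TCP", 25), ("TCP", 80), ("TCP", 443)}
# Non-routable source ranges (RFC 1918, loopback, link-local, multicast,
# reserved); a production list would come from a maintained bogon feed.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# UDP service ports commonly abused as reflectors: a large reply from one
# of these that nobody inside asked for is treated as a signature hit.
REFLECTOR_PORTS = {19, 53, 123, 1900}


def anti_spoof(pkt):
    """Layer 1: source-address plausibility; returns a drop reason or None."""
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in BOGONS):
        return "bogon-source"
    if any(src in net for net in OUR_PREFIXES):
        return "own-prefix-arriving-from-outside"
    return None


SIGNATURES = [
    ("syn-to-closed-port", lambda p: p["proto"] == "TCP" and p["flags"] == "S"
     and ("TCP", p["dport"]) not in OPEN_SERVICES),
    ("unsolicited-reflector-reply", lambda p: p["proto"] == "UDP"
     and p["sport"] in REFLECTOR_PORTS and p["length"] > 512),
]


def signature_check(pkt):
    """Layer 2: known bad patterns; returns the first matching signature name or None."""
    for name, matches in SIGNATURES:
        if matches(pkt):
            return name
    return None


class SourceProfile:
    """Layer 3: one token bucket per source, sized from the normal-behaviour profile.

    `rate` tokens refill per second up to `burst`; a source exceeding what
    profiling says is normal is shed without affecting other sources.
    """

    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}

    def allow(self, src, now):
        elapsed = now - self.last_seen.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last_seen[src] = now
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False


def filter_pipeline(packets, profile=None):
    """Run each packet through the layers in order; return (passed, drop counts by reason)."""
    profile = profile or SourceProfile()
    passed, dropped = [], defaultdict(int)
    for pkt in packets:
        reason = anti_spoof(pkt) or signature_check(pkt)
        if reason is None and not profile.allow(pkt["src"], pkt["t"]):
            reason = "rate-above-profile"
        if reason:
            dropped[reason] += 1
        else:
            passed.append(pkt)
    return passed, dict(dropped)


def packet(t, src, sport, dport, proto="TCP", flags="S", length=60):
    """Constructed packet record; `t` is seconds since the start of the capture."""
    return {"t": t, "src": src, "sport": sport, "dst": "198.51.100.10",
            "dport": dport, "proto": proto, "flags": flags, "length": length}


def example_run():
    """Constructed mix: one packet per bad category, a 50-packet burst from one
    source, and three normally paced requests from a legitimate client."""
    packets = [
        packet(0.0, "10.0.0.9", 40000, 443),                     # spoofed private source
        packet(0.0, "198.51.100.77", 40001, 80),                 # our own prefix, from outside
        packet(0.0, "203.0.113.8", 41000, 8080),                 # SYN to a port we do not serve
        packet(0.0, "203.0.113.9", 53, 33000, "UDP", "", 1400),  # large unsolicited DNS-port reply
    ]
    packets += [packet(0.0, "203.0.113.5", 42000 + i, 443) for i in range(50)]
    packets += [packet(0.5 * i, "192.0.2.44", 50000 + i, 443) for i in range(3)]
    return filter_pipeline(packets)


if __name__ == "__main__":
    passed, dropped = example_run()
    print(len(passed), "passed;", dropped)
```

The cheap, stateless layers run first so that spoofed and signature-matched packets never consume state in the per-source profile; the legitimate client's three requests pass untouched even while the burst source is being shed, which is the "little to no impact on end-users" property the section asks for.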

BUILD SCALABILITY AND FLEXIBILITY

To make sure systems will function properly under attack, organizations must have a highly scalable and flexible infrastructure. On-demand capacity includes bandwidth as well as the hardware processing power and scalability required to process the traffic load traveling over the bandwidth. Over-provisioning to absorb high-magnitude attacks, for example, requires significant expenditures for extra bandwidth that may be needed rarely, if ever, with no guarantee that the over-provisioned amount will suffice in today's environment. To protect against known vulnerabilities in any single vendor's DDoS mitigation applications, source tools from a variety of vendors and use a distributed model to create and maintain redundancy for high-value applications and services.

ADDRESS APPLICATION AND CONFIGURATION ISSUES

DDoS attacks have evolved from brute-force attacks at the network layer to more sophisticated, harder-to-detect attacks at the application layer. Attackers can learn the acceptable threshold of activity for an individual application and then sneak in as an imperceptible increase in network traffic. In the overall context of the network, the increased traffic is not an issue, but if the targeted application has a low tolerance for high-volume traffic, the attack can take down the application. Know what each application does, how often it is used, what each application request looks like, and what the normal transaction levels are for each application-critical component. Determine the traffic threshold at which an application becomes flooded. DDoS attacks are not just a threat to large organizations but a threat to the internet as a whole.
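As an added example (not code from the article), the Python below shows why a per-application threshold catches what a network-wide view misses: it parses a constructed access log, computes the request rate for each application, and compares each against that application's own normal and flood levels. The log format, the three applications, their capacity figures and the aggregate edge limit are all constructed assumptions:

```python
"""Per-application request thresholds checked against a constructed access log.

Added example: the log format, application profiles and capacity figures
are all constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed profile: the rate (req/s) each component normally serves and the
# rate at which load testing showed it saturates. The report generator
# tolerates far less than the static front end.
APP_PROFILE = {
    "static":  {"prefix": "/static/",  "normal_rps": 400, "flood_rps": 3000},
    "catalog": {"prefix": "/catalog/", "normal_rps": 120, "flood_rps": 900},
    "report":  {"prefix": "/report/",  "normal_rps": 2,   "flood_rps": 8},
}
EDGE_RPS_LIMIT = 5000   # aggregate rate at which network-level monitoring would react (constructed)


def app_for(path):
    """Map a request path to the application that serves it."""
    for app, prof in APP_PROFILE.items():
        if path.startswith(prof["prefix"]):
            return app
    return "other"


def parse_line(line):
    """Constructed access-log line: '<ISO8601 UTC timestamp> <METHOD> <path> <status>'."""
    ts, _method, path, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), path


def assess(lines):
    """Request rate per application over the span of the log, judged against its own thresholds."""
    counts, first, last = Counter(), None, None
    for line in lines:
        ts, path = parse_line(line)
        counts[app_for(path)] += 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    # Timestamps have one-second resolution, so the span is inclusive of both ends.
    span = (last - first).total_seconds() + 1
    report = {}
    for app, prof in APP_PROFILE.items():
        rps = counts[app] / span
        if rps >= prof["flood_rps"]:
            status = "flooded"
        elif rps > 2 * prof["normal_rps"]:
            status = "elevated"
        else:
            status = "normal"
        report[app] = {"rps": rps, "status": status}
    total = sum(counts.values()) / span
    report["_aggregate"] = {"rps": total,
                            "status": "flooded" if total >= EDGE_RPS_LIMIT else "normal"}
    return report


def constructed_log(seconds=10, per_second=None):
    """Ten seconds of constructed traffic: the front end and catalog at normal
    levels, the report generator at six times its normal rate."""
    per_second = per_second or {"static": 300, "catalog": 100, "report": 12}
    lines = []
    for sec in range(seconds):
        for app, n in per_second.items():
            prefix = APP_PROFILE[app]["prefix"]
            lines.extend(f"2013-06-07T09:00:{sec:02d}Z GET {prefix}item{i} 200"
                         for i in range(n))
    return lines


if __name__ == "__main__":
    for name, result in assess(constructed_log()).items():
        print(f"{name:10s} {result['rps']:8.1f} req/s  {result['status']}")
```

In the constructed run the whole site receives about 412 requests per second, well under the 5,000 at which the edge would notice anything, yet the report generator is past the 8 requests per second at which it saturates; only the per-application comparison exposes that.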
