A distributed denial of service (DDoS) attack is a malicious attempt to make machines, applications or other network services unavailable to legitimate users. There are many types of DDoS attacks, including SYN and UDP floods, reflected attacks, application-layer attacks and multi-vector attacks that employ several of these in combination. In the past, it was typical for businesses to accept the risk of DDoS attacks since they were relatively rare and small in scale. That has all changed in recent years; both the number and the scale of DDoS attacks have increased dramatically. Because of this trend, many savvy businesses have changed their philosophies and taken steps to mitigate DDoS attacks. Unfortunately, this change is far from universal. Many businesses remain complacent and have done little or nothing to prepare for DDoS attacks. Is your business one of these, and if so, what should you do about it?
The first step I recommend taking is to perform a basic risk and impact study on the subject: how likely is it that my business will be attacked, and if it is, how badly will it hurt us? If the answer to either of these questions is unacceptable, then you should certainly move on to step two and start the process of incorporating DDoS into the incident response plan. In a nutshell – develop the policy language, include likely DDoS attack indicators and attack scenarios in the plan, develop specific strategies to counter these attacks, assign responsibilities to specific individuals and practice the plan. That sounds easy, you may say, but how do we actually go about it? Here are some basic tips:
• Contact your ISP. Get their advice, find out about their experience and capabilities with DDoS attacks, find out about any anti-DDoS tools they might have available and their cost, etc. If you don’t do anything else, at least take this step. You probably won’t be able to do much at all to counter a DDoS attack without your ISP’s help.
• Ensure that your team is fully aware of all the capabilities your present equipment and infrastructure has for handling DDoS attacks.
• Ensure that your IR and IT teams are aware that DDoS attacks are sometimes persistent and can last for days, weeks or more. Make plans for keeping your reactions strong and timely.
• Employ centralized logging and ensure that proper monitoring procedures are in place and reviewed.
• Make sure you maintain a whitelist of source IPs and protocols, major customers, critical service providers and partners that must be allowed access during attacks.
• If you are at high risk and impact levels for DDoS attacks, consider improving your infrastructure and/or employing specialized DDoS services or products. Cloud-based services, for example, have great capabilities for absorbing and filtering DDoS traffic.
• Ensure that applications, networks and operating systems that may be targeted in DDoS attacks are fully hardened.
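The logging, monitoring and whitelist tips above come together in the kind of check a monitoring team can run over centralized logs. The following is an added example, not code from the original post: it reads constructed access-log lines in an assumed "timestamp source_ip method path status" format, flags any source whose request count within a sliding window reaches a threshold (a basic flood indicator for the IR plan), and reports whitelisted partner prefixes separately so they are never blocked by mistake. The addresses, prefixes, window and threshold are all assumed sample values.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of centralized access-log lines (hypothetical format:
# "<ISO timestamp> <source_ip> <method> <path> <status>"); addresses are
# taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{s:02d} 203.0.113.7 GET /login 200" for s in range(8)]
    + [f"2024-05-01T10:00:{s:02d} 198.51.100.20 GET /api/orders 200" for s in range(8)]
    + ["2024-05-01T10:00:03 192.0.2.5 GET / 200",
       "2024-05-01T10:00:09 192.0.2.5 GET /about 200"]
)

# Whitelist of partner/customer prefixes that must stay reachable (assumed value).
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line):
    """Return (timestamp, source_ip) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1])
    except ValueError:
        return None


def is_whitelisted(ip, whitelist=WHITELIST):
    return any(ip in net for net in whitelist)


def find_flood_sources(log_text, window_seconds=10, threshold=5, whitelist=WHITELIST):
    """Return ({flagged_ip: peak requests in one window}, [whitelisted ips
    that also exceeded the threshold]) for the given log text."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])          # centralized logs can arrive out of order
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)               # ip -> timestamps still inside the window
    flagged, exempt = {}, set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:             # discard timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            if is_whitelisted(ip, whitelist):
                exempt.add(str(ip))           # report, but never block, a whitelisted source
            else:
                flagged[str(ip)] = max(flagged.get(str(ip), 0), len(q))
    return flagged, sorted(exempt)
```

Running `find_flood_sources(SAMPLE_LOG)` on the sample flags 203.0.113.7 (8 requests in 10 seconds) while listing 198.51.100.20 as whitelisted rather than blockable; tune the window and threshold to your own baseline traffic before using it as an indicator.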
Here’s hoping that no one out there targets your business with a major DDoS campaign. But if you think the possibility is high, you had better take a tip from the Boy Scouts and be prepared!