DDos got you? Go on the offensive

The threat posed by distributed denial of service (DDoS) attacks is ever-growing and is something that continues to be a topic which interests and concerns businesses in equal measure. MARTIN WALSHAW outlines 10 steps on fighting these attacks.

In a typical DDoS attack, a cybercriminal finds and exploits vulnerability on the system he wishes to attack, such as an online store. He instructs this ‚Äòattack master’ to infect other system elements with malware, which then “gang up” on the specified target. The hacked machines flood the target with traffic, which overwhelm the system and force it to shut down, denying access to the system by intended users. The online store is unable to trade while the attack is ongoing.

As the lines between the professional and social use of technology fade, it is even more important for us to recognise the significance of this type of attack, their probability and the damage they can do.

Furthermore, the decreasing number of bots now available means that hactivists and other cybercriminals are finding new ways in which to amplify their attacks and, as a result, DDoS attacks are becoming a more popular vector.

To the uninitiated, the nature of a DDoS attack can be a scary, stressful ordeal. It’s not surprising either: slow network performance or website downtime can be costly for businesses such banks, which are typically targeted with attacks like this. However, try not to panic. The IT department or tech guys should follow these steps to maximise success in fighting an attack:

1.tVerify that there is an attack – Rule out common causes of an outage, such as domain name system (DNS) misconfiguration, upstream routing issues and human error.

2.tContact your team leads – Gather the operations and applications team leads who need to verify which areas are being attacked and to officially confirm the attack. Make sure everyone agrees on which areas are affected.

3.tPrioritise your applications – Make decisions to keep your high-value apps alive. When you’re under an intense DDoS attack and you have limited resources, focus on protecting revenue generators.

4.tProtect remote users – Keep your business running: Whitelist the IP addresses of trusted remote users that require access and mainlist this list. Addresses that appear on a whitelist are essentially immune to email blocking programs – all messages from these addresses will be allowed through the firewall and will not be marked as spam. Populate the list throughout the network and with service providers as needed.

5.tClassify the attack – What type of attack is it: Volumetric, with a high amount of traffic coming in to your system or is it slow and low, causing your performance to drag? Your service provider will tell you if the attack is solely volumetric and may already have taken remediation steps.

6.tEvaluate source address mitigation options – For advanced attacks that your service provider can’t manage it is best to block small lists of attacking IP addresses at your firewall. Block larger attacks with geolocation, so if one of the addresses ends on ‚Äòco.uk’, you can blog all mail coming from this area.

7.tMitigate application layer attacks – Identify the malicious traffic and whether it’s generated by a known attack tool. Specific application-layer attacks can be mitigated on a case-by-case basis with specific responses, which may be provided by your existing solutions provider.

8.tLeverage your security perimeter – Still experiencing issues? Focus on your application-level defences: login walls, human detection, or Real Browser Enforcement.

9.tConstrain Resources – If previous steps fail, simply constraining resources, like rate and connection limit is a last resort – it can turn away both good and bad traffic. Instead, you may want to disable or blacklist an application.

10.tManage public relations – If the attack becomes public, prepare a statement and notify internal staff. If industry policies allow it, be forthright and admit you’re being attacked. If not, cite technical challenges and advise staff to direct all inquiries to the PR manager.

With the growth of the internet and the fast-developing digital era that we’re entering, the DDoS threat has never been greater. As the threats increase, and as more sophisticated attacks take place, it’s important to increase awareness and understanding and put necessary steps, like these, in place to protect against them.

* Martin Walshaw is a senior engineer at F5 Networks

* Follow Gadget on Twitter on @GadgetZA