How to Prepare for a DDoS Attack

With much of today’s commercial activity conducted via the Internet, it’s no wonder that corporate entities find themselves the target of assault by online intruders.

Cyber-attacks are now an accepted part of life – and it’s up to administrators and security officers to establish how best to prepare and defend their organisations against them.

DDoS? 

Distributed Denial of Service or DDoS describes an attempt by malicious attackers to render a single computer, website, network server, or other network resource inaccessible to its subscribed or intended users. A DDoS attack generally involves an attempt to disrupt or disable the services provided by a host connected to the Net.

Distinct from other types of cyber assault, a DDoS attack targets the limitations of an IT system: finite bandwidth, connection tables, CPU and memory. Large organisations may be attacked using tools which are freely available and easy to use.

A DDoS attack is typically launched from a multitude of compromised host computers, or zombies. A group of zombies forms a botnet, which in turn is administered by a host known as the command and control server. Sustaining a flood is resource-intensive, and that’s why the attack is spread (Distributed) across an army of zombies rather than launched from a single machine.

Know Your Enemy

Some operating systems actually include tools (like ping, which can be driven to flood a target with ICMP echo requests) that can be used to mount a denial-of-service attack. Others (like HOIC or LOIC) may be freely downloaded from the Web. There’s a thriving black market in these weapons, including botnet-as-a-service and rent-a-botnet.

One class of attack seeks to exhaust your network bandwidth, denying access to your services by legitimate users, who are squeezed out of the traffic flow. Another approach uses a very high rate of small packets to target a host, overwhelming its CPU and connection-tracking tables with the work of processing each one, even when the total bandwidth consumed is modest.

An older school of assault looks to bring down a network by targeting a specific device, such as a router or firewall, and overloading its memory or state tables.

Such direct attacks may cause relatively moderate damage, as the attacking hosts consume their own resources to stage them. Where the zombies send traffic from their own public IP addresses, they can be readily identified and filtered; where the source addresses are spoofed, attribution is harder and the traffic can only be filtered on other characteristics.

Indirect attacks amplify the effect of malicious zombies by sending requests with a forged source address (the victim’s) to third-party hosts, which reflect, and often magnify, the responses towards the victim, masking the identity of the true attacker. Often the intermediate hosts are ordinary Internet servers, such as open DNS resolvers or NTP servers, whose services are abused for this purpose.

Know Their Motives

 Broadly, a DDoS attack may be motivated by any of the following:

  • A revenge attack, for perceived or real offences.
  • As a vehicle for blackmail or extortion.
  • For political purposes, as in the numerous cases allegedly instigated by governments or state-sponsored agencies.
  • To gain a competitive edge over rivals.
  • As a distraction for other crimes being committed at the same time.
  • As a form of “popular” protest, or “hacktivism”.

Know Your Weaknesses

Establish early on which are the most vulnerable aspects of your operation. Is it your website? Or the company intranet? Your email server?

Harden the configurations of your OS, network settings, and applications by disabling unneeded software and services, and by tuning the limits a flood will exhaust first (listen backlogs, connection and request timeouts, per-client rate limits). Make a hot list of crucial services that should be kept going during an attack.

Have a look at your endpoint and network security measures, and beef them up if necessary. Consider improved firewall protection, or devices to detect and prevent malicious intrusions. Specialist DDoS software solutions from reputable third-party manufacturers may be an option, but bear in mind that an on-premises device can only filter traffic that has already reached your connection.

Stay in the Loop

It’s not enough to review your DDoS response strategy every 16 months (as a survey by BT of leading IT companies suggests is the norm). New threats emerge daily, so read the blogs, join discussion forums, and study the trade literature to keep abreast of which industries are the current prime targets, who’s targeting them, and the methods they use.

Ask for More

It may cause groans in the Finance department, but seriously consider paying upfront for additional network capacity, to give yourself a margin of error in case an attack puts unwarranted strain on your computing resources or bandwidth.

During a DDoS attack, your website or online resource may experience loads in excess of 10 to 20 times its peak capacity, so this cushion will help absorb smaller floods and buy time to respond. It will not, on its own, withstand a volumetric attack that saturates your upstream links; that traffic has to be filtered before it reaches your connection (see Ask for Help, below).

Know What’s Normal – And What’s Not

 DDoS attacks may be complex – so it’s important to know what constitutes abnormal behaviour which might indicate an assault on your system.

Monitor your network, and collect information on aspects such as:

  • The bandwidth going into and out of all your peering links, network circuits, etc.
  • Memory usage, network and disk I/O, and CPU consumption on critical servers.
  • The IP addresses and ports of the most frequently used resources and Web destinations.
  • The most popular URLs requested during normal operations – and those currently being asked for.

Assemble these observations and metrics at a central logging point, where they can be viewed at a single glance. Keep a baseline of normal values for each; it is the deviation from that baseline, rather than any absolute figure, that reveals an attack. This will help in spotting trends, and in locating and identifying the source and methodology of a potential attack.
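The baseline-versus-current comparison described above, as an added example that is not part of the original article: it parses web-server access log lines, summarises a baseline period (request rate, sources, URLs), and reports which indicators fire for a later window. The log lines are constructed inline (not captured traffic), and the thresholds (`rate_factor`, `unseen_source_share`, `top_url_share`) are assumptions to be tuned against your own baseline.

```python
"""Baseline-versus-window check over web access logs.

Added example, not code from the original article. The log lines are
constructed below (sample data, not real traffic) and the thresholds
are assumptions that must be tuned against your own baseline.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "common" log format, e.g.
# 10.0.0.1 - - [10/Oct/2023:13:55:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "url": m.group("url"),
            "status": int(m.group("status"))}


def summarise(lines):
    """Requests per second plus per-source and per-URL counts for a batch of lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    if not events:
        return {"rps": 0.0, "ips": Counter(), "urls": Counter(), "count": 0}
    stamps = [e["ts"] for e in events]
    span = max((max(stamps) - min(stamps)).total_seconds(), 1.0)  # a sub-second burst counts as 1 s
    return {"rps": len(events) / span,
            "ips": Counter(e["ip"] for e in events),
            "urls": Counter(e["url"] for e in events),
            "count": len(events)}


def detect(baseline_lines, window_lines, rate_factor=10.0,
           unseen_source_share=0.9, top_url_share=0.8):
    """Compare a recent window against the baseline and return the indicators that fired.

    Every threshold is an assumption. A one-minute baseline from a busy public
    site contains few of the addresses seen in the next window, so the
    unseen-source test needs a baseline long enough to represent your regulars.
    """
    b, w = summarise(baseline_lines), summarise(window_lines)
    flags = []
    if b["rps"] > 0 and w["rps"] / b["rps"] >= rate_factor:
        flags.append(f"request rate {w['rps']:.1f}/s is {w['rps'] / b['rps']:.0f}x the baseline")
    if w["count"]:
        unseen = sum(n for ip, n in w["ips"].items() if ip not in b["ips"]) / w["count"]
        if unseen >= unseen_source_share:
            flags.append(f"{unseen:.0%} of requests come from sources never seen in the baseline")
        url, n = w["urls"].most_common(1)[0]
        if n / w["count"] >= top_url_share:
            flags.append(f"{n / w['count']:.0%} of requests target a single URL: {url}")
    return {"baseline_rps": b["rps"], "window_rps": w["rps"], "flags": flags}


def make_lines(sources, urls, start_sec, seconds, per_second):
    """Construct synthetic log lines (sample data for the example, not captured traffic)."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines, i = [], 0
    for s in range(start_sec, start_sec + seconds):
        ts = (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        for _ in range(per_second):
            lines.append(f'{sources[i % len(sources)]} - - [{ts}] '
                         f'"GET {urls[i % len(urls)]} HTTP/1.1" 200 512')
            i += 1
    return lines


NORMAL_URLS = ["/", "/about", "/products", "/contact"]
REGULARS = [f"10.0.0.{n}" for n in range(1, 21)]       # private range, constructed
BOTNET = [f"203.0.113.{n}" for n in range(1, 51)]      # TEST-NET-3 documentation range, constructed
BASELINE_LINES = make_lines(REGULARS, NORMAL_URLS, 0, 60, 2)              # ~2 req/s for a minute
QUIET_LINES = make_lines(REGULARS, NORMAL_URLS, 60, 10, 2)                # next 10 s, still normal
ATTACK_LINES = make_lines(BOTNET, ["/search?q=" + "x" * 40], 60, 10, 100)  # 100 req/s flood

if __name__ == "__main__":
    for name, window in (("quiet", QUIET_LINES), ("attack", ATTACK_LINES)):
        result = detect(BASELINE_LINES, window)
        print(name, f"{result['window_rps']:.1f} req/s", result["flags"] or "no indicators fired")
```

Run stand-alone, the quiet window fires nothing while the flood trips all three indicators (rate, unseen sources, single-URL concentration). In practice the baseline would be built from days of logs at your central logging point, and the same three summaries extend naturally to the bandwidth, CPU and per-port counters listed above.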

Let Your People Know

Before an attack occurs, create and distribute an action and contact list, detailing who to call (DDoS protection service, hosting and upstream network provider, etc.; see below) and which tools to employ, in the event of an assault.

Be sure to include your Technical Support and Customer Service people, so they’ll know how to respond to users should an incident occur. And your CEO will have to be informed, as well.

Create an email contact list of all parties who should be informed immediately if your website goes down, and keep a copy somewhere that does not depend on the systems under attack.

Ask for Help

You may have done so already, but engage the services of a specialist provider who can assist before, during, and after a DDoS attack.

Start-ups such as CloudFlare will distribute your site’s load over multiple data centres, and assume responsibility for detecting and mitigating attacks for a moderate fee.

If you’re willing to spend upwards of $10,000 monthly, big names like Akamai Technologies, Limelight Networks, and Level 3 Communications provide such services for sites with heavy traffic loads. Whichever provider you choose, arrange and rehearse the cut-over (the DNS or routing change that sends your traffic through them) in advance, so that it is not attempted for the first time under fire.

Dump Your Trash

DDoS attacks have been known to approach 150 Gbps, generating phenomenal event logs on servers and other network devices. The volume of logging alone can fill disks and stall the logging subsystem, so once it’s been established that an attack is under way and the logs have little further to contribute, don’t be shy about reducing what you keep: cut the verbosity, sample or rate-limit the log stream, and rotate aggressively. Preserve a representative sample (source addresses, request patterns, timing) before discarding anything, as it is the evidence you will need afterwards to tune your filters and to brief your protection provider.
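One way to shed log volume during a flood without losing all evidence, as an added example that is not from the original article: a Python `logging` filter that passes every record at normal rates and, once the rate in the last second exceeds an assumed burst threshold, keeps only one record in every hundred, annotated with how many were dropped. The burst and sampling thresholds, the logger name and the logged lines are assumptions constructed for the example; the clock is injectable so the behaviour is reproducible.

```python
"""Shed log volume under a flood while keeping a forensic sample.

Added example, not code from the original article. The burst and sampling
thresholds are assumptions; the logged lines are constructed.
"""
import logging
import time
from collections import deque


class OverloadSampler(logging.Filter):
    """Pass every record at normal rates; above `burst` records per second,
    keep only one in `keep_every` and count the rest so the gap stays visible.

    `clock` is injectable (defaults to time.monotonic) so a test can freeze time.
    """

    def __init__(self, burst=1000, keep_every=100, clock=time.monotonic):
        super().__init__()
        self.burst, self.keep_every, self.clock = burst, keep_every, clock
        self.recent = deque()   # arrival times within the last second
        self.seen = 0
        self.dropped = 0

    def filter(self, record):
        now = self.clock()
        self.recent.append(now)
        while now - self.recent[0] > 1.0:       # expire arrivals older than one second
            self.recent.popleft()
        self.seen += 1
        if len(self.recent) <= self.burst:
            return True                          # normal load: keep everything
        if self.seen % self.keep_every == 0:
            # Annotate the survivor so an analyst knows how much was discarded around it
            record.msg = f"[sampled 1/{self.keep_every}, {self.dropped} dropped so far] {record.msg}"
            return True
        self.dropped += 1
        return False


class ListHandler(logging.Handler):
    """Collects formatted messages in memory (stand-in for a file or syslog handler)."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def simulate(n_records=5000, burst=1000, keep_every=100):
    """Log n_records inside one (frozen) second and return (kept, dropped)."""
    sampler = OverloadSampler(burst, keep_every, clock=lambda: 0.0)  # frozen clock: all in one second
    handler = ListHandler()
    handler.addFilter(sampler)
    log = logging.getLogger("ddos-sampler-demo")   # assumed logger name
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    for i in range(n_records):
        log.info("GET /search from 203.0.113.%d", i % 50)   # constructed attack-style lines
    return len(handler.messages), sampler.dropped


if __name__ == "__main__":
    kept, dropped = simulate()
    print(f"kept {kept}, dropped {dropped}")
```

With the defaults the first thousand records of the burst survive intact, after which one in a hundred is kept with a drop count, so the disk is spared but a sample of source addresses and request patterns remains for the post-incident review. Attach the filter to the handler that writes to disk rather than to the logger, so that a separate low-volume alerting handler is unaffected.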

DNS Protection

Your Domain Name System (DNS) is often a prime target for DDoS attackers, as it’s crucial to the availability of your Web services in resolving IP addresses for your users. So make sure your authoritative DNS servers are top-grade, well-secured against intrusion, and spread across more than one network or provider, so that the loss of a single server does not take your whole domain off the Internet.

Plan for The Worst

Stress testing in scheduled, announced test windows will help establish the ability of your critical systems to react to abnormal loads, such as those that occur in a DDoS attack; warn your hosting and upstream providers first, so the test is not mistaken for a real attack. You should also keep regularly updated records of your network infrastructure layout, an inventory of network assets, and baseline values for network performance, so that existing bottlenecks can be spotted, and so that the target and manner of any perceived attack can be identified quickly.

Contingency planning is a must, so develop and distribute a check-list of procedures to be followed in case of an attack. This should include the contact information set out above, as well as the actions which each person on the list should take, and what information should be made available to them to facilitate their response.

If your network or website goes down for a day (the typical time-frame for DDoS recovery), that day could cost you millions – to say nothing of the damage to your reputation and goodwill with your customers.

Kerry is a published author and writer on all things tech, corporate tech, data centres, SEO, webdesign & more for some of the world’s leading sites.

