Mitigating against DDoS attacks

March 5, 2019

DDoS may be an old-school attack vector, but it still accounts for 40% of cyber incidents according to Verizon… don’t get caught out!

DDoS (distributed denial of service) attacks have been around for a very long time. Over the years they have hit the headlines in spectacular fashion, with high profile companies from PlayStation to Github having their services severely interrupted by attacks.

DDoS works by overwhelming targeted servers with requests, data packets or messages, essentially attempting to open as many simultaneous connections with the server as possible in order to seriously degrade its performance and deny service to legitimate users such as employees or customers. This is often achieved using armies of internet bots – often computers or IoT devices that have been compromised.

This type of attack is often used by hacktivists as a way to target companies or organisations they have a grievance against. Indeed, the hacker network Anonymous has been well known for this in the past. But pretty much anyone can get in on the game these days, as a wide range of open source DDoS tools are readily available, such as LOIC (Low Orbit Ion Cannon). This software essentially connects users, via an easy-to-use interface, to a vast network of computer resources. Importantly, these are not zombie devices that have been infected by malware, but people volunteering their own resources to an attack.

A DDoS attack often starts with attackers exploiting a vulnerability in a single computer system or device. The attacker’s system then becomes the DDoS master and searches for other systems with the same vulnerability to turn them into bots. Attacks are measured by how many bits (binary digits) of data they send at the target per second—for example, a small attack might measure only a few megabits per second (Mbps), while larger attacks might measure several hundred gigabits per second (Gbps), or even more than one terabit per second (Tbps).

In February 2017 developer platform Github had its services taken offline by what is believed to be the biggest DDoS attack ever, with the first portion of the attack peaking at a massive 1.35Tbps.

While DDoS attacks are damaging in terms of disrupting services, they often have a more sinister undercurrent, as they are frequently used as a distraction from other criminal activity, such as data theft or network infiltration. The attacker keeps the target busy fighting off the DDoS attack and meanwhile sneaks a piece of malware in around the back.

While DDoS is old school, it’s not going away. According to Verizon’s 2018 DBIR, DDoS attacks have been the leading cause of security incidents for the past several years. About 40% of the incidents Verizon and its partners analysed were attributed to a DDoS attack.

So what can be done to defend against these kinds of attacks?

Protect your public-facing servers

Some of the routes used to mount a successful DDoS attack are relatively straightforward to mitigate: for example, public-facing servers need to be behind a solid and reliable firewall. A content delivery network (a network of servers that delivers pages and other web content to users based on their geographic location) can also help keep your services running during an attack, as it is easy to target one server but far less easy to target many servers at once.

Keep an eye on network activity, and have bandwidth slack

You need to be able to properly manage your network monitoring resources, as this can help you spot an attack as traffic starts to approach a specified threshold. If you then have an always-on, scalable provision, you can raise your bandwidth accordingly. It may be more expensive on the resource front, but it will be better for the company than having your services offline. While all organisations are potentially in the firing line for DDoS attacks, the ecommerce sector is often the most vulnerable, so if you’re in this sector you should pay special attention.
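The threshold-based monitoring described above can be illustrated with a small trailing-window request-rate monitor. This is an added example, not code from the original article or from any product it mentions. It assumes combined-format web server access logs (nginx/Apache style), an operator-chosen requests-per-second threshold, and a warning level at 80% of that threshold; the sample traffic is constructed inline using documentation IP ranges and shows five quiet seconds followed by a five-second flood from two sources.

```python
"""Trailing-window request-rate monitor over access log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def build_sample_log():
    """Constructed traffic: five quiet seconds (3 req/s), then five seconds of 15 req/s."""
    t0 = datetime(2019, 3, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(second, ip):
        ts = (t0 + timedelta(seconds=second)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512')

    normal = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]  # ordinary clients
    for s in range(5):
        for ip in normal:
            emit(s, ip)
    for s in range(5, 10):
        for ip in normal:
            emit(s, ip)
        for _ in range(6):
            emit(s, "192.0.2.50")  # flood source 1 (constructed)
            emit(s, "192.0.2.51")  # flood source 2 (constructed)
    return lines


def monitor(lines, threshold_rps, window_s=5, warn_fraction=0.8):
    """Compute the request rate over a trailing window, second by second.

    Returns a list of (second, rate, level, top_sources). level is "ok",
    "warn" (rate >= warn_fraction * threshold) or "alert" (rate >= threshold).
    top_sources lists the two busiest client IPs in the window so an operator
    can see whether load is concentrated (typical of a flood) or spread evenly.
    """
    per_second = defaultdict(Counter)
    first = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the monitor
        if first is None:
            first = rec["ts"]
        sec = int((rec["ts"] - first).total_seconds())
        per_second[sec][rec["ip"]] += 1
    if first is None:
        return []

    results = []
    last = max(per_second)
    for sec in range(last + 1):
        window = Counter()
        for s in range(max(0, sec - window_s + 1), sec + 1):
            window.update(per_second.get(s, Counter()))
        span = min(window_s, sec + 1)  # the first few windows are partial
        rate = sum(window.values()) / span
        if rate >= threshold_rps:
            level = "alert"
        elif rate >= warn_fraction * threshold_rps:
            level = "warn"
        else:
            level = "ok"
        results.append((sec, rate, level, [ip for ip, _ in window.most_common(2)]))
    return results


if __name__ == "__main__":
    for sec, rate, level, top in monitor(build_sample_log(), threshold_rps=12):
        print(f"t+{sec:2d}s  {rate:5.1f} req/s  {level:5s}  top={top}")
```

With a threshold of 12 req/s the monitor stays at "ok" through the quiet period, raises a warning two seconds into the flood as the trailing window fills with flood traffic, and escalates to an alert once the windowed rate passes the threshold; the top-source list makes the two concentrated sources obvious, which is the signal an operator would use to decide whether to add bandwidth or filter upstream.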

Keep business systems separate

Have your different business systems on different servers. That way, if your website comes under attack, critical applications like email and VoIP won’t be affected at the same time.

Watch out for internal threats

Finally, any system you deploy should also protect you from internal threats. If your devices are compromised and used as part of a botnet, it can not only degrade network performance but also get your IP addresses blacklisted, which can have wide-reaching ramifications.