Tips for Handling DDoS Attacks

A recent opinion article in TechGenix included a checklist for “Hardening your technology infrastructure in preparation for a DDoS attack.” Though it may be well-intentioned advice, it is not without some flaws. Below are some thoughts on that, from Corero’s perspective.

Tip #1, “List vulnerable, high priority resources,” is a sensible step. In this day and age, the targets of distributed denial of service (DDoS) attacks are often key resources, such as servers hosting business critical applications and services, so you can pretty much count on those being negatively impacted during an attack. Creating backup copies of documents and lists of key personnel to contact in the event of an emergency is quite fundamental to any crisis management plan, but especially so when under a DDoS attack.

Tip #2, “Partner with an upstream provider,” includes a suggestion that firewalls and load balancers can form part of your DDoS defenses but, in reality, that is not true. They may be able to protect themselves to a certain degree from basic attacks, but any claimed DDoS defenses are likely to be basic, at best, and totally inadequate for ensuring business continuity. Modern firewalls are stateful by design, making them unable to handle DDoS attacks, which are often created specifically to overwhelm that state tracking. Additionally, firewalls dictate which services may be used, but not how they are used. Attackers know this and often craft their attacks to specifically target those allowed services, or the servers which host them.
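The state-tracking limit described above can be seen in a toy model. This is an added example, not code from the original article or from any vendor; the table capacity, timeouts and rates are assumed values, and flood entries are processed before legitimate ones in each one-second tick (a pessimistic ordering).

```python
class StateTable:
    """Toy connection-tracking table; sizes and timeouts are assumed values."""

    def __init__(self, capacity=1000, half_open_timeout=30, established_idle=5):
        self.capacity = capacity
        self.half_open_timeout = half_open_timeout
        self.established_idle = established_idle
        self.expiry = {}  # flow id -> time at which the entry is dropped

    def expire(self, now):
        """Drop every entry whose timer has run out."""
        self.expiry = {f: t for f, t in self.expiry.items() if t > now}

    def track(self, flow, now):
        """Record the first packet of a flow; False means the table is full."""
        if len(self.expiry) >= self.capacity:
            return False
        self.expiry[flow] = now + self.half_open_timeout
        return True

    def establish(self, flow, now):
        """Handshake completed: the entry now lives for the short idle timeout."""
        self.expiry[flow] = now + self.established_idle


def legit_success_ratio(flood_rate, seconds=60, legit_rate=10):
    """Fraction of legitimate new connections the device could still track."""
    table = StateTable()
    accepted = attempted = 0
    for now in range(seconds):
        table.expire(now)
        # Flows that never complete a handshake: each one holds a slot
        # for the full half-open timeout.
        for i in range(flood_rate):
            table.track(("flood", now, i), now)
        # Legitimate clients complete the handshake straight away.
        for i in range(legit_rate):
            attempted += 1
            flow = ("legit", now, i)
            if table.track(flow, now):
                table.establish(flow, now)
                accepted += 1
    return accepted / attempted


if __name__ == "__main__":
    for rate in (0, 20, 100):
        print(rate, "flows/s ->", legit_success_ratio(rate))
```

In this model the device keeps up until the half-open entries held at any moment (rate times timeout) exceed the table size; beyond that point legitimate connections fail even though the extra traffic is a few dozen packets per second.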

Tip #3, “Create a network traffic baseline,” is not particularly useful against modern DDoS attacks, as many will not come close to saturating your incoming Internet links. A baseline may alert you to the possibility that you are under attack, but spikes in traffic can also be legitimate, and many modern DDoS attacks don’t create a significant enough rise in overall traffic levels to indicate an attack is in progress. Even if you do suspect that you are under attack, it’s unlikely you’ll have the visibility, skills, or tools to be able to mitigate it, without impacting your business. Your firewall, for example, almost certainly won’t have the flexibility to block the attack, without taking its target offline. If you truly care about defending against DDoS attacks, and keeping your business online, you need dedicated DDoS protection in place that can detect DDoS traffic and surgically mitigate it, automatically. Furthermore, it needs to be a solution that is agile enough to keep up with the fast-changing vectors used in many modern attacks.
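To make the point about overall traffic levels concrete, the following added example (not from the original article) runs a mean-plus-three-sigma baseline over constructed per-minute samples. All figures, the service names and the 50-minute training window are assumptions; the per-service packet-rate check is shown only as a contrast to the aggregate view.

```python
import statistics

# Constructed samples, one per minute: {service: (bits_per_sec, packets_per_sec)}.
def make_samples():
    samples = []
    for minute in range(60):
        web = (300e6 + (minute % 5) * 20e6, 40_000 + (minute % 5) * 2_000)
        dns = (2e6, 3_000 + (minute % 3) * 100)
        if minute >= 50:
            # Small-packet flood at the DNS service: about 40 Mbps of extra
            # traffic, but a packet rate roughly 25 times the normal level.
            dns = (42e6, 80_000)
        samples.append({"web": web, "dns": dns})
    return samples


def threshold(values, k=3.0):
    """Baseline limit: mean plus k standard deviations of the training data."""
    return statistics.mean(values) + k * statistics.pstdev(values)


def aggregate_alerts(samples, train=50):
    """Minutes where total inbound bits/s exceed the whole-link baseline."""
    totals = [sum(bps for bps, _ in s.values()) for s in samples]
    limit = threshold(totals[:train])
    return [m for m in range(train, len(totals)) if totals[m] > limit]


def per_service_alerts(samples, service, train=50):
    """Minutes where one service's packets/s exceed its own baseline."""
    pps = [s[service][1] for s in samples]
    limit = threshold(pps[:train])
    return [m for m in range(train, len(pps)) if pps[m] > limit]


if __name__ == "__main__":
    data = make_samples()
    print("aggregate bandwidth alerts:", aggregate_alerts(data))
    print("dns packet-rate alerts:   ", per_service_alerts(data, "dns"))
    print("web packet-rate alerts:   ", per_service_alerts(data, "web"))
```

The flood stays inside the normal swing of total bandwidth, so the link-level baseline never fires, while the targeted service's packet rate is far outside its own history for all ten attack minutes.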

Tip #4, “Harden against common DDoS attacks,” is easier said than done. Many of the common attacks are now at a level of sophistication that makes it impossible to block them without impacting legitimate traffic, unless you use a dedicated, automated DDoS protection solution with rapid detection mechanisms and surgical blocking filters that accurately discern legitimate traffic from bad traffic, allowing applications and services to continue operating unimpeded.

Tip #5, “Reduce the DDoS attack surface area,” is a tactic that may help reduce your threat surface from hacking and data exfiltration, but many of the measures that the author suggests, such as access control, are irrelevant to a DDoS attacker, who is just intent on stopping your applications and services from operating, not breaking into them to steal information.

Tip #6, “Patching,” is similar to Tip #5. Patching may help keep your devices from becoming part of a DDoS botnet, for example, but this won’t help you defend against a DDoS attack that targets your network, services and applications.

Tip #7, “Network segmentation and access distribution,” can help offload and protect some targets, such as your website – if it’s using a CDN – but that’s because many CDNs already include DDoS protection. This won’t defend against direct attacks on your own network or any resources that still need to operate on it.

Tip #8, “Scrubbing services,” in the cloud, are not a magical solution. They are a particularly useful part of DDoS defense, for attacks that exceed your Internet bandwidth capacity, but they are relatively slow to react. This means that, without complementary on-premises protection, you will be impacted by the attack for the entire time the cloud protection takes to engage, which can be from minutes to tens of minutes, during which time the applications and services being targeted suffer reduced performance and/or downtime. Furthermore, cloud scrubbing can be expensive; the monthly fee can seem affordable, but, as the number of attacks increases, the costs can be staggering. Also, with the vast majority of DDoS attacks now short in duration (over 80% less than 10 minutes) and small in volume (over 98% less than 10 Gbps), on-demand cloud protection adds little value compared to deploying dedicated real-time, always-on, on-premises DDoS protection.

Tip #9, “DDoS stress testing,” is typically done only by those who really care about the negative impacts a DDoS attack can have on their business. However, this is the only way to be confident that any protection which has been deployed is up to the job, before you become the victim of an attack. And, be prepared for a failure to withstand the test attacks, unless you have the latest in real-time automatic DDoS protection deployed on-premises, and maybe also with the backup of a cloud scrubbing service if you’re testing for resilience against attacks that exceed your Internet capacity.

Tip #10, “Incident response planning,” makes total sense because DDoS attacks are becoming more frequent, increasingly sophisticated and, depending on the type of DDoS protection that you have in place, may well impact systems, applications and services. Any downtime or lack of service availability in today’s Internet-dependent economy is increasingly unacceptable, so it’s critical to be able to efficiently remediate the problem, as well as communicate effectively with your organization’s stakeholders.

Tip #11, “Employee awareness,” may be helpful against attacks such as phishing. However, employees who experience an issue are unlikely to know it is the result of a DDoS attack. The only way to reliably stop attacks is having always-on protection that detects and mitigates them for you, with alerts and reports of the DDoS activity and the actions taken. This allows IT security staff to focus on other cybersecurity concerns, simply verifying and consuming the DDoS attack analytics reporting.

As DDoS attacks have become more frequent, stealthy and sophisticated, more organizations are plagued by such attacks. In response to that threat, it certainly makes sense for organizations to harden their defenses, but they must not be lulled into a false sense of security, if they rely merely on inadequate measures such as patching, scrubbing, and planning what to do when an attack happens.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premises, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.