Defending Your Network Against DDoS Attacks

There is nothing more frustrating to a customer or client who is unable to access the website of a company, bank or retailer. Multiple emails and attempts to “check out” often lead to the viewpoint of “forget them; I will just go to another e-retailer to see if they have it in stock.” Equally frustrating, and potentially dangerous to business, revenues and corporate reputation, is when such denial or inability to access the corporate website is not just due to heavy traffic (like during Black Friday), but when this “denial of service” is caused by malicious actors or hacktivists. These attacks – called “Distributed Denial of Service attacks” or “DDoS” attacks – can often be intense, involving hundreds of thousands of computers all over the world and huge amounts of traffic. They can last for hours or days depending upon the intent of the attacker, rendering a website, server or entire network useless for the duration of the attack. For financial institutions they can be extremely problematic as it may prevent customers from completing transactions, or even impact bank-to-bank transactions. Indeed, the “2015 Verizon Data Breach Investigations Report (DBIR) shows that DDoS attacks are the most common form of attack against financial services businesses, accounting for 32% of all attacks analyzed in the report.” These sorts of attacks have grown exponentially in 2015, and continue today to be a threat today. We describe DDoS attacks below and discuss hardware and cloud solutions that could potentially help address and mitigate the effects of DDoS attacks before they can do real harm to a company or frustrate its customers.

What is a DDoS Attack?

In general, a DDoS attack is a type of cyber attack that uses large numbers of computers and huge volumes of traffic to overwhelm a server or network, slowing it or rendering it completely unresponsive. DDoS attacks generally require that the attacker control thousands, tens of thousands or hundreds of thousands of computers – usually owned by normal, unsuspecting consumers all over the world – and create their own network out of these “zombie computers.” That large network of computers is then used to focus traffic, such as a simple request to view a web page or something more malicious, on a single target or group of targets. The targeted servers or networks, not designed to handle simultaneous requests from such large numbers of systems, often get bogged down or stop responding completely. The amount of traffic generated by these attacks is immense. Though there are multiple variants of DDoS attacks, the four “main” variants are as follows: Flooding or Volumetric Attack A flooding attack sends a large amount of traffic to a victim network to congest the network with traffic. With enough traffic (which today, is much easier through the use of botnets and other DDoS attack tools), the traffic crashes the victim network so legitimate users cannot access their accounts or make purchases online. Amplification Attack A different DDoS attack which “manipulates publicly-accessible domain name systems, making them flood a target with large quantities of UDP (user datagram protocol) packets. Using various amplification techniques, perpetrators can “inflate” the size of these UDP packets, making the attack so potent as to bring down even the most robust Internet infrastructure.” Often the attacking packets are spoofed (or faked) in order to hide the origin of the attack, or to defeat potential firewall defenses. Resource Depletion Attack Similar to an amplification attack, a resource depletion attack floods the victim server with bogus information packets to seize up the server, so it cannot respond to legitimate requests for information. Diversion or Ransom Attack Lastly, in this attack vector, the attacker commences a DDoS act against victim server to distract the security team and incident responders while the attacker uses different methods to penetrate the network. One popular variant of this attack is to flood the victim’s servers constantly until they pay a ransom (normally in untraceable bitcoin). A second variant of this attack is to divert the incident response team with a large-scale DDoS attack while implanting malware or Trojans on the network designed to steal data, information or PII, or exploit a known vulnerability.

Defending Against DDoS Attacks

Defending against a concentrated and sustained DDoS attack can be akin to defending against a 4 on 1 “fast break” in a full court game of basketball – there are too many attackers and not enough of you. Your defenses are completely overwhelmed, and the attackers are headed to the basket for an easy score. Though it’s not always possible to defend against a large, organized DDoS attack without some impact to the targeted network, there are strategies that can help mitigate the effects of even the most vicious DDoS attacks:

1. Recognize the signs of a DDoS attack: the first and best defense against a DDoS attack is the ability to recognize it early. Unfortunately, not all DDoS attacks are easy to distinguish from normal spikes in network or web traffic, or a sudden slowdown in network performance. Invest in the right technology, expertise and training to help you tell the difference, or use an anti-DDoS service as discussed below.
2. Incident response planning: Be ready with a great incident response program and include in it a DDoS mitigation plan.
3. Contact your ISP provider: If your company is feeling the effects of a DDoS attack, it is likely affecting your ISP provider, as well. Call your ISP provider to see if they can detect DDoS attacks and re-route your traffic in the event of an attack rather than have you call for support. When choosing an ISP, inquire whether any DDoS protective services are available, and consider whether you might want to engage a backup ISP in the event of an attack to keep your business running.
4. Have your threat intel handy: Half the battle in today’s environment is knowing what to look for. What are the potential indicators of compromise that an attack is underway? What threat vectors are most popular? And how are your peers responding to those attacks? Join your local ISAC, use the threat intel service provider or network with your peers to understand the source of threats and attacks.
5. Other Mitigation Defenses and Tools: There are two tools that companies should consider in addition to standard signature-based firewalls and routers (to reject known bad traffic) when thinking about mitigation strategies: (1) Load balancers to balance traffic across multiple servers within a defined network with the goal of creating additional network availability, and (2) a cloud-based anti-DDoS solution to filter or divert malicious DDoS traffic.

Today, with the large-scale commoditization and distribution of sophisticated cyber-attack tools, more and more people have access to sophisticated malware that facilitates DDoS attacks. Given this massive increase, today’s organizations need to be prepared to defend against DDoS attacks or risk outages and other damage. Consider our advice to help prevent attackers from shutting down your network with a flood of unwanted traffic. Have an incident response plan in place and talk about DDoS countermeasures in advance with your ISP and a security vendor that specializes in mitigating these types of attacks. Finally, as with any challenge, practice, practice, practice your incident response plan. Your corporate reputation, customers and investors are worth the effort.  

Image

About the Author: Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. _{Title image courtesy of ShutterStock}