Best practices to mitigate DDoS attacks

DDoS attacks are on the rise and growing more complex. A majority of respondents in a recent survey from Neustar indicate a service outage would cost their companies $10,000 or more per hour in lost revenues. Follow these tips to mitigate an attack against your organization.

The hactivist group Izz ad-Din al-Qassam Cyber Fighters is several weeks into Operation Ababil 2, and, as promised, is once again directing distributed denial-of-service (DDoS) attacks at U.S. banks. The group has vowed to continue disrupting online and mobile banking sites until all instances of the movie “Innocence of Muslims” are removed from YouTube.

Numerous banks have been attacked in recent weeks, including PNC Bank, Fifth Third, HSBC, JPMorgan Chase, Citibank and others. For the financial institutions, it’s déjà vu all over again, as they were similarly attacked last September and October. The banks have all suffered daylong slowdowns and, at times, complete outages. Security experts say these are the largest cyberattacks they’ve ever seen.

BACKGROUND: U.S. bank cyberattacks reflect ‘frightening’ new era

It’s disturbing that this second round of attacks has had even a modicum of success in disrupting banking services. After all, the banks were forewarned that the DDoS attacks would be coming, and thus they had ample time to put preventive measures in place. There are anti-DDoS technologies that can mitigate these types of attacks and lessen the effects on the victim businesses.

Every company with a website and any type of online service should take notice of these attacks; they aren’t exclusive to financial institutions. DDoS attacks can be initiated by anyone with a motivation and a few dollars. In fact, it’s incredibly easy for anyone to get DDoS as a service. There’s a series of advertisements running on YouTube for something called “Gwapo’s Professional DDoS Service.” These ads boldly describe how “Gwapo” will perform a denial of service against any target website for a fee. The cost depends on the strength and duration of the desired attack. Gwapo simply aims a botnet at the target website and fires excessive traffic to achieve the objective of an outage.

Why would someone attack a website? Some people, like Cyber Fighters, use DDoS to make a political statement. Others do it to extort money, holding the website hostage via an outage until a ransom is paid. Unscrupulous people use DDoS to disable a competitor. Some security experts believe that DDoS attacks are often a smokescreen to cover up other illicit activity. While administrators are focused on getting their website functioning again, the perpetrator is planting malware or stealing information. In fact, this proved to be the case in some of the earlier attacks on the U.S. banks.

How can you protect your company’s Web presence? Here are a few tips on what you can do now to head off a potential problem later.

* Don’t count on a firewall to prevent or stop a DDoS attack. The first step is to recognize that your firewall is insufficient protection against the types of DDoS attacks that are increasingly common today. Even a next-generation firewall that claims to have DDoS protection built-in cannot deal with all types of attacks. The best protection against DDoS attacks is a purpose-built device or service that scrutinizes inbound traffic before it can hit your firewall or other components of the IT infrastructure. This type of solution has one mission: to prevent excessive or malicious traffic from making your Web-based applications inaccessible to legitimate customers or users.

* Bake DDoS into your business continuity and disaster recovery plan. Your company probably has a business continuity/disaster recovery (BC/DR) plan that outlines what to do in the event of some sort of business interruption or outage. You need to include procedures for DDoS mitigation in this plan. This will help to minimize any delay in responding to an attack and help assure that your company executives will commit the necessary resources for prevention and mitigation.

* Know the signs of an active attack. Not all disruptions to service are the result of a denial-of-service attack. There may be technical problems with a particular network, or system administrators may be performing maintenance. However, the United States Computer Emergency Readiness Team (US-CERT) advises that the following symptoms could indicate a DDoS attack:

• Unusually slow network performance (opening files or accessing websites)
• Unavailability of a particular website
• Inability to access any website
• A dramatic increase in the number of spam emails received

* Know your customers and lock out unexpected transactions. Most companies have a limited geography for where they do business — even if that geography is the entire country. If your company isn’t expecting people from, say, Eastern Europe or China to be placing orders via your website, the presence of inbound traffic from those geolocations may indicate trouble. If your anti-DDoS solution has the feature, restrict transactions that originate in locations where you don’t typically do business.

* Measure the financial impact of being offline for a period of time. How much would it cost your company if no Web transactions could take place for four hours? Eight hours? A full day? The cost of an outage varies greatly by company. Calculate what the financial impact would be to your company so that you can justify to executives the expense of DDoS mitigation services.

* If you are the victim of a DDoS attack, look for fraud, data breaches or other criminal activity. Many security experts believe that DDoS attacks may be smokescreens to hide other cybercrimes, including data breaches or financial fraud. Payloads in the attack traffic could be dropping malware on your servers. If your company does experience a DDoS attack, do a very thorough inspection of all system logs to determine if other malicious activities took place during the attack period. If your website supports credit transactions, be especially mindful of your PCI/credit processing environment. Be sure to deploy defenses at the perimeter of your card holder data environment as required by PCI-DSS.

* Know who to call to stop an attack. If you don’t have an anti-DDoS solution in place, then at least know who to contact immediately if you suspect your company is under attack. It’s prudent to explore the dedicated anti-DDoS solutions on the market and decide which vendor/solution provider to call if the need arises. It’s like choosing your doctor before you get sick so you don’t waste valuable time figuring out what to do in emergencies.

DDoS attacks are on the rise. Every good security plan has to include mitigation in order to minimize the effects of a service outage.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.

______________________________________________________________

About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.