Distributed Denial of Service (DDoS) attacks are becoming more pervasive as the ability to launch them becomes easier and more affordable. In the dark cybersphere, purchasing a turnkey botnet or renting hundreds or thousands of bots is becoming more and more affordable. These can be leased by the hour or by the day. Ecommerce sites are set up so that even a novice user can purchase the service to launch an attack.
DDoS attacks can come through different attack vectors. The attacker may target the network as a whole, the web presence of an organization, or both. DDoS attacks can be launched by cyberactivists, a disgruntled employee or customer, competing organizations or even governments. Many times the actual perpetrator may never be known, since these attacks are bounced off unrelated network servers. Take for instance the hack at Sony: there is still controversy surrounding the source of the attack, since it is difficult, if not impossible, to prove who is responsible for the attack.
New vulnerabilities that can be exploited for DDoS continue to be discovered. Just recently it came to light that the routing protocol RIPv1 can be exploited to perform DDoS reflection and amplification attacks. Additionally, DDoS attacks can be accompanied by ransom demands, as was the case with the DDoS attacks that were launched against four New Jersey casinos on July 2nd of this year.
Although DDoS attacks are easier than ever to deploy and, according to almost every published survey on this phenomenon, are on the increase, organizations are slow to spend money on upfront protection. Over the last few years, the focus in the security industry has turned towards mitigating advanced persistent threats (APTs), and very little attention has been paid to the risk of DDoS. One reason for this is that, unlike malware or APTs in a network, which can be proven to exist, an organization has no way to know whether it will or will not suffer a DDoS event. Organizations tend to have a “show me the risk” attitude towards their security posture. Once the decision makers see that the actual threat exists, then they are willing to allocate funds to address the risk. With DDoS, a company may take a ‘wait and see’ posture prior to an attack happening, in which case it may take much longer to solve the issue with no clear mitigation strategy in place.
Obviously, an attack on web or network resources can interfere with a company’s business and have unexpected costs associated with it. These attacks are often impossible to deal with if the appropriate controls are not in place upfront. According to the Q2 2015 DDoS Trends Report: Exposing the Shady Economy behind DDoS Attacks by Imperva, the average DDoS subscription fee for a one hour/month package is roughly $38. And, according to this same report, the cost of an unmitigated attack to the organization averages $40,000 per hour.
When an attack hits an organization, these unexpected costs are usually related to loss of business. When there is a quantifiable cost of having web systems not accessible, then it makes sense to review the security solutions that are able to deal with an attack ahead of time. At a minimum, security professionals should understand their options and what can be done while under attack to reduce their network down time.
The first step in developing a DDoS mitigation strategy is understanding that there are multiple attack vectors and methodologies for sustaining an attack – including network, web, and DNS types of attacks.
If web resources are the lifeblood of an organization, then it may be prudent to address this issue first. Web DDoS attacks can take the form of a pure network-based DoS attack, or can exploit the application layer. Any solution that is used to address web DDoS attacks should include the ability to discern between the two types of attacks and address both.
For organizations with a large remote user force, a network attack can mean network resources are slow to access or are not available to the workforce. This can have a measurable effect on business operations with a direct cost impact.
So, what is an organization to do to mitigate DDoS from affecting their operations? First, it is imperative that responsible organizations are not used as part of the DDoS botnet. This involves the basic security practices of patching all machines on the network, as well as having visibility of traffic on the network to ensure systems are not hijacked and used for launching attacks. Additionally, there should be a plan of action in the event that a DDoS attack occurs, which includes understanding the various types of DDoS attacks and best practices for countering the attack.
High profile organizations should absolutely consider having a DDoS mitigation service available. Additionally, they should have a handle on their normal network traffic patterns, so that they are immediately alerted to anomalous behavior. If the web farms are located internally, then edge devices should be configured to drop suspicious packets. Rate limiting may also be prudent. If web sites are remotely hosted, then be aware that ISPs will typically block traffic to your web site if a DDoS attack is suspected. Understanding how your hosting company detects and handles DDoS attacks is an important part of your mitigation strategy. Additionally, you should know whom to contact at the ISP/hosting provider if a DDoS event occurs.
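To make the "know your normal traffic pattern" advice concrete, here is an added example (not from the article or any product it mentions) that learns a per-minute request baseline from a constructed sample, flags minutes that surge far beyond it, and picks out the sources responsible for most of the surge as candidates for edge rate limiting. The request counts and IP addresses are constructed test data, and the thresholds are assumptions to tune against your own traffic.

```python
from statistics import mean, pstdev

# Constructed sample: requests per minute seen at the edge during a quiet
# period (the baseline), then a live window containing a sudden surge.
BASELINE_WINDOW = [120, 135, 128, 140, 131, 125, 138, 129, 133, 127]
LIVE_MINUTES = [134, 130, 4800, 5200, 136]


def baseline_stats(counts):
    """Return (mean, population stddev) of the learned normal rate."""
    return mean(counts), pstdev(counts)


def is_anomalous(count, avg, sd, z_threshold=3.0, min_ratio=2.0):
    """A minute is anomalous when it is both statistically far from the
    baseline (z-score) and materially larger (ratio). Requiring both keeps
    a very flat baseline with a tiny stddev from alerting on harmless jitter.
    """
    z = (count - avg) / sd if sd > 0 else float("inf")
    return z > z_threshold and count > avg * min_ratio


def detect_surges(baseline, live, **thresholds):
    """Return indices of live minutes that breach the learned baseline."""
    avg, sd = baseline_stats(baseline)
    return [i for i, c in enumerate(live)
            if is_anomalous(c, avg, sd, **thresholds)]


def top_talkers(per_source, share=0.5):
    """Given {src_ip: requests} for an anomalous minute, return the sources
    that together account for at least `share` of the traffic. These are
    the first candidates for rate limiting or dropping at the edge device.
    """
    total = sum(per_source.values())
    cumulative, chosen = 0, []
    for src, n in sorted(per_source.items(), key=lambda kv: -kv[1]):
        chosen.append(src)
        cumulative += n
        if cumulative >= total * share:
            break
    return chosen


if __name__ == "__main__":
    print("surge minutes:", detect_surges(BASELINE_WINDOW, LIVE_MINUTES))
    # Constructed per-source breakdown of the first surge minute.
    surge_sources = {"203.0.113.5": 3000, "198.51.100.9": 1500, "192.0.2.7": 300}
    print("rate-limit candidates:", top_talkers(surge_sources))
```

In practice the baseline window would be refreshed continuously from flow or web-server logs, and the candidate list would feed the edge device's drop or rate-limit rules rather than a print statement.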
As with most issues, a little planning goes a long way. Understanding the risks and what to do in case of attack should be addressed as part of your security planning. When there is a measurable and large cost associated with down time, then mitigation services and technology should be reviewed and implemented.
By Susan Joy Crabtree, President, Mission Critical Systems