DDoS Attacks (Part II) - The New Line of Defense.
As discussed in the previous article of this series, knowing that hacktivists are indeed targeting high-profile networks is important, but let’s look at what organizations are doing to defend themselves.
First, and most obvious of all, let’s talk about the most common response, the one often seen as plain common sense: the knee-jerk reaction is to throw hardware and software resources at the problem. Just because it’s the most common response doesn’t mean that it’s effective.
Knowing that there’s going to be a steep spike in incoming mail and other requests, many organizations are following the “more” strategy: more Web servers, more e-mail servers, generally more capacity to handle more requests. Hand-in-hand with that strategy, they’re increasing the quantity of firewalls in-house.
It’s not that these measures are wrong, per se, and some may indeed help stem the tide. But, as some recent attacks have shown, the volume of incoming requests can far exceed any in-house capacity in a hurry. That’s why some organizations go further in building barricades to shore up their defenses and this is when the real problems start to emerge.
First, many organizations are deploying more peripheral devices into the mix. However, these devices don’t have the facility to undertake deep-packet inspection, and that’s a crucial element in mitigating DDoS attacks.
Others have opted for Intrusion Detection Systems, which monitor network or system activities for actions that suggest malice or even policy violations. There are many forms of IDS, and they do play a role in defending against some potential attacks. However, it’s important to keep in mind that in certain scenarios, they may even serve to increase the danger of the attack.
Then there are the different incarnations of CDNs (content delivery or content distribution networks). These are essentially server farms deployed offsite, and they’re particularly useful for offloading the traffic served from the content provider's point of origin.
They’re used extensively in media or e-commerce infrastructures, and can offer the benefit of significant savings while enhancing core performance. Such services don’t come cheap, however, and more problematically, some dynamic attacks can be designed to travel straight to the origin servers.
Finally, there are now some specialized DDoS mitigation hardware packages that have come into the market. Yet, these too are only as effective as the capacity of an organization’s Internet connection. More bandwidth helps, of course, but that can get very expensive very fast, especially given the data volumes involved in a concerted DDoS attack.
In sum, it’s like an arms race, but winning is financially indefensible. It’s much cheaper to generate bogus traffic than it is to defend against it with ever more infrastructure and bandwidth.
So what’s the answer? Are there any viable (economically and otherwise) defenses available?
The short answer is yes, and here are the initial steps you should take:
First, open a communications channel with the Internet service provider immediately. It’s vital to get a sense of the volume of incoming traffic, since that will guide the response. Most importantly, given their best estimate, can the existing Internet connection handle it?
Next, try to get a geographic fix on the problem. If most of the spike is coming from a specified country or region, it may be possible to block all traffic from that point of origin. Of course, this will also halt legitimate traffic from that source, but in some cases that may be a small price to pay.
Also try to ascertain which pieces of the infrastructure can be reached while the attack is in effect. Can you get to your peripheral device? Log in yourself from an external source to see which connections are still open, and where the traffic might be coming from. In fact, it’s sometimes possible to add some blocks internally, but this is a very temporary fix.
If possible, it’s also wise to check Web server access logs to see if the attacks are hitting a particular URL. If they are, then it might be necessary to disable that target temporarily—it hurts in the short term, but minimizes overall damage to the brand.
Next, monitor all relevant social media channels immediately — it’s generally how hacktivists coordinate attacks. See if it’s possible to find relevant posts on Google, Facebook, Twitter, IRC (Internet Relay Chat) rooms, etc. Remember, hacktivists want to draw attention to their activities, and they’re comfortable using public forums for this purpose. Some entities have used these tactics to stay one step ahead of the attackers.
Ultimately, once the inevitable has happened, you should conduct a post-mortem: identify which piece of the infrastructure failed, and why.
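The access-log check from the steps above, as an added example that is not from the original article or from Neustar: it parses Apache/nginx "combined"-format lines (the field layout is an assumption), counts hits per URL path and per client address, and reports how concentrated the traffic is on one target and how many requests the server is already failing with 5xx errors. The sample log lines are constructed for the example, and unparseable lines are skipped rather than aborting the analysis mid-incident.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; the field layout is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): one path dominates the spike
# and the server has started answering it with 503s.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 512
203.0.113.11 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=b HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=c HTTP/1.1" 503 0
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=d HTTP/1.1" 503 0
garbage line that does not parse
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text, top=3):
    """Count hits per path (query string stripped) and per client; report concentration."""
    by_path, by_ip, errors, total = Counter(), Counter(), 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting during an incident
        total += 1
        path = rec["path"].split("?", 1)[0]   # group /search?q=a and /search?q=b together
        by_path[path] += 1
        by_ip[rec["ip"]] += 1
        if rec["status"].startswith("5"):
            errors += 1
    target, hits = by_path.most_common(1)[0] if by_path else (None, 0)
    return {
        "total": total,
        "top_paths": by_path.most_common(top),
        "top_clients": by_ip.most_common(top),
        "target": target,                                   # candidate URL to disable temporarily
        "target_share": hits / total if total else 0.0,     # fraction of requests hitting it
        "server_error_rate": errors / total if total else 0.0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On a real incident, feed the script the tail of the live access log rather than the constructed sample; a high `target_share` is the signal the article's step describes, and `top_clients` feeds the geographic check with the ISP.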
Keep in mind, though, that even after following all these steps it still might not be possible to completely prevent DDoS attacks by yourself. But by developing, implementing and regularly stress-testing comprehensive response strategies, organizations can certainly mitigate, even minimize, the damage.
Next week, we talk about what steps you should take when relying on external parties to help mitigate DDoS attacks.
Miguel Ramos is the Senior Product Manager of Neustar, Inc., a provider of real-time information and analysis to the Internet, telecommunications, entertainment, advertising and marketing industries throughout the world.