DDoS attacks are vastly bigger now. Here is what you need to do to protect yourself and your network.
Distributed denial-of-service (DDoS) attacks are certainly nothing new. Companies have suffered the scourge since the beginning of the digital age. But DDoS seems to be finding its way back into headlines in the past six months, thanks to some high-profile targets and, experts say, two important changes in the nature of the attacks.
The targets are basically the same — private companies and government websites. The motive is typically something like extortion or to disrupt the operations of a competing company or an unpopular government. But the ferocity and depth of the attacks have snowballed, thanks in large part to the proliferation of botnets and a shift from targeting ISP connections to aiming legitimate-looking requests at servers themselves.
Half the time DDoS attacks go unnoticed by end-users, but about a quarter of the time they completely shut down services, according to a Kaspersky Labs survey.
About one fourth of the attacks result in loss of data, possibly carried out by accompanying attacks. The incidence of DDoS attacks lags behind malware, phishing and network intrusions, the survey says.
What are the best ways to stop DDoS attacks? “Taking on DDoS attacks requires a new approach that not only detects increasingly complex and deceptive assaults but also mitigates the effects of the attack to ensure business continuity and resource availability,” says Scott Manson, Cyber Security Leader for Middle East and Turkey, Cisco.
Patrick Grillo, Senior Director, Solutions Marketing at Fortinet, says the best way is a combination of methodology and technology. “By methodology we mean combining on-premise protection with cloud-based services. This allows the organisation to take the best of both options to improve their protection against a DDoS attack. From a technology perspective, it’s absolutely essential that the chosen solution has full visibility of the incoming and outgoing traffic. Due to the sophisticated nature of today’s DDoS attacks, just sampling network traffic is no longer effective in detecting and responding to an attack.”
While organisations always want to find threats as quickly as possible, that ideal is far from being met, and the same holds true in the case of DDoS attacks. “When a DDoS attack hits your network, a long time can pass before the security/network staff fully realises it is actually a DDoS attack that is affecting the services, and not a failing server or application,” says Manson.
But is it possible to detect and mitigate DDoS attacks in real-time? And how can you tell the signs of an active attack?
“Identifying whether a crashed server is a result of genuine traffic or DDoS attacks can be tricky. A good indicator lies in the amount of time in which service has been down. If the pattern shows that service has been sluggish or denied for a number of days rather than a spike due to a flash sale, per se, then it’s time to conduct a thorough investigation into the root cause,” says Hadi Jaafarawi, Managing Director, Qualys ME.
Detecting and mitigating a DDoS attack can be difficult but not impossible, says John Shier, Senior Security Advisor, Sophos. He adds that an important factor in detecting a DDoS attack is in knowing what your everyday traffic looks like. If you see a sudden spike in outbound connections from your network or hosts communicating on unexpected protocols, you may have a problem. Mitigation for this involves implementing filtering rules on your firewall to block the traffic in question. The host in question may also become slow if resources are being consumed for the purpose of the attack. Unfortunately this is rare since one of the defining characteristics of a DDoS attack is to spread the attack load across many compromised devices.
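The baseline-versus-now check Shier describes, as an added example in Python that is not part of the original article or any vendor's product. It builds a per-host baseline of outbound connection counts and of the (protocol, port) pairs each host normally uses, then flags the host whose current minute either blows past that baseline or talks to a service the baseline never saw, and turns the new services into candidate filtering rules. The flow records, host addresses, thresholds and iptables syntax are all assumptions constructed for the example.

```python
"""Baseline-versus-now check for a host that may be participating in a DDoS.

Constructed flow records, not captured traffic. Each record is
(minute, source_host, proto, dst_port, direction).
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def make_flows():
    """Five quiet baseline minutes (0-4), then minute 5, in which 10.0.0.5
    opens hundreds of outbound UDP/123 flows it has never used before.
    All addresses and counts are invented for the example."""
    flows = []
    for minute in range(5):
        flows += [(minute, "10.0.0.5", "tcp", 443, "out")] * (20 + minute)
        flows += [(minute, "10.0.0.7", "tcp", 443, "out")] * 15
        flows += [(minute, "10.0.0.7", "tcp", 25, "out")] * 3
    flows += [(5, "10.0.0.5", "tcp", 443, "out")] * 22
    flows += [(5, "10.0.0.5", "udp", 123, "out")] * 400  # the burst
    flows += [(5, "10.0.0.7", "tcp", 443, "out")] * 16
    flows += [(5, "10.0.0.7", "tcp", 25, "out")] * 2
    return flows


def outbound_services(flows, minutes):
    """{host: set of (proto, dst_port)} used outbound during `minutes`."""
    seen = defaultdict(set)
    for minute, src, proto, dport, direction in flows:
        if direction == "out" and minute in minutes:
            seen[src].add((proto, dport))
    return seen


def outbound_counts(flows):
    """{host: Counter(minute -> outbound flow count)}."""
    counts = defaultdict(Counter)
    for minute, src, proto, dport, direction in flows:
        if direction == "out":
            counts[src][minute] += 1
    return counts


def find_anomalies(flows, baseline_minutes, current_minute, factor=3.0, floor=10):
    """Flag hosts whose outbound flow count in `current_minute` exceeds
    max(factor * baseline mean, mean + 3 * stdev, floor), or that talk to a
    (proto, port) pair absent from the baseline. Thresholds are the example's
    own choice; tune them to the network's real baseline."""
    counts = outbound_counts(flows)
    known = outbound_services(flows, baseline_minutes)
    now_services = outbound_services(flows, {current_minute})
    findings = {}
    for host, per_minute in counts.items():
        history = [per_minute.get(m, 0) for m in baseline_minutes]
        mu, sigma = mean(history), pstdev(history)
        threshold = max(factor * mu, mu + 3 * sigma, floor)
        now = per_minute.get(current_minute, 0)
        new_services = sorted(now_services[host] - known[host])
        if now > threshold or new_services:
            findings[host] = {
                "connections": (now, round(threshold, 1)),
                "new_services": new_services,
            }
    return findings


def block_rules(findings):
    """iptables-style DROP rules for the newly seen services only; generated
    text to review before applying, not a recommendation to block blindly."""
    return [
        f"iptables -A FORWARD -s {host} -p {proto} --dport {dport} -j DROP"
        for host, f in findings.items()
        for proto, dport in f["new_services"]
    ]


if __name__ == "__main__":
    found = find_anomalies(make_flows(), range(5), 5)
    for host, info in found.items():
        print(host, info)
    print("\n".join(block_rules(found)))
```

Run on the constructed sample, only 10.0.0.5 is flagged: 422 outbound flows against a threshold of 66, plus a UDP/123 service absent from its baseline. 10.0.0.7 stays quiet even though its traffic mix changed slightly, which is the point of keeping a per-host baseline rather than a single global number. The generated rule only covers the newly seen service; the spike on an already-known service (here TCP/443) needs a human decision, since dropping it wholesale would also drop the host's legitimate traffic.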
Candid Wueest, Security Analyst and Researcher at Symantec says a DDoS attack scenario should be part of every incident response plan. “A company’s CERT or IT staff needs to check their exposure before an actual attack happens. Know who to call. Businesses should create a plan with the required contact information for ISPs and Web hosting providers. Most ISPs are interested in keeping their network bandwidth unclogged and will help mitigate the attack where they can.”
The cost of recovering from an attack is significant, particularly for small and midsize businesses. In a special report on security risks, Kaspersky Labs noted, “On average, a DDoS attack costs SMBs more than $50K in recovery bills, which is significantly more than the typical costs they face recovering from other types of attack.”
For some reason, though, companies still aren’t convinced that investing in security against DDoS attacks is money well spent. The Kaspersky Labs survey found that only around half of respondents (56% of IT professionals) believe that spending money to prevent or mitigate an attack would be worth the investment.
There are many factors to consider in evaluating anti-DDoS solutions in the market. Manson from Cisco says defending against DoS attacks occurring at the network layer requires a network architecture that can absorb large blasts of traffic and that filters all traffic so that only web traffic is permitted onto the network.
According to Cisco, there are three questions you should ask when it comes to choosing a DDoS mitigation solution:
- Does the solution absorb all attack traffic?
Not all attacks target web applications or services. Attacks sometimes attempt to sneak in through FTP or non-web ports; look for a solution that can evaluate all of your traffic in order to protect the site more effectively.
- Does it offer positive protection?
Many DDoS attacks at the network level can be stopped by only allowing legitimate HTTP traffic onto the network. The solution should drop all other non-application traffic or UDP packets without application payloads.
- Is the solution always on?
Security controls only protect your website or application if they are up and running. You need to determine the availability level promised by the solution and how it’s delivered. Does the solution provider guarantee availability with a service level agreement?
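To make the "positive protection" question concrete, the following is an added example in Python, not Cisco's or any other vendor's code. It puts a block-list (negative) admission policy beside an allow-list (positive) one and runs the same constructed packet mix through both: the negative policy waves through the FTP and SSH probes and the empty UDP datagrams that the text warns about, while the positive policy admits only TCP to the web ports and, optionally, UDP to services the site actually runs, and only when the datagram carries application data. The packet model, port lists and labels are assumptions made for the example.

```python
"""Negative (block-list) versus positive (allow-list) admission policy for a
site that only serves HTTP/HTTPS. Constructed packets, not captured traffic."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int       # 0 for protocols without ports
    payload_len: int    # bytes of application data above layer 4
    note: str = ""      # label used only for reporting


WEB_PORTS = frozenset({80, 443})


def negative_policy(pkt, blocked_ports=frozenset({23, 445})):
    """Block-list model: everything is admitted unless its port is on a
    list of known-bad ports. Unknown traffic passes by default."""
    if pkt.dst_port in blocked_ports:
        return "drop", "port on block-list"
    return "accept", "not on block-list"


def positive_policy(pkt, udp_services=frozenset()):
    """Allow-list model: admit only TCP to the web ports and, optionally,
    UDP to services the site really runs (e.g. authoritative DNS), and only
    when the datagram carries application data. Everything else drops."""
    if pkt.proto == "tcp":
        if pkt.dst_port in WEB_PORTS:
            return "accept", "web traffic"
        return "drop", "tcp to non-web port"
    if pkt.proto == "udp":
        if pkt.payload_len == 0:
            return "drop", "udp without application payload"
        if pkt.dst_port in udp_services:
            return "accept", "udp service on allow-list"
        return "drop", "udp service not on allow-list"
    return "drop", f"{pkt.proto} not permitted"


def tally(policy, packets):
    """Apply `policy` to each packet; return (verdict counts, accepted notes)."""
    counts = Counter()
    accepted = []
    for pkt in packets:
        verdict, _reason = policy(pkt)
        counts[verdict] += 1
        if verdict == "accept":
            accepted.append(pkt.note)
    return dict(counts), accepted


SAMPLE = [  # constructed mix of legitimate and attack-like traffic
    Packet("tcp", 443, 0, "TLS handshake SYN"),
    Packet("tcp", 80, 300, "HTTP GET"),
    Packet("tcp", 21, 0, "FTP control probe"),
    Packet("tcp", 22, 0, "SSH probe"),
    Packet("udp", 53, 0, "empty UDP to 53"),
    Packet("udp", 53, 40, "DNS query"),
    Packet("udp", 1900, 0, "empty UDP to 1900"),
    Packet("icmp", 0, 56, "ICMP echo"),
    Packet("tcp", 445, 0, "SMB probe"),
]

if __name__ == "__main__":
    print("negative:    ", tally(negative_policy, SAMPLE))
    print("positive:    ", tally(positive_policy, SAMPLE))
    print("positive+dns:", tally(lambda p: positive_policy(p, {53}), SAMPLE))
```

On the sample, the block-list admits eight of nine packets and only stops the one port it happened to know about; the allow-list admits two (three once UDP/53 is explicitly permitted for a site that runs DNS). Two caveats a practitioner should keep in mind: this model is stateless, so a flood of SYNs to port 443 still passes the positive policy, which is why the text pairs filtering with an architecture that can absorb large blasts; and the allow-list must be built from the services the site really exposes, or the policy drops legitimate customers along with the attack.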
Many enterprises in the region are yet to invest in DDoS prevention systems of any kind. Security experts warn the risks of not investing in DDoS prevention and protection are more than monetary, and could lead to lost business contracts and damaged reputation.