Online security is much on the mind of IT heads nowadays. Malware attacks are increasing in frequency and ferocity. According to the FBI, ransomware is one of the fastest-growing global criminal industries, and DDoS attacks are often a precursor to a targeted theft of information.
There is online security software, and there are appliances, that can protect against most forms of malware, but again, as the FBI says, “The only secure system is one that hasn’t been hacked yet.”
A basic denial-of-service (DoS) attack floods a website with more traffic than it can handle, so that legitimate requests cannot reach it: no service at that address. For an e-commerce site that can be catastrophic to the operator.
A variant is the distributed DoS (DDoS) attack. Here the attacker prepares many sources to send the malicious traffic, typically a botnet of compromised machines, often recruited through phishing and malware. Because the traffic arrives from thousands of addresses, none of which individually looks abnormal, a DDoS attack is much harder to block by filtering on source and harder to tell apart from a legitimate surge.
One reason for the increase in DDoS attacks is that many networks add insecure devices at the edge as part of an Internet of Things (IoT) rollout. Many IoT devices are inherently insecure, are rarely patched, and are not covered by mainline anti-malware applications. As a result, they are easily found by Internet-wide scanning, infected, and recruited into botnets.
Some 15,000 memcached amplification attacks were launched in 2018, and GitHub was hit by one that peaked at about 1.35 Tbps. Amplification attacks abuse servers that answer a small request carrying a spoofed source address with a much larger reply sent to the victim; memcached servers left exposed on UDP port 11211 can multiply the attacker’s traffic tens of thousands of times.
Clearly, the best approach is to stop a DDoS attack as it ramps up, before it harms your systems. But when malicious actors can launch an attack of over 1 Tbps, stopping it at your own perimeter is not possible: the traffic saturates your upstream links before it reaches anything you control.
The first thing to understand is that, in all probability, you cannot stop a DDoS attack with your own resources alone. The drawbacks of a DIY approach are, first, budget and, second, that you are usually reactive.
Installing a full protective screen costs money in hardware, software and external services, and sometimes in internal staff time. With no apparent payback until an attack actually happens, the budget request is often denied.
Even if an organization responds as soon as it detects an attack, that first burst of DDoS activity is usually enough to take systems down for several hours. How long depends on how soon the attack is detected, and sometimes that is only when users complain about slow or no response.
Here are several steps you can take:
- Early Detection
The earlier you detect a DDoS attack, the better your chances of surviving it. That is not as easy as it sounds. You need to know your typical traffic pattern (requests per second, bytes per second, the usual mix of sources and requested paths) so that you can tell whether a sudden spike is the marketing campaign you launched that morning or a DDoS attack starting up. A campaign spike usually comes from many distinct clients requesting the pages you advertised; an attack often shows signs a campaign does not, such as a few sources generating most of the requests, or every request hammering a single expensive resource. Neither test is conclusive on its own, so a spike should trigger a human look rather than an automatic verdict.
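The baseline comparison described above, as an added example in Python that is not part of the original article. It parses access-log lines in the common Apache/nginx format, derives a spike threshold from a constructed history of per-minute request counts using the median and MAD (so that a previous attack in the history cannot inflate the baseline), and then reports whether a window is normal, a concentrated spike (attack-like) or a broadly distributed spike (campaign-like). The log lines, the history, the addresses (IETF documentation ranges) and the thresholds are all constructed for the example.

```python
import ipaddress
import re
import statistics
from collections import Counter
from dataclasses import dataclass

# Apache/nginx combined-style access log: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class WindowStats:
    requests: int
    unique_sources: int
    top10_source_share: float  # fraction of requests from the ten busiest client IPs
    top_path_share: float      # fraction of requests for the single most-requested path


def parse_window(lines):
    """Summarise one window of access-log lines; unparseable lines are skipped."""
    sources, paths = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sources[m.group("ip")] += 1
        paths[m.group("path")] += 1
    total = sum(sources.values())
    if total == 0:
        return WindowStats(0, 0, 0.0, 0.0)
    top10 = sum(n for _, n in sources.most_common(10))
    top_path = paths.most_common(1)[0][1]
    return WindowStats(total, len(sources), top10 / total, top_path / total)


def baseline_threshold(history, k=5.0):
    """Spike threshold from past per-minute counts: median + k * scaled MAD.
    Median/MAD rather than mean/stdev so that an earlier attack in the history
    does not inflate the baseline and hide the next one."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    return med + k * max(1.4826 * mad, 1.0)   # floor avoids a zero-width band


def classify(stats, threshold):
    """Normal, concentrated spike (attack-like) or broad spike (campaign-like).
    Broad distribution does NOT prove legitimacy: a large botnet also looks
    broad, so the last verdict still needs a human."""
    if stats.requests <= threshold:
        return "normal"
    if stats.top10_source_share > 0.5 or stats.top_path_share > 0.9:
        return "spike-concentrated"
    return "spike-broad"


def make_lines(n_requests, n_sources, path, base_ip):
    """Constructed sample traffic (not real logs): n_requests spread round-robin
    over n_sources consecutive addresses from a documentation range."""
    base = ipaddress.IPv4Address(base_ip)
    return [
        f'{base + (i % n_sources)} - - [01/Mar/2018:17:28:{i % 60:02d} +0000] '
        f'"GET {path} HTTP/1.1" 200 1024'
        for i in range(n_requests)
    ]


# Constructed baseline: requests per minute over the previous twelve minutes.
HISTORY = [110, 120, 115, 130, 125, 118, 122, 119, 127, 121, 116, 124]

# Constructed windows: ordinary traffic, a launch-day surge, and an attack.
NORMAL = make_lines(120, 120, "/index.html", "198.51.100.1")
CAMPAIGN = (make_lines(200, 200, "/promo", "198.51.100.1")
            + make_lines(100, 100, "/index.html", "203.0.113.1"))
ATTACK = (make_lines(280, 3, "/search?q=x", "203.0.113.1")
          + make_lines(120, 120, "/index.html", "198.51.100.1"))


def verdicts():
    """Classify each constructed window against the constructed baseline."""
    thr = baseline_threshold(HISTORY)
    return {name: classify(parse_window(lines), thr)
            for name, lines in (("normal", NORMAL), ("campaign", CAMPAIGN), ("attack", ATTACK))}


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:9s} -> {v}")
```

In production the history would be the last hour or day of per-minute counts from your own logs or flow data, and the two share thresholds would be tuned against your real traffic; the point of the example is the shape of the check, not the numbers.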
- Perimeter Defences
If you run your own web server or cloud services, you can do a few things to mitigate the effects of a DDoS attack:
- Provision extra bandwidth. That won’t stop the attack, but it may buy you time to put your other measures in place.
- Reconfigure your core router or firewall to apply rate limits (per source address, and per protocol for UDP and ICMP) to protect the web server.
- Block traffic from well-known attack sources, or at least drop their packets without responding to them.
- Drop spoofed and malformed packets: source addresses that could not legitimately arrive on that interface (private, reserved or your own address ranges), and packets with impossible flag combinations or truncated headers.
These actions in themselves will not stop an attack, because DDoS attacks are now usually too large to be absorbed this way; filtering at your edge only helps while the attack has not already saturated the link upstream of you. All they are likely to do is buy you some time.
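The edge filtering steps in the list above, as an added Python example that is not part of the original article and not any vendor’s router configuration. It applies the checks in the order a router would: ingress (BCP 38 style) filtering of spoofed sources, rejection of malformed TCP packets, a blocklist, and finally a per-source token bucket rate limit. The packet records, the address ranges (IETF documentation prefixes standing in for public addresses), the hypothetical server prefix `OUR_PREFIX`, the blocklist and the rate values are all constructed for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str                         # source IPv4 address as text
    proto: str                       # "tcp" or "udp"
    tcp_flags: frozenset = frozenset()
    length: int = 60                 # total IP packet length in bytes
    ts: float = 0.0                  # arrival time in seconds


# Hypothetical prefix of our own web servers: a packet claiming to come from it
# can never legitimately arrive on the Internet-facing interface.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Source ranges that should never appear on an Internet-facing interface (BCP 38
# style ingress filtering): "this network", private, loopback, link-local, multicast/reserved.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# Hypothetical blocklist of known attack sources; in practice fed from threat intelligence.
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]


class TokenBucket:
    """Per-source rate limiter: `rate` packets/s sustained, `burst` packets at once."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeFilter:
    def __init__(self, rate=10.0, burst=5):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def verdict(self, pkt):
        """Return why a packet is dropped, or "accept". Cheap stateless checks run
        first so that junk is discarded before it consumes rate-limit state."""
        src = ipaddress.ip_address(pkt.src)
        if src in OUR_PREFIX or any(src in n for n in BOGONS):
            return "drop-spoofed"
        if pkt.proto == "tcp":
            f = pkt.tcp_flags
            # Shorter than IP+TCP headers, null flags, or impossible flag pairs.
            if pkt.length < 40 or not f or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f:
                return "drop-malformed"
        if any(src in n for n in BLOCKLIST):
            return "drop-blocklist"
        bucket = self.buckets.get(pkt.src)
        if bucket is None:
            bucket = self.buckets[pkt.src] = TokenBucket(self.rate, self.burst, pkt.ts)
        return "accept" if bucket.allow(pkt.ts) else "drop-ratelimit"


def run(packets, edge=None):
    """Count verdicts over a sequence of packets in arrival order."""
    edge = edge or EdgeFilter()
    return Counter(edge.verdict(p) for p in packets)


SYN = frozenset({"SYN"})

# Constructed sample traffic (not a capture). 198.51.100.0/24 stands in for
# ordinary public client addresses.
SAMPLE = (
    [Packet("198.51.100.7", "tcp", SYN, ts=i * 0.1) for i in range(5)]          # well-behaved client
    + [Packet("10.1.2.3", "tcp", SYN, ts=0.5),                                   # private source: spoofed
       Packet("203.0.113.50", "tcp", SYN, ts=0.5),                               # our own prefix from outside
       Packet("198.51.100.9", "tcp", frozenset({"SYN", "FIN"}), ts=0.6),        # impossible flag pair
       Packet("198.51.100.9", "tcp", SYN, length=20, ts=0.6),                    # truncated
       Packet("192.0.2.77", "tcp", SYN, ts=0.7)]                                 # on the blocklist
    + [Packet("198.51.100.200", "tcp", SYN, ts=1.0 + i * 0.001) for i in range(50)]  # SYN flood
)

if __name__ == "__main__":
    for verdict, n in sorted(run(SAMPLE).items()):
        print(f"{verdict:16s} {n}")
```

Note what the flood case shows: the token bucket lets the first burst through and then drops the rest, which protects the server but does nothing about the bandwidth those dropped packets already consumed on the inbound link. That is the limit the paragraph above describes.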
- External Assistance
You need to call your ISP for help. If, as is becoming more common, your web server is in a hosted data center, they might already have noticed, or they may be under attack themselves. They could take several actions:
- Null-route your address altogether (blackhole it) to protect the rest of their network. You will have no service while they sort things out.
- Divert traffic destined for your site to a “scrubber.” The scrubbing centre drops the obvious DDoS packets and forwards the probably legitimate ones to your web server.
Another approach, especially for massive DDoS attacks, is to call in a DDoS mitigation specialist. Your ISP may also do this.
DDoS mitigation specialists have large-scale infrastructure and many specialist tools, including scrubbing, to keep you up and running. They are highly experienced in DDoS and can absorb very high volumes of traffic. You or your ISP divert all your traffic to them using BGP, by having your address prefix announced from their network; when it is cleaned, they forward it to your website, typically over a GRE tunnel or a dedicated link.
Your users may notice increased latency, but that is undoubtedly better than no service at all.
The old saying that prevention is better than cure applies here. You will probably have a Business Continuity Plan in place; if not, get one.
Your plan must include a “what to do” section for a DDoS attack, with clearly defined actions and responsibilities: who calls the ISP, who holds the mitigation provider’s contact details, who can authorise diverting your traffic, and who tells your customers. With DDoS, time is of the essence, so the plan needs to be rapid, complete, and understood by everyone. Rehearse it.