DDoS protection, mitigation and defense: 8 essential tips

Protecting your network from DDoS attacks starts with planning your response. Here, security experts offer their best advice for fighting back.

clicks pageviews traffic denial of service ddos attack 100613842 orig
Thinkstock

DDoS attacks are bigger and more ferocious than ever and can strike anyone at any time. According to Verizon's latest DDoS trends report, the first half of 2018 saw an increase of 111 percent in attack peak sizes, compared to last year.  "The attackers are getting their hands on more and more machines that they can misuse for DDoS attacks," says Candid Wueest, threat researcher with Symantec Security Response at Symantec.

Even with recent high-profile takedowns of international botnet operators, there might be a slight decrease of activity for a couple of months before other botnets take over. "At Symantec, we collaborate with law enforcement and help them take down botnets," he says. "Unfortunately, it's not really feasible to get rid of all of them, with the new Internet of Things -- routers, CCTV cameras, all those devices. Most people don't even know if their IoT devices are being used for attacks."

In February, a 1.35-terabit-per-second attack hit GitHub, the largest ever recorded. Within ten minutes its DDoS mitigation vendor, Akamai Prolexic, was on the job. Eight minutes later, attackers gave up. The record was broken the next month, with a 1.7-Tbps attack reported by Netscout Arbor against a U.S. company, but there were no outages reported because of the mitigation defenses that were in place. These kinds of attacks are too big for any company to deal with on its own, Wueest says.

Attacks are getting more sophisticated, according to Verizon, with 52 percent of attacks now employing multiple attack vectors. "They might start with one attack method, and then when you mitigate against it, switch to another one," says Wueest. "They can do that several times, because there are so many different attack methods they can use."

As soon as someone comes up with a new attack method, criminals immediately look for ways to monetize it, or include it in their botnet kits. "The DDoS market works similar to the other criminal markets we see," says Chet Wisniewski, principal research scientist at Sophos Ltd. "No bad idea gets unrewarded."

With that in mind we’ve assembled some essential advice for protecting against DDoS attacks.

DDoS attacks are bigger and more ferocious than ever and can strike anyone at any time. According to Verizon's latest DDoS trends report, the first half of 2018 saw an increase of 111 percent in attack peak sizes, compared to last year.  "The attackers are getting their hands on more and more machines that they can misuse for DDoS attacks," says Candid Wueest, threat researcher with Symantec Security Response at Symantec.

Even with recent high-profile takedowns of international botnet operators, there might be a slight decrease of activity for a couple of months before other botnets take over. "At Symantec, we collaborate with law enforcement and help them take down botnets," he says. "Unfortunately, it's not really feasible to get rid of all of them, with the new Internet of Things -- routers, CCTV cameras, all those devices. Most people don't even know if their IoT devices are being used for attacks."

In February, a 1.35-terabit-per-second attack hit GitHub, the largest ever recorded. Within ten minutes its DDoS mitigation vendor, Akamai Prolexic, was on the job. Eight minutes later, attackers gave up. The record was broken the next month, with a 1.7-Tbps attack reported by Netscout Arbor against a U.S. company, but there were no outages reported because of the mitigation defenses that were in place. These kinds of attacks are too big for any company to deal with on its own, Wueest says.

Attacks are getting more sophisticated, according to Verizon, with 52 percent of attacks now employing multiple attack vectors. "They might start with one attack method, and then when you mitigate against it, switch to another one," says Wueest. "They can do that several times, because there are so many different attack methods they can use."

As soon as someone comes up with a new attack method, criminals immediately look for ways to monetize it, or include it in their botnet kits. "The DDoS market works similar to the other criminal markets we see," says Chet Wisniewski, principal research scientist at Sophos Ltd. "No bad idea gets unrewarded."

With that in mind we’ve assembled some essential advice for protecting against DDoS attacks.

1. Have your DDoS mitigation plan ready

Organizations must try to anticipate the applications and network services adversaries will target and draft an emergency response plan to mitigate those attacks. "Enterprises are paying more attention to these attacks and planning how they'll respond. And they're getting better at assembling their own internal attack information as well as the information their vendors are providing them to help fight these attacks," says Chip Tsantes, principal of information security advisory services at Ernst and Young.

Lynn Price, IBM security strategist for the financial sector, agrees. "Organizations are getting better at response. They're integrating their internal applications and networking teams, and they know when the attack response needs to be escalated so that they aren't caught off guard. So as attackers are becoming much more sophisticated, so are the financial institutions," she says.

“A disaster recovery plan and tested procedures should also be in place in the event a business-impacting DDoS attack does occur, including good public messaging. Diversity of infrastructure both in type and geography can also help mitigate against DDoS as well as appropriate hybridization with public and private cloud," says Chris Day, chief cybersecurity officer at data center services provider Cyxtera.

“Any large enterprise should start with network level protection with multiple WAN entry points and agreements with the large traffic scrubbing providers (such as Akamai or F5) to mitigate and re-route attacks before they get to your edge. No physical DDoS devices can keep up with WAN speed attacks, so they must be first scrubbed in the cloud.  Make sure that your operations staff has procedures in place to easily re-route traffic for scrubbing and also fail over network devices that get saturated,” says Scott Carlson, technical fellow at BeyondTrust.

2. Make real-time adjustments

While it’s always been true that enterprises need to be able to adjust in real-time to DDoS attacks, it became increasingly so when a wave of attacks struck many in the financial services and banking industry in 2012 and 2013, including the likes of Bank of America, Capital One, Chase, Citibank, PNC Bank and Wells Fargo. These attacks were both relentless and sophisticated. "Not only were these attacks multi-vector, but the tactics changed in real time," says Gary Sockrider, solutions architect for the Americas at Arbor Networks. The attackers would watch how sites responded, and when the site came back online, the hackers would adjust with new attack methods.

"They are resolute and they will hit you on some different port, protocol, or from a new source. Always changing tactics," he says. "Enterprises have to be ready to be as quick and flexible as their adversaries."

3. Enlist DDoS protection and mitigation services

John Nye, VP of cybersecurity strategy at CynergisTek explains that there are many things enterprises can do on their own to be ready to adjust for when these attacks hit, but enlisting a third-party DDoS protection service may be the most affordable route. “Monitoring can be done within the enterprise, typically in the SOC or NOC, to watch for excessive traffic and if it is sufficiently distinguishable from legitimate traffic, then it can be blocked at the web application firewalls (WAF) or with other technical solutions. While it is possible to build a more robust infrastructure that can deal with larger traffic loads, this solution is substantially costlier than using a third-party service,” Nye says.

Cyxtera's Day agrees with Nye that enterprises should consider getting specialty help. “Enterprises should work with a DDoS mitigation company and/or their network service provider to have a mitigation capability in place or at least ready to rapidly deploy in the event of an attack.”

“The number one most useful thing that an enterprise can do — if their web presence is that critical to their business — is to enlist a third-party DDoS protection service," adds Nye. "I will not recommend any particular vendor in this case, as the best choice is circumstantial and if an enterprise is considering using such a service they should thoroughly investigate the options."

The level of protection that the vendors are providing has increased dramatically this year -- as exemplified in the protections available for this year's record-setting attacks. Mitigation vendors are also increasingly working together with each other, with ISPs, and with law enforcement, to address the problems further upstream, long before they reach the intended victims, or clog up internet pipes along the way.

One DDoS mitigation provider, Cloudflare, has expanded its points of presence -- devices they install upstream, at ISPs and other key locations -- from 118 at this time last year, to 156 today. And the number of websites the company protects has increased from 7 million to 12 million over the same time period, according to Doug Kramer, the company's general counsel.

Cloudflare has been in the news lately for its refusal to remove protections on some neo-Nazi websites, but it has no such qualms about kicking DDoS attackers off its networks. "We work collaboratively with a lot of other groups, like the folks at AWS, Akamai, Google and Palo Alto Networks," says Kramer. "Even though we might be competitors in the commercial space,  we work together to track this stuff and shut it down."

With sites promoting dangerous content, however, it's a question of censorship, he says. "Our approach is to avoid being a censor, so we will follow the court process. If we get a court finding, we will discontinue services or whatever the court requires. But if we identify activity that is of a cyber attack nature, we take a different approach. If someone on our network is launching DDoS attacks, we will move as quickly as possible to disable services."

4. Don't rely only on perimeter defenses

Having the remediation systems as far upstream as possible is a major factor in successful responses to DDoS attacks. Everyone we interviewed when reporting on the DDoS attacks that struck financial services firms a few years ago found that their traditional on-premises security devices — firewalls, intrusion-prevention systems, load balancers —were unable to block the attacks.

"We watched those devices failing. The lesson there is really simple: You have to have the ability to mitigate the DDoS attacks before it gets to those devices. They're vulnerable. They're just as vulnerable as the servers you are trying to protect," says Sockrider, when speaking of the attacks on banks and financial services a few years ago. Part of the mitigation effort is going to have to rely on upstream network providers or managed security service providers that can interrupt attacks away from the network perimeter.

It's especially important to mitigate attacks further upstream when you're facing high-volume attacks. "If your internet connection is 10GB and you receive a 100GB attack, trying to fight that at the 10GB mark is hopeless. You've already been slaughtered upstream," says Sockrider.

That's really been underscored by both of this year's record-setting attacks. There, attackers sent spoofed requests to vulnerable memcached servers, which are used to speed up websites and networks, says Bob Rudis, chief data scientist at Rapid7. "Memcached is to denial of service attacks as the hydrogen bomb was to traditional warfare," he says.

These attacks aren't letting up, he says. According to the latest Rapid7 threat report, memcashed daily connections spiked to around 10,000 in March, then to more than 50,000 in June, and to more than 200,000 in September. "Memcached attackers are alive and well and continue to take inventory for new systems -- of which there are still plenty on the internet," he says.

5. Fight application-layer attacks in-line

Attacks on specific applications are generally stealthy, much lower volume and more targeted. "They're designed to fly under the radar so you need the protection on-premises or in the data center so that you can perform deep-packet inspection and see everything at the application layer. This is the best way to mitigate these kinds of attacks," says Sockrider.

“Organizations will need a web protection tool that can handle application layer DoS attacks,” adds Tyler Shields, VP of strategy, marketing and partnerships at Signal Sciences. “Specifically, those that allow you to configure it to meet your business logic. Network based mitigations are no longer going to suffice,” he says.

Amir Jerbi, co-founder and CTO is Aqua Security, a container security company, explains how one of the steps you can take to protect against DDoS attacks is to add redundancy to an application by deploying it on multiple public cloud providers. “This will ensure that if your application or infrastructure provider is being attacked then you can easily scale out to the next cloud deployment,” he says.

6. Collaborate

The banking industry is collaborating a little when it comes to these attacks. Everything they reveal is carefully protected and shared strictly amongst themselves, but in a limited way, banks are doing a better job at collaborating than most industries. "They're working among each other and with their telecommunication providers. And they're working directly with their service providers. They have to. They can't just work and succeed in isolation," says IBM’s Price.

For example, when the financial services industry was targeted, they turned to the Financial Services Information Sharing and Analysis Center for support and to share information about threats. "In some of these information-sharing meetings, the [big] banks are very open when it comes to talking about the types of attacks underway and the solutions they put into place that proved effective. In that way, the large banks have at least been talking with each other," says Rich Bolstridge, chief strategist of financial services at Akamai Technologies. The financial sector's strategy is one that could and should be adopted elsewhere, regardless of industry.

7. Watch out for secondary attacks

As costly as DDoS attacks can be, they may sometimes be little more than a distraction to provide cover for an even more nefarious attack. "DDoS can be a diversion tactic for more serious attacks coming in from another direction. Banks need to be aware that they have to not only be monitoring for and defending the DDoS attack, but they also have to have an eye on the notion that the DDoS may only be one aspect of a multifaceted attack, perhaps to steal account or other sensitive information," Price says.

8. Stay vigilant

Although many times DDoS attacks appear to only target high profile industries and companies, research shows that’s just not accurate. With today’s interconnected digital supply-chains (every enterprise is dependent on dozens if not hundreds of suppliers online), increased online activism expressed through attacks, state sponsored attacks on industries in other nations, and the ease of which DDoS attacks can be initiated, every organization must consider themselves a target.

So be ready and use the advice in this article as a launching point to build your organization's own anti-DDoS strategy.

This story, "DDoS protection, mitigation and defense: 8 essential tips" was originally published by CSO.