Distributed denial-of-service attacks (DDoS) are among the most concerning attack trends of 2014 for security engineers, IT personnel, business owners and government officials. According to IBM X-Force threat intelligence, these attacks were second in frequency only to SQL injection.
The upsurge of recent DDoS activity has been credited to politically-motivated attackers who routinely organize “operations” and target the infrastructures of governments or companies that they perceive as enemies. Common targets of these organizations include banks, schools, nonprofit organizations, small businesses, enterprises and newspapers. Banks, however, seem to be the primary target for these attackers: According to a recent survey by the Ponemon Institute, as many as 64 percent of banks surveyed had been hit by at least one DDoS attack in the last year.
DDoS Difficulties
The anatomy of a denial-of-service attack is very complicated. Depending on the tools and resources available to the attacker, the attack may be initiated using a single computer targeting a single resource, or it could be millions of computers sending millions of packets to one or multiple targets. In almost all cases, hackers will first compromise hundreds or thousands of computers, add them to botnets and use them as sources of the attack. Using botnets provides three advantages:
- It allows an attacker to exponentially increase the amount of traffic used in the attack, therefore increasing the likelihood of success.
- It makes the attack geographically dispersed and therefore harder to mitigate.
- It allows the attackers to hide their identities so they are less likely to get caught.
To add to the complexity, authors of modern-day tools used for these attacks include constantly-changing evasion techniques to further reduce the likelihood of detection.
Regardless of the motivations, tools or methods used to deliver this malicious activity, system administrators, security engineers and IT personnel face the daunting challenge of defending their network resources from these attacks. To prepare effectively, security professionals must have a mitigation plan in place, provide around-the-clock monitoring and have a response plan for the event that they do get attacked. IBM Security and IBM X-Force recommend that customers use the following best practices to protect themselves against these attacks.
Best Practice 1: Secure Your Network
The first step is to secure all of the network resources in your infrastructure, not just resources that may be susceptible to denial of service. Protecting your network infrastructure will help stop attackers from compromising servers, laptops, desktops and other resources used to build botnets that can then participate in denial-of-service attacks from inside your network. IBM Security appliances can help prevent assets from being compromised, provide protection against application layer attacks and help prevent low- to mid-volume network DDoS attacks.
Read the IBM research paper: Extortion by distributed denial of service attack
There are several steps you need to take to secure your network resources:
- Perform frequent scans on your Web services and ensure that you fix your vulnerable Web applications to reduce the risk of compromise.
- Perform frequent scans on your network assets and ensure that all vendor patches for operating systems and network applications have been applied to reduce the risk of compromise.
- Ensure that your network is protected by intrusion prevention and other threat management systems to help protect your network assets from being compromised, defend against low- to medium-volume DoS attacks and help mitigate exposure to Layer 7 DoS attacks.
- Ensure that you have an advanced security information and event management (SIEM) solution in place to take advantage of consolidated security event reporting, log collection and anomaly detection, which will help detect DDoS activity and detect and mitigate advanced persistent threats used to compromise network assets.
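The SIEM item above says consolidated log collection and anomaly detection help detect DDoS activity. The following is an added example of what that detection logic can look like, written for this page and not taken from the article or from any IBM product: it replays web-server access log lines in Common Log Format through a sliding window and raises two kinds of alert, one for a single source exceeding a per-source request limit and one for a distributed flood where the aggregate volume is high but every individual source stays below that limit. The log lines use documentation-range addresses and are constructed; the window length and thresholds are assumed tuning values that a real deployment would set from a measured baseline.

```python
"""Flag single-source and distributed floods in web access logs.

Added example, not from the original article. Log lines, addresses and
thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx Common Log Format, e.g.
# 203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Assumed tuning values (not from the article); derive them from a baseline
# of normal traffic in a real deployment.
WINDOW_SECONDS = 10    # sliding window length
PER_SOURCE_LIMIT = 20  # requests from one source per window -> single-source flood
TOTAL_LIMIT = 50       # requests from all sources per window ...
MIN_SOURCES = 10       # ... spread over at least this many sources -> distributed flood


def parse_line(line):
    """Return (timestamp, source_ip) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip")


def detect(lines):
    """Replay time-ordered log lines through a sliding window and return alerts.

    Alerts are ("single_source", ip, count, ts) when one source reaches
    PER_SOURCE_LIMIT, or ("distributed", source_count, total, ts) when the
    window as a whole reaches TOTAL_LIMIT across at least MIN_SOURCES sources.
    Each condition fires once and re-arms only after the window drains.
    """
    window = deque()            # (ts, ip) events inside the last WINDOW_SECONDS
    per_source = defaultdict(int)
    alerted_sources = set()
    distributed_alerted = False
    alerts = []

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # a SIEM would count unparsable lines separately
        ts, ip = parsed

        # Drop events that have fallen out of the window.
        while window and (ts - window[0][0]).total_seconds() >= WINDOW_SECONDS:
            _, old_ip = window.popleft()
            per_source[old_ip] -= 1
            if per_source[old_ip] == 0:
                del per_source[old_ip]
                alerted_sources.discard(old_ip)   # re-arm for this source
        if len(window) < TOTAL_LIMIT // 2:
            distributed_alerted = False           # re-arm with hysteresis

        window.append((ts, ip))
        per_source[ip] += 1

        if per_source[ip] >= PER_SOURCE_LIMIT and ip not in alerted_sources:
            alerts.append(("single_source", ip, per_source[ip], ts))
            alerted_sources.add(ip)

        if (len(window) >= TOTAL_LIMIT and len(per_source) >= MIN_SOURCES
                and not distributed_alerted):
            alerts.append(("distributed", len(per_source), len(window), ts))
            distributed_alerted = True
    return alerts


def sample_log():
    """Constructed log (documentation-range addresses): ten seconds of light
    traffic, then one client sending 25 requests in 5 s, then 60 requests in
    5 s spread over 12 sources so that no single source stands out."""
    fmt = '{ip} - - [10/Oct/2014:13:55:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.%d" % (s % 3 + 1), sec=s) for s in range(10)]
    lines += [fmt.format(ip="203.0.113.7", sec=10 + i // 5) for i in range(25)]
    lines += [fmt.format(ip="192.0.2.%d" % (i % 12 + 1), sec=20 + i // 12) for i in range(60)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

On the constructed log this produces exactly two alerts: a single-source alert for 203.0.113.7 when it reaches 20 requests inside the window, and a distributed alert when the 12 low-rate sources push the window total to 50. The distributed rule is the one that matters for botnet traffic, because per-source thresholds alone never fire when each bot stays polite.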
Best Practice 2: Plan, Recover, Detect and Mitigate
The second step is to ensure that you have choke points throughout the network to detect and mitigate denial-of-service attacks as well as capacity plans, expertise and processes in place to recover from a DDoS attack. Consider deploying a managed service that provides:
- Constant, 24/7 monitoring and mitigation of denial-of-service attacks;
- The right mix of processes, people and technology to defend your infrastructure from both volume-based and application-based DDoS attacks;
- Tools to help plan for and implement the resource capacity that can scale to your organization;
- A plan for normal volume surges as well as DDoS attacks by testing and setting a baseline for current network, Web and application resources (including both private virtual environments and public cloud service providers);
- Traffic-limiting and load-balancing within the existing environment to help customers keep their network running while under attack;
- Deployment of an edge device or a farm of devices with the capacity to handle anticipated surges and allow valid traffic and block bad traffic;
- Alert and notification procedures, assigned priority levels, call-out lists, response and escalation actions, communication activities and other considerations.
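Two of the items above, setting a baseline for normal volume surges and traffic-limiting while under attack, are worked through in the added example below. It is written for this page and is not the article's or IBM's code: a per-client baseline (requests per minute) is measured on a known-normal period, a classifier separates ordinary surges from attack-level volume using z-scores, and a token-bucket limiter takes its sustained rate and burst size from the baseline plus headroom, so that legitimate clients never notice it. The sample counts, client names, z-score thresholds and headroom factor are constructed or assumed.

```python
"""Baseline normal per-client traffic, classify observations against it,
and rate-limit clients that exceed the baseline plus headroom.

Added example, not from the original article. Sample counts, client names
and limiter parameters are constructed / assumed.
"""
import statistics


def baseline(per_minute_counts):
    """Mean and population standard deviation of per-client requests per
    minute, measured during a period known to be free of attack traffic."""
    return statistics.mean(per_minute_counts), statistics.pstdev(per_minute_counts)


def classify(count, mean, stdev, surge_z=3.0, attack_z=10.0):
    """Label an observed per-minute count against the baseline.

    'surge' covers legitimate peaks (campaign, news event) that exceed the
    baseline moderately; 'attack' is far beyond anything the baseline period
    produced. The z thresholds are assumed tuning values."""
    if stdev == 0:
        z = float("inf") if count > mean else 0.0
    else:
        z = (count - mean) / stdev
    if z >= attack_z:
        return "attack"
    if z >= surge_z:
        return "surge"
    return "normal"


class TokenBucket:
    """Per-client token bucket: `rate` tokens/second refill, `burst` capacity."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # client -> (tokens, last_seen)

    def allow(self, client, now):
        """Return True if this request may pass; consumes one token if so."""
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[client] = (tokens - 1, now)
            return True
        self.buckets[client] = (tokens, now)
        return False


def limiter_from_baseline(mean, stdev, headroom_z=3.0):
    """Build a limiter that passes anything the baseline period would have
    produced plus headroom: sustained rate of mean + headroom_z*stdev
    requests per minute, and a burst of one minute's worth at that rate."""
    per_minute = mean + headroom_z * stdev
    return TokenBucket(rate=per_minute / 60.0, burst=per_minute)


def simulate(bucket, requests):
    """Run (timestamp_seconds, client) requests, time-ordered, through the
    bucket and return {client: (allowed, dropped)}."""
    stats = {}
    for now, client in requests:
        allowed, dropped = stats.get(client, (0, 0))
        if bucket.allow(client, now):
            allowed += 1
        else:
            dropped += 1
        stats[client] = (allowed, dropped)
    return stats


# Constructed: per-client requests per minute sampled from a normal week.
NORMAL_MINUTES = [20, 22, 18, 25, 21, 19, 23, 20, 24, 18]


def demo():
    """A well-behaved client (one request every 3 s) and a flooding client
    (ten requests per second for 10 s) share one baseline-derived limiter."""
    mean, stdev = baseline(NORMAL_MINUTES)
    bucket = limiter_from_baseline(mean, stdev)
    requests = [(3 * i, "legit-client") for i in range(20)]
    requests += [(i / 10, "flood-client") for i in range(100)]
    return simulate(bucket, sorted(requests))


if __name__ == "__main__":
    m, s = baseline(NORMAL_MINUTES)
    print("baseline: mean=%.1f stdev=%.2f" % (m, s))
    for observed in (24, 30, 60):
        print(observed, "req/min ->", classify(observed, m, s))
    print(demo())
```

The baseline here is about 21 requests per minute with a standard deviation near 2.3, so 24 classifies as normal, 30 as a surge and 60 as attack-level. The limiter derived from it lets the well-behaved client's 20 requests through untouched while dropping roughly two thirds of the flooding client's 100 requests, which is the behaviour the "keep your network running while under attack" item is after: capacity is reserved for traffic that looks like the baseline.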
IPS Product Manager, IBM Security