What Is the Best Way to Respond to a DDoS Attack?

As data breaches continue to occur, cyber attackers have demonstrated greater technical sophistication in the area of distributed-denial-of-service (DDoS) attacks. The DDoS techniques themselves are not advanced, but the methods attackers now use to amass bandwidth are a new and powerful way to halt business by interrupting online service. In June 2013, attackers began to focus their attention on domain name system (DNS) providers.

This year DDoS attacks are a hot topic of conversation at the 23rd annual RSA Conference in San Francisco. Attacks on DNS providers are another example of compromising central strategic targets. These attacks can be disruptive in several ways and are a complete distraction for security leaders.

Knowing Your DDoS Attacker: Q&A with Security Expert Bill Brenner

Below I explore DDoS attacks with security expert Bill Brenner from Akamai Technologies. As a senior program manager at Akamai Technologies, Bill Brenner writes about threats to Internet security as seen from within Akamai’s InfoSec department. He produces content that explains how Akamai keeps its own house secure while defending customers against attacks. On the side, he writes a personal blog called The OCD Diaries, chronicling his experiences with OCD and other challenges.

1. Best practice for responding to a DDoS attack

Cybercrime is a billion-dollar business, and according to a 2013 report from the Ponemon Institute, the cost of cybercrime in 2013 increased by 78% among companies. DDoS accounted for more than 55% of the overall annual cybercrime costs per organization. Given the magnitude of the growing number of DDoS attacks, what is the best practice for responding to a DDoS attack?

Brenner: DDoS defense is something Akamai provides for its customers, but there’s also a lot of great guidance to be found online. One of my favorite examples is this article by Tracy Kitten of Bank InfoSecurity. In the article, she outlines four steps that cut to the heart of the matter:

  1. Use appropriate technology, including cloud-based Web servers, which can handle overflow when high volumes of Web traffic strike.
  2. Assess ongoing DDoS risks, such as through tests that mimic real-world attacks.
  3. Implement online outage mitigation and response strategies before attacks hit.
  4. Train staff to recognize the signs of a DDoS attack.

Those four tips should be part of any DDoS response plan.

2. Determining an attack is a DDoS

How do you (very quickly) determine that the attack is in fact a DDoS and not something else, such as a misconfiguration in the network? Is there an easy way to determine that?

Brenner: When you’re dealing with configuration problems, it’s usually a slower, ongoing series of issues; not necessarily something that will knock out the performance of a whole site. If site performance takes a sudden nosedive or is ground to a halt, that’s usually a good indication that a DDoS attack is in play. The speed with which you can determine if it’s DDoS really goes back to having in place the four items I mentioned above. With that mix of technology and training, separating compatibility problems from attack traffic should be a quicker process.
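As an added example (not code from the original post, from Akamai or from Brenner), here is one way to turn the suddenness heuristic above into detection logic: per-minute request volume from constructed access-log lines is used as the measurable signal, and the log format, the spike factor and the baseline window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed log format (an assumption, not any real server's):
# "<ISO-8601 timestamp> <client-ip> <status>"
def make_log(per_minute_rates, start="2013-06-01T12:00:00"):
    """Build constructed access-log lines with per_minute_rates[i]
    requests falling in minute i, spread evenly across the minute."""
    t0 = datetime.fromisoformat(start)
    lines = []
    for i, n in enumerate(per_minute_rates):
        for k in range(n):
            ts = t0 + timedelta(minutes=i, seconds=(60 * k) // n)
            # 198.51.100.0/24 is a documentation range; IPs are constructed
            lines.append(f"{ts.isoformat()} 198.51.100.{k % 250} 200")
    return lines

def minute_counts(lines):
    """Bucket requests per minute and return the counts in time order."""
    buckets = Counter(
        datetime.fromisoformat(line.split()[0]).replace(second=0)
        for line in lines
    )
    return [buckets[m] for m in sorted(buckets)]

def classify(counts, baseline=5, spike=5.0):
    """Apply the suddenness heuristic to per-minute request counts.
    A minute exceeding `spike` times the median of the preceding
    `baseline` minutes is reported as a sudden spike (investigate as
    DDoS first); a steady climb with no single jump is reported as a
    gradual drift (more consistent with an ongoing configuration issue).
    Returns (label, index of the triggering minute or None)."""
    for i in range(baseline, len(counts)):
        base = median(counts[i - baseline:i])
        if counts[i] > spike * base:
            return ("sudden-spike", i)
    if len(counts) >= 2 and counts[-1] > 2 * counts[0]:
        return ("gradual-drift", len(counts) - 1)
    return ("stable", None)

if __name__ == "__main__":
    flood = make_log([100, 104, 98, 110, 102, 96, 900])
    creep = make_log([100, 115, 130, 150, 170, 190, 215, 240])
    print(classify(minute_counts(flood)))   # ('sudden-spike', 6)
    print(classify(minute_counts(creep)))   # ('gradual-drift', 7)
```

A minute with no requests at all produces no bucket, so a real deployment would fill empty minutes with zero before classifying.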

3. Risks related to cyber threats and reputation

In a DDoS attack, multiple servers send simultaneous requests to the target’s web servers with the intent of making them crash. Companies like Akamai help customers deflect unwanted traffic from their websites, but how does the perception of risks related to cyber threats affect a brand’s reputation?

Brenner: It’s been said that time is money, and that’s certainly the case here. The longer a site is down from an attack, the more likely customers are to go elsewhere to do business. If you’re dealing with a one-off DDoS attack, customers tend to be forgiving and will return. If DDoS attacks are constant, customers will learn to take their money to another business. That’s why having a solid response plan is so important.

4. Defining secure computing

How would you define secure computing from both the IT and network administrative perspectives?

Brenner: In both cases, safe computing involves a workforce trained to be aware of threats, from phishing scams to best practices around passwords. I wouldn’t say there’s a one-size-fits-all approach because every company is different when it comes to the information they need to protect. But there are a lot of standard best practices that cover a wide range.

At Akamai, we give new hires security training on the first day, and that training involves a lot of regular follow-up. We cover everything from which instant messaging platforms to use or avoid when it involves work-related communications to knowing who our adversaries are and limiting the avenues by which they can access our proprietary information.

5. Cybercrime landscape

What will the cybercrime landscape look like in 2020? What will cybersecurity look like in 2020?

Brenner: In many ways the landscape will be the same. The bad guys will continue to use social engineering tricks to dupe people into downloading malicious code that can be used to open back doors for theft. What will be different is the technology most targeted. A decade ago attackers relied on attacks against operating system security holes. Today the targets tend to be the tools of social media like Twitter and Facebook. We’re starting to hear a lot of talk about the so-called Internet of Things and I think we’ll see many more concrete examples of a changing threat landscape as attackers begin targeting Internet-facing technology in everything from cars to household appliances.

As the scope and frequency of data breaches continue in an upward trajectory, it is more important than ever to get back to basic security fundamentals. While technical mitigation is a necessity, educating users within the enterprise that security is a mindset, not an exception, can also reduce these incidents.

Read the IBM research paper: Extortion by distributed denial of service attack


Mary Karnes

Offering Manager, Cloud Security Services, IBM Global Technology Services

Mary Karnes is a product manager with IBM Security Services and primarily focuses on services that help defend against...