How to prepare for and mitigate DDoS attacks
It's painfully clear that distributed denial-of-service attacks aren't going away. DDoS attacks are getting easier to execute: there are more computers and connected devices that can be conscripted into botnets, each with more computing power and better connectivity than before.
"It's eliminating the availability of a critical service," explains Drew Simonis, vice president and deputy chief information security officer at Hewlett Packard Enterprise. "You've got something that you need to do or you need to access, and people use technical or other means to prevent you from doing that."
DDoS attacks can overload and disrupt websites or back-end systems, potentially costing millions of dollars per minute of downtime.
"As best you can do, you can limit the damage, but you're never going to stop it," says Simonis. "So you'll need to figure out how you're going to operate in a degraded environment."
What are the latest trends for DDoS attacks in the COVID-19 pandemic?
During the beginning of the COVID-19 outbreak, the U.S. Health and Human Services Department suffered a cyberattack that involved "overloading the HHS servers with millions of hits over several hours," according to a Bloomberg cybersecurity article.
COVID-19 has not only forced organizations worldwide to adapt and adjust their cybersecurity strategies, but it has also forced nearly every person on the planet to change their behaviors and lifestyles. DDoS attacks have evolved for these changes, too, making defending against these attacks even more difficult.
"When working from a home location or a mobile location, it presents a lot of security risks for companies," says Dr. Larry Ponemon, chairman of the Ponemon Institute. "Getting people to work effectively in a secure environment can sometimes be almost impossible. But security has to evolve and change to replace the security protocols that exist in those environments."
Home networks and mobile devices have become new weak points in the perimeter, and the Internet of Things (IoT) has multiplied the number of connected devices that can serve both as targets and, once compromised, as sources of attack traffic.
"It could be a medical device, your laptop computer, a closed-circuit television system, or physical security. It could be just about anything," says Ponemon. "And these things are connected to the Internet. And as a result, they potentially pose a big threat to organizations."
Easier targets mean easier, more cost-efficient disruption. "A lot of the bad guys realize getting into the data center is potentially more difficult than just buying a kit," says Ponemon. "And it's getting even worse because the bad guys have some serious money that they can make by committing a denial-of-service attack."
With more people attending virtual meetings, events, and classes, cyberattackers have become more motivated to disrupt those activities.
"I told school districts that's actually something you'll see as kids get more involved in Bitcoin and that economy. They may decide to take your network down to prevent a test day or something like that," says James Morrison, distinguished technologist at HPE. "You used to pull a fire alarm and disrupt things by doing that. But it's now a possibility to use that kind of underground economy."
What is the impact on systems, processes, and technologies from DDoS attacks?
DDoS attacks impact systems, processes, and technologies, going far beyond taking down a network or website.
"When we think about a denial-of-service attack, the typical attack is basically the bad guys bringing down a system of good guys' companies," says Ponemon. "And while that's happening, they're committing all sorts of crimes within the network or even outside the network. And so it becomes like a smokescreen for the attack, which can be very costly in terms of potential exfiltration of information about customers, clients, or the government."
"You would think it would be an easy fix, but it really isn't because data centers are changing. Technology is changing. Different security protocols exist today that didn't exist back then," adds Ponemon.
According to the Cybersecurity and Infrastructure Security Agency, symptoms of a DDoS attack include the following (none of them is unique to DDoS, so confirm against traffic volumes before declaring an attack):
- Unusually slow network performance (opening files or accessing websites)
- Unavailability of a particular website
- An inability to access any website
When a service goes down because of a DDoS attack, customers may leave and never come back—hurting the bottom line of companies.
"With the Amazon effect, we expect two things: We expect that website to be up every time we click on it, and number two, we expect them to have availability for whatever product we want," Morrison says.
"Even if I'm in a service environment like a healthcare organization, if I'm clicking to get the results of my lab and I can't access the site, I'm going to get irritated and take my business elsewhere," he adds. "And so it's the same idea that we have to really understand that DDoS insurance is just something that we have to have. And if your provider doesn't provide it, maybe it's time to go to another provider or partner."
What is the toll on CISOs from DDoS attacks?
The increasing frequency and complexity of DDoS attacks have put CISOs and their organizations in challenging and costly situations.
"With DDoS attacks, it's really hard to prevent them because all it is in many cases is just an overwhelming volume of traffic directed in your general area," says Simonis. "And you're not in the business of stopping traffic. You want customers to visit your website. You want partners to be able to transact with you. You want all that activity to happen. It's just that when it comes flooding in that it's just something hard to predict, control, and really hard to stop."
Leaders of organizations need to create a culture of solid governance to ensure proper mitigation technologies and strategies are in place for DDoS attacks.
"Many companies have the technology, but they don't necessarily have the right people in place or the right governance infrastructure so that their organization is managing the effectiveness of security protocols in ways that are meaningful to the individual employee, management, as well as board members in a publicly traded company," says Ponemon.
"So governance is thinking about the process of security," he adds. "Security is a business process, which means that you're not just buying the best encryption technology. It means that you're building an infrastructure that is both cost efficient, secure, and doesn't diminish an organization's ability to innovate with new technologies."
How should organizations prepare for and mitigate DDoS attacks?
Organizations should take a three-pronged approach to prepare for and mitigate DDoS attacks:
- Conduct a business continuity assessment.
- Ensure you have a protection plan in place.
- Prepare a contingency plan.
Conduct a business continuity assessment
"Know what your critical services are," says Simonis. "Understand the level of criticality that goes with those, as well as understand how those services are delivered to the consumer―whether this is the difference between ransom-type attacks or network flood-type attacks―and which ones are most likely to occur."
Morrison recommends asking the following questions as part of the security evaluation:
- Do we have a complete and detailed inventory of our servers, firewalls, and routers?
- What's the configuration of our network?
- What are the details of our web servers, including who is hosting them and on what software?
- How much of our revenue comes through that portal?
Ensure you have a protection plan in place
"Make sure that you have the protections in place before you need them," says Simonis. "It's not good to call your telco or your ISP in the middle of a service attack and ask them, 'What kind of rate-limiting and filtering capabilities do you have?' It's good to know and anticipate those threats and have the capability in place pre-positioned."
"The first thing is working with your Internet provider, which will probably be the first group that recognizes the attack is coming," says Morrison. "They probably have different levels of mitigation. One could be to drop it into a sinkhole, do packet analysis, and then allow some other traffic to go forward. Maybe it's having a secondary IP address that you can reroute to. It could be load balancing or duplicate Internet-facing devices that load balance."
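The rate-limiting and filtering Simonis and Morrison describe is easier to reason about with a concrete model. The following is an added example, not code from the original article or from HPE or the people quoted in it: it gives every source address its own token bucket, drops a flooding source's excess before it reaches a shared link, and counts requests per window to name the sources worth handing to the ISP for filtering or sinkholing. The addresses (RFC 5737 documentation ranges), request rates and link capacity are constructed assumptions, not measurements.

```python
"""Per-source rate limiting in front of a shared bottleneck, over constructed traffic.

Added example, not code from the article or from HPE. Addresses, rates and the
link capacity are constructed assumptions chosen so the arithmetic stays exact.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Request = Tuple[float, str]  # (arrival time in seconds, source address)

# Constructed sources from RFC 5737 documentation ranges, not real hosts.
LEGIT_SOURCES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
FLOOD_SOURCE = "203.0.113.7"


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at `rate` tokens per second."""

    def __init__(self, capacity: float, rate: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = capacity
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill for the time elapsed since the last decision, capped at capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def constructed_traffic(duration: float = 60.0) -> List[Request]:
    """Three clients at one request every 2 s plus one source flooding at 4 req/s.
    Timestamps are multiples of 0.25 so binary floating point represents them exactly."""
    reqs: List[Request] = []
    for src in LEGIT_SOURCES:
        reqs += [(t * 2.0, src) for t in range(int(duration / 2))]
    reqs += [(k * 0.25, FLOOD_SOURCE) for k in range(int(duration / 0.25))]
    return sorted(reqs)  # deterministic order: by time, then by address


def _run(reqs: Iterable[Request], bucket_for) -> Tuple[List[Request], List[Request]]:
    passed, dropped = [], []
    for ts, src in reqs:
        (passed if bucket_for(src).allow(ts) else dropped).append((ts, src))
    return passed, dropped


def per_source_filter(reqs: Iterable[Request], capacity: float = 5.0, rate: float = 1.0):
    """Every source gets its own bucket, so one flooder cannot spend everyone's budget."""
    buckets: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(capacity, rate))
    return _run(reqs, lambda src: buckets[src])


def shared_link(reqs: Iterable[Request], capacity: float = 10.0, rate: float = 3.0):
    """One bucket for all traffic: the bottleneck between customers and the service."""
    link = TokenBucket(capacity, rate)
    return _run(reqs, lambda _src: link)


def top_talkers(reqs: Iterable[Request], window: float = 10.0, threshold: int = 20) -> List[str]:
    """Sources that exceed `threshold` requests in any `window`-second bin."""
    bins: Dict[Tuple[int, str], int] = defaultdict(int)
    for ts, src in reqs:
        bins[(int(ts // window), src)] += 1
    return sorted({src for (_, src), n in bins.items() if n > threshold})


def compare(duration: float = 60.0) -> Dict[str, int]:
    """Legitimate requests lost at the shared link with and without per-source filtering."""
    traffic = constructed_traffic(duration)
    legit = set(LEGIT_SOURCES)
    # (a) no filtering: the flood competes with customers for the same link
    _, dropped_plain = shared_link(traffic)
    # (b) per-source limiting upstream of the same link
    passed, _ = per_source_filter(traffic)
    _, dropped_filtered = shared_link(passed)
    return {
        "legit_lost_without_filter": sum(1 for _, s in dropped_plain if s in legit),
        "legit_lost_with_filter": sum(1 for _, s in dropped_filtered if s in legit),
        "flood_passed_filter": sum(1 for _, s in passed if s == FLOOD_SOURCE),
    }


if __name__ == "__main__":
    print(compare())
    print("top talkers:", top_talkers(constructed_traffic()))
```

In the constructed scenario the flood alone exceeds what the shared link can carry, so without filtering a large share of the legitimate requests are dropped alongside the attack traffic; with per-source limiting in front of the link the flooder is cut to roughly one request per second plus its initial burst and no legitimate request is lost. The placement is the point Simonis makes: limiting helps only if it sits upstream of the bottleneck, which is why the conversation with the ISP or telco has to happen before the attack, not during it.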
Prepare a contingency plan
"Have a fallback plan that allows you to resume business, because even in the best case, you're going to see a reduction in availability," says Simonis. "Sooner or later, there's a bottleneck in the path between your customer and yourself. And that bottleneck, no matter how good the filtering or limiting is, it's going to get pressured. So, even if most of your customer traffic is coming through, maybe it's slower and your transactions aren't happening quickly enough. And there's going to be customer impact from that.
"So have a contingency plan that just assumes things aren't going to be good," adds Simonis. "Have a way to communicate that to your customer, have a way to do alternative processing, and have a backup system in place that allows you to maintain some level of continuity, even if it's degraded in some way."
DDoS attacks: Lessons for leaders
- Make sure to have the right people in place and the right governance infrastructure for the security and innovation needed to defend against DDoS attacks.
- Conduct a thorough business continuity assessment along with a security evaluation to ensure you have the proper protections for DDoS attacks.
- Prepare a contingency plan so that you're able to maintain some level of continuity in a degraded environment.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.