
Five steps to prepare for a DDoS attack

By Sean Leach, Vice President of Technology for Verisign.


Date: 16 Sep 2013

As more people are realizing that in today's cyber climate Distributed Denial of Service (DDoS) attacks are a matter of when, not if, the most common question I get asked is "What can I do to prepare?" I like to break it down into five key steps enterprises can take now to be prepared for a future attack:


1. Centralize Data Gathering and Understand Trends
This is true across all security topics, but the last thing you want to be is blind when a DDoS attack hits. Generally, the DDoS attack timeline goes something like this for the head of network operations:
- 9:00 am - your monitoring system starts lighting up like a Christmas tree and your phone is blowing up with SMS alerts saying "the site is down."
- 9:01 am - your CEO calls you screaming "why is the site down?!?!?!?!"
Hopefully, you can answer that question, but without proper metrics and data gathering you can't possibly hope to identify the root cause. It could be a network circuit down, a data center failure, a DDoS attack, etc. With proper data gathering and monitoring in place, you can quickly identify a DDoS attack as the cause and start the process of getting the website back up and running. It's critical to identify the cause early, as DDoS attacks can be quite complex; the sooner you jump on identification and remediation, the sooner the site will be back up.
At minimum, the metrics you should gather include:
- Inbound and outbound bandwidth on all of your network circuits, peering connections, etc.
- Server metrics: CPU load, network and disk I/O, memory, etc.
- Top talkers: top sources and destinations of traffic by IP and port.
- If you are running a website, you need to understand items like the top URLs being requested (vs. the top URLs usually requested), top HTTP headers, HTTP vs. HTTPS traffic ratios, etc.
All of these metrics (and there are many more I didn't cover) should then be sent to a central logging and correlation system so you can view and compare them from a single viewpoint. This helps you spot trends and quickly identify the sources and method of the attack. This is especially important in a very complex attack where the problem isn't obvious (e.g. it's easy to see when your network bandwidth is saturated, but when a botnet is simulating clicks on the "Add to Cart" button to overwhelm your database resources, that isn't as easy to spot, especially if you are trying to piece together data from many disparate systems).
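To make the "Add to Cart" point concrete, here is an added example (not code from the original article or from Verisign) that builds the metrics listed above from constructed web-server access-log lines and compares an attack window against a baseline window. The log format, the IP addresses (documentation ranges), the URLs and the thresholds are all assumptions made for the example; the idea it demonstrates is that a botnet hitting one expensive endpoint can show up as a shift in URL share while bandwidth and the top-talker view stay unremarkable.

```python
import re
from collections import Counter

# Constructed access-log lines (not real captures): the common combined log
# layout with the scheme prepended, as a site logging both HTTP and HTTPS
# listeners might emit. Timestamps are fixed to the article's 9:00 am scenario.
def _line(scheme, ip, method, path, status, nbytes, sec):
    return (f'{scheme} {ip} - - [16/Sep/2013:09:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} {nbytes}')

# A quiet window: varied clients, varied pages, one real cart addition.
BASELINE_LOG = [
    _line("https", "198.51.100.10", "GET", "/", 200, 5120, 0),
    _line("https", "198.51.100.11", "GET", "/products/42", 200, 8192, 1),
    _line("http", "198.51.100.12", "GET", "/", 200, 5120, 2),
    _line("https", "198.51.100.13", "GET", "/products/7", 200, 8000, 3),
    _line("https", "198.51.100.14", "POST", "/cart/add", 302, 0, 4),
    _line("https", "198.51.100.15", "GET", "/checkout", 200, 6000, 5),
    _line("http", "198.51.100.16", "GET", "/products/42", 200, 8192, 6),
    _line("https", "198.51.100.17", "GET", "/search?q=shoes", 200, 9000, 7),
    _line("https", "198.51.100.18", "GET", "/", 200, 5120, 8),
    _line("https", "198.51.100.19", "GET", "/products/3", 200, 7800, 9),
]

# An application-level flood: three hosts each POST /cart/add three times
# (tiny responses, so little bandwidth), plus a few legitimate requests.
ATTACK_LOG = [
    _line("https", f"203.0.113.{bot}", "POST", "/cart/add", 302, 0, sec)
    for sec, bot in enumerate([5, 6, 7] * 3)
] + [
    _line("https", "198.51.100.20", "GET", "/", 200, 5120, 9),
    _line("https", "198.51.100.21", "GET", "/products/42", 200, 8192, 10),
    _line("http", "198.51.100.22", "GET", "/checkout", 200, 6000, 11),
]

LINE_RE = re.compile(
    r'^(?P<scheme>https?) (?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def metrics(lines):
    """Per-window numbers from the article's list: volume, top talkers, top URLs, scheme ratio."""
    recs = list(parse(lines))
    total = len(recs)
    return {
        "requests": total,
        "bytes": sum(int(r["bytes"]) for r in recs),
        "top_talkers": Counter(r["ip"] for r in recs).most_common(3),
        "top_urls": Counter(r["path"] for r in recs).most_common(3),
        "https_ratio": (sum(r["scheme"] == "https" for r in recs) / total) if total else 0.0,
    }

def _url_shares(lines):
    """Fraction of all requests that went to each path."""
    counts = Counter(r["path"] for r in parse(lines))
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()} if total else {}

def detect_app_flood(baseline, current, share_factor=5.0, min_share=0.2, talker_share=0.3):
    """Compare the current window against the baseline window.

    Flags any URL whose share of requests has grown by share_factor (and is at
    least min_share), and any single source IP above talker_share of traffic.
    Thresholds are example values; tune them against your own baseline.
    """
    findings = []
    base = _url_shares(baseline)
    for path, share in _url_shares(current).items():
        expected = base.get(path, 0.0)
        if share >= min_share and share > expected * share_factor:
            findings.append({"kind": "url_share", "path": path,
                             "baseline_share": round(expected, 3),
                             "current_share": round(share, 3)})
    cur = metrics(current)
    if cur["requests"]:
        ip, n = cur["top_talkers"][0]
        if n / cur["requests"] > talker_share:
            findings.append({"kind": "top_talker", "ip": ip,
                             "share": round(n / cur["requests"], 3)})
    return findings

if __name__ == "__main__":
    for name, window in (("baseline", BASELINE_LOG), ("attack", ATTACK_LOG)):
        print(name, metrics(window))
    print("findings:", detect_app_flood(BASELINE_LOG, ATTACK_LOG))
```

Run stand-alone, the attack window carries fewer bytes than the baseline (19,312 vs. 62,544) and no single IP exceeds 30% of requests, so a bandwidth graph or a top-talker table alone would look healthy; only the jump in the `/cart/add` share (10% to 75%) surfaces the problem. That is the reason the article asks for these metrics side by side in one correlation system rather than spread across separate tools.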


2. Define a Clear Escalation Path
Now that you have determined it really is a DDoS attack, what next? Do you know who to call to get your service back up and running? What tools do you have in place to block the malicious traffic? If you have purchased DDoS protection (very smart!), how do you get the system fired up? These are key questions that should be written down and answered BEFORE the attack hits. During an attack people are rarely calm and it's no fun trying to figure out an escalation path in the middle of the craziness. Do it before the attack hits so you can calmly execute your plan and get your site back up and running.
Note that this doesn't just mean "technical" contacts. You want to let the head of support and customer service know as well. You can bet customers will be calling in and there is nothing worse than to answer "weird, I didn't know our site was down" when a customer calls. You also want to let your CEO know (if he or she doesn’t already). Each business is different, so you should consider your situation and think of all the people who might want to know the website is down and add them to the list. An "outages" mailing list is a central place to report these items without you needing to remember who to send the info to every time.
If you do have a cloud-based DDoS protection service in place, make sure the group you have chosen internally to be the touch point with the provider has the up-to-date 24/7 hotline, the email address to send capture files to, etc. The vendor should be one of the first calls you make to start the mitigation. You need to engage your mitigation provider immediately, as they have done this many times before and will know what to do to get your site back up and running.


3. Use Layered Filtering
In the discussion of size vs. complexity of an attack, you need to be able to handle both the "big and dumb" types (a whole lot of requests that are generally easy to spot as malicious, often known as "network level") and the "small and complex" types (fewer requests, but extremely difficult to differentiate legitimate from malicious, commonly referred to as "application level" or "layer 7" attacks). Some tools and techniques work (and scale) very well to mitigate the "big and dumb" types, but fail miserably on the application attacks. On the other hand, some techniques that are required for application attacks have trouble scaling on the larger network attacks.
Recently, we have seen more of a third type of attack, "big and complex!" A combination of the two aforementioned attack types, these are big attacks where the traffic is really hard to identify as malicious or legitimate. With great technology and layered filtering (like the Verisign DDoS Protection Service offers) though, you are in a better position to handle any of these types of attacks.


4. Address Application and Configuration Issues
Not only are DDoS attacks really good at pinpointing bottlenecks in your network and security infrastructure, they are also amazing at identifying problems in your application, especially when it comes to performance tuning and configuration. If you haven't done proper application load testing (both before launch and every so often to check for any slowness that may have crept in), a DDoS attack may be the first time your website or application has really been stress-tested. You may find your database configuration is sub-optimal, or your Web server isn't configured for enough open connections. Whatever the issue, you will quickly see how well you have tuned your website. It's always a good idea to do load testing of your site on your schedule, not the attackers'.


5. Protect Your Domain Name System (DNS)
This is crucial and yet probably the most overlooked of all of the above recommendations. I can't tell you how many enterprises have spent millions of dollars on their Web hosting infrastructure (data centers, web servers, load balancers, database servers, etc.) but have only two low-end DNS servers to handle all of their DNS traffic.


DNS is an extremely common target for DDoS attacks due to how critical the service is for Web availability (there are plenty of articles and examples of large Web properties going down due to DNS issues, often attack-related). If a customer can't resolve the IP address of your website (which is the job of DNS), it doesn't matter how much you have spent on your hosting; that customer is not getting to your site. Protecting your DNS as part of a good DDoS mitigation strategy is fundamental.