Are You Prepared for DDoS? (Not A Checklist)

DDoS attack checklist
Kevin Whalen

In the 13th Annual Worldwide Infrastructure Security Report (WISR) from NETSCOUT Arbor, survey respondents were asked to identify the security measures they had in place against DDoS attacks. Among enterprise respondents, 82% identified firewalls and 57% had intrusion detection/prevention systems (IDS/IPS). In contrast, only 28% had Intelligent DDoS Mitigation Systems.

Firewalls and IDS/IPS certainly have their place in the security arsenal. They are the first line of defense against attacks whose purpose is, for example, identity theft or industrial espionage. But on their own, they are inadequate against attacks intended to deny service. In fact, because they keep per-connection state, they are often the first targets of DDoS attacks seeking to compromise network infrastructure.

Security decisions often reflect a “check-the-box” approach: what tools do we need to have? And perimeter defenses like firewalls usually rank high on the must-have checklist. Often this approach is driven by compliance concerns: what do the regulators say we must have? All too often, organizations then lull themselves into believing that if they are compliant, they are secure. They have checked all the boxes.

Instead of checking off a list of solutions, enterprises need to assess where they stand on the continuum of risk posed by DDoS threats. In other words, “What are the DDoS risks we face, and are we prepared to meet them?” Here are some likely answers:

Volumetric DDoS attacks: This type of DDoS attack seeks to consume the bandwidth either within the target or between the target and the rest of the internet. It achieves its objective of blocking access to and delivery of services through overwhelming force. Such attacks are increasing in size – the 1+ terabit attack is becoming the new reality. Defending against them requires a mitigation solution of comparable capacity, which because of its sheer size typically resides in the cloud.

TCP State Exhaustion attacks: These attacks attempt to consume the connection state tables present in many infrastructure components, such as load-balancers, firewalls and application servers. Even high capacity devices capable of maintaining millions of connections can be taken down by these attacks.

Application layer attacks: These attacks go after specific applications or services residing at Layer-7, also known as the application layer. These are particularly insidious because they can be very effective with as few as one attacking machine generating a low traffic rate, which makes them very difficult to detect and mitigate. Defending against them requires a device that can distinguish between legitimate data traffic coming into a network and cleverly disguised threats – no easy task as traffic volume and speeds accelerate.
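The three categories above are distinguished by what they exhaust, not by how much traffic they send, which is why a single bandwidth threshold misses two of them. The following added example (not from NETSCOUT Arbor or this article) shows one way a detector can tell them apart from per-second traffic summaries; the `Sample` record, the thresholds and the traffic figures are all constructed for illustration, and real thresholds would be learned from a baseline of normal traffic.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    """One second of inbound traffic as a flow/packet sensor might summarize it (assumed format)."""
    t: int
    bits_per_sec: int          # total inbound bandwidth
    syn_per_sec: int           # TCP SYNs arriving
    established_per_sec: int   # handshakes that actually completed
    http_req_per_sec: int      # Layer-7 requests reaching the application
    http_avg_ms: float         # mean server time per request

# Illustrative thresholds (assumed); in practice they come from a learned baseline.
LINK_CAPACITY_BPS = 10_000_000_000   # assume a 10 Gbit/s edge link
VOLUMETRIC_FRACTION = 0.8            # >80% of link: bandwidth is the target
HALF_OPEN_MIN_SYN = 10_000           # SYN rate worth examining at all
HALF_OPEN_RATIO = 0.9                # >90% of SYNs never complete: state tables are the target
APP_COST_FACTOR = 10.0               # per-request cost 10x baseline: the application is the target

def classify(s: Sample, baseline_avg_ms: float) -> set:
    """Return every attack category a sample matches (several at once = multi-vector)."""
    hits = set()
    if s.bits_per_sec >= VOLUMETRIC_FRACTION * LINK_CAPACITY_BPS:
        hits.add("volumetric")
    if s.syn_per_sec >= HALF_OPEN_MIN_SYN:
        never_completed = 1.0 - s.established_per_sec / s.syn_per_sec
        if never_completed >= HALF_OPEN_RATIO:
            hits.add("state-exhaustion")
    # Application layer: request rate and bandwidth look harmless, but each
    # request costs the server far more than normal traffic does.
    if s.http_req_per_sec > 0 and s.http_avg_ms >= APP_COST_FACTOR * baseline_avg_ms:
        hits.add("application-layer")
    return hits

def detect(samples, baseline_avg_ms):
    """Map each sample's timestamp to the categories it triggered (empty set = normal)."""
    return {s.t: classify(s, baseline_avg_ms) for s in samples}

# Constructed samples: a normal second, one per attack category, then all three together.
SAMPLES = [
    Sample(0, 400_000_000, 2_000, 1_950, 5_000, 8.0),
    Sample(1, 9_500_000_000, 2_100, 2_000, 4_900, 8.5),     # flood fills the link
    Sample(2, 600_000_000, 80_000, 1_200, 4_800, 9.0),      # SYNs that never finish
    Sample(3, 350_000_000, 2_050, 2_000, 4_600, 240.0),     # few bytes, slow handlers
    Sample(4, 9_800_000_000, 120_000, 900, 4_700, 310.0),   # multi-vector
]
BASELINE_AVG_MS = 8.0

if __name__ == "__main__":
    for t, hits in detect(SAMPLES, BASELINE_AVG_MS).items():
        print(t, sorted(hits) or ["normal"])
```

Note that samples 2 and 3 stay well under link capacity, so a detector keyed only on bandwidth would report both as normal.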

Multi-layer, multi-vector attacks: DDoS attacks are increasingly employing some combination or variants of these three attack categories in a single sustained attack. This has the effect of confusing and diverting defenses. A recent reported attack on Chile’s largest bank put some 9,500 servers and workstations out of commission – a major disruption in and of itself, but it turned out to be merely a diversion that allowed the attackers to achieve their real objective: siphoning $10 million out of the bank via the SWIFT network.

Outbound attacks from within: Sophisticated attackers are turning the tables on defenders and planting malware in enterprise networks that can be used to launch attacks on both internal and external targets. Bad actors especially favor Internet of Things (IoT) devices as a way to worm their way into enterprise networks. IoT botnets have figured prominently in recent large attacks.

Emerging threats: As if all these threats were not enough, new ones keep springing up on the global threat landscape. Staying ahead of them requires a global threat intelligence capability.

A strong defense posture calls for protection against all these types of threats. Ignoring any one leaves you exposed at some point along the risk continuum. A hybrid or layered defense combining cloud-based and on-premise detection and mitigation, informed by global threat intelligence alerts and powered by automation, is widely considered best practice.

A security professional might look at all the risks and what it takes to mitigate them, and think, “We don’t have the budget, and we don’t have the bandwidth.” That is where the managed DDoS service option comes in – outsourcing to a provider that has already made the investment in technology and professional expertise to mitigate any type of attack. It saves money, amplifies in-house resources, and reduces risks. And it renders the security checklist obsolete.