Distributed Denial of Service attack: Prevention and best practices
As one of the easiest attacks to launch and often devastatingly effective, a distributed denial of service (DDoS) attack is one of the most common threats in today’s cybersecurity landscape. In simple terms, a DDoS attack seeks to disrupt a target’s connectivity or user services by flooding its network with an overwhelming volume of fraudulent traffic, typically through a botnet.
The damage from a DDoS attack can be devastating. In one recent survey, 98 percent of respondents reported costs of more than $100,000 for each hour of downtime, while over one-third estimated costs in excess of $1 million. The average DDoS attack causes $218,000 in direct damage (around £179,601), in addition to any accompanying extortion, data theft, business disruption, or harm to the victim’s reputation and business and customer relationships.
Without an effective DDoS attack prevention strategy, complemented with DDoS protection solutions and threat intelligence, organizations are at significant risk. To reduce the risk of a devastating DDoS attack, businesses should adhere to the following five steps as the foundation of an effective DDoS attack prevention strategy:
1. Know What to Watch for
To detect whether a DDoS attack is underway before it’s too late, businesses need to know what normal network traffic looks like. By creating a baseline of usual traffic patterns, they can more easily identify the symptoms of a DDoS attack, such as inexplicably slow network performance, spotty connectivity, intermittent web crashes, unusual traffic sources, or a surge of spam.
Vigilant monitoring is critical, including both network and application traffic; even a small anomaly can signal a test by cybercriminals in advance of a larger attack. The sooner an attack is detected, the more quickly and effectively a DDoS attack mitigation plan can be implemented. At the same time, it’s critical to minimize false positives in order to avoid unnecessary operational disruptions.
2. Make a Denial of Service Response Plan
When it has been determined that a likely DDoS attack is underway, organizations need to be able to respond quickly and efficiently. Detailed planning will avoid the need to improvise under pressure. This should include:
- A checklist of systems, assets, and advanced threat detection tools
- A defined response team with the DDoS attack mitigation competencies
- Procedures to maintain business operations for the duration of the attack
- Protocols for incident notification and escalation
- A communications plan covering both employees and external stakeholders such as customers and partners and the media
3. Ensure a Resilient Infrastructure
Given the high likelihood of an attempted DDoS attack at some point, organizations should take steps to minimize the impact of a successful denial of service. Designing network and systems to accommodate excess traffic -- from 2 – 5x the anticipated baseline need -- can help absorb an attack for long enough to mount a response. Distributing resources can limit the reach of an attack, such as by putting servers in different data centers, and putting data centers on different networks and in different physical locations.
Redundant devices and high-availability architecture can increase the speed of system restoration following a DDoS attack (note that they should be launched only after an attack has concluded to avoid exposing them to an ongoing attack). Avoid or harden bottlenecks and single points of failure that can be especially vulnerable to a traffic flood.
4. Take Refuge in the Cloud
The cloud offers a few possibilities to reduce the risk of a DDoS attack. Migrating assets to the cloud is one approach; cloud providers have far more bandwidth than the typical enterprise, and the distributed nature of the cloud can aid resiliency. If one server is crashed by a DDoS attack, others will continue operating; similarly, secure data backups in the cloud can aid rapid recovery in the event of system corruption.
On the other hand, multi-tenant cloud environments can bring risks of their own. A cloud, hosting, or colocation provider who detects a DDoS attack on one customer might shut down all their traffic in order to prevent spill over impacts on other customers, leaving the company unable to make a more surgical response to preserve some services.
At the same time, an attack on another cloud provider customer might impact your company even if you’re not the original target. Therefore, it’s important to work with cloud, hosting, and colocation providers who offer DDoS protection as a service for their customers.
5. Deploy DDoS Protection Solutions and Threat Intelligence
DDoS attack prevention depends on a multi-layered strategy of best practices, tools, and threat intelligence. Anti-DDoS solutions should include capabilities for traffic monitoring, real-time threat detection, anomalous behavior blocking, zero-day attack pattern recognition, DDoS scrubbing, and automated response.
Threat intelligence is essential to enrich DDoS tools with timely data about current DDoS activity and trends, including the IP addresses of DDoS botnets and vulnerable servers known to be associated with DDoS attacks. Leveraged in conjunction with real-time threat detection, AI/ML capabilities, and automated signature extraction, threat intelligence enables organizations to take a proactive approach to DDoS attack mitigation.
In summary, whilst the threat and potential of DDoS attacks are rising, there are strategies organizations can implement to ensure heightened security. By verifying a baseline of normal activity, any abnormalities can be monitored and addressed. Cloud environments will ensure less downtime with reliable infrastructure acting as a key defense.
Ultimately, organizations should shore-up their overall defenses. Strategically deploying DDoS mitigation services, in conjunction with real-time threat detection, can enhance a business’s rapid response to an attack, eliminating downtime and reducing financial loss.
Adrian Taylor is VP of EMEA at A10 Networks