You've probably heard about distributed denial of service (DDoS) attacks, or maybe you've even been hit by one. If you're like most organizations, you've already been DDoSed. Perhaps the attack was minor, a wake-up call, but then it subsided without causing damage and you left DDoS protection on your "to-do list."
If you don't have a DDoS attack plan, it's probably time to bump it up to the top of your list. That's because DDoS attacks are getting bigger, more persistent and more harmful. They inflict serious cost in terms of lost revenue, damaged systems and lost consumer trust. DDoS is no longer just a Web server problem; infrastructure is now a target. The attacker's ambition is clear: take down your online existence and harm your organization.
The attackers have a stash of attack methods from which to choose. Simple, low-cost DDoS toolkits and botnet-for-hire services that cost as little as $50 for an attack leave no online network, application, service or website immune to danger. First and foremost is the volumetric or network-level attack that tries to clog your pipeline to the Internet. Protocol attacks can succeed at consuming the resources of servers, routers, firewalls and even load balancers. Attackers can also launch application attacks that try to overload web servers by mimicking real users. These attacks can cripple a mid-sized website with as few as 50-100 requests per second.
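Application-layer floods of the kind just described are the hardest to spot per source, because a botnet spreads a modest total rate across many clients. The following added example (not code from the original article) measures the site-wide request rate over a sliding window of access-log lines and alarms when it crosses the 50 requests/second figure cited above; the log lines, the 10-second window and the client addresses are constructed for illustration.

```python
# Added example (not from the article): site-wide request-rate check over
# constructed access-log lines. The 50 rps threshold is the article's figure
# for a mid-sized site; the 10 s window and sample traffic are assumptions.
import re
from collections import Counter, deque
from datetime import datetime, timedelta

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')

def parse_clf(line):
    """Return (timestamp, client_ip) from a Common Log Format line, else None."""
    m = CLF.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)

def make_sample_log(start="2024-01-01T00:00:00+00:00"):
    """Constructed traffic: 5 rps from five regular clients for 20 s, then a
    10 s application-layer flood of 60 rps spread across 200 bot addresses."""
    t0 = datetime.fromisoformat(start)
    def clf(ts, ip, path):
        return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 512'
    lines = [clf(t0 + timedelta(seconds=s), f"192.0.2.{n}", "/")
             for s in range(20) for n in range(1, 6)]
    lines += [clf(t0 + timedelta(seconds=20 + i // 60), f"198.51.100.{i % 200 + 1}", "/search?q=x")
              for i in range(600)]
    return lines

def rate_alerts(lines, window_s=10, threshold_rps=50):
    """Alert (once per episode) when the whole site's request rate over the
    trailing window exceeds threshold_rps. The rate is site-wide, not per
    client: a botnet spreads requests so thinly that per-IP limits never fire.
    Each alert is (timestamp, rps, top three sources in the window)."""
    window, alerts, alarmed = deque(), [], False
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        ts, client = rec
        window.append((ts, client))
        while (ts - window[0][0]).total_seconds() >= window_s:
            window.popleft()      # keep only the trailing window_s seconds
        rps = len(window) / window_s
        if rps > threshold_rps and not alarmed:
            alerts.append((ts, rps, Counter(c for _, c in window).most_common(3)))
        alarmed = rps > threshold_rps
    return alerts
```

On the constructed traffic the alarm fires at 50.1 rps while the busiest single client has made only three requests in the window, which is why a per-IP limit alone would not have caught it.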
So the question is: What can you do before an inevitable attack to ensure you have adequate defenses in place? Two things: (1) develop a plan and (2) adopt a DDoS mitigation solution.
Every organization should have a DDoS response plan in place so that when the inevitable attack occurs, response is swift, damage is minimal and your good reputation remains intact. Here are seven steps to building a DDoS response plan.
The first step is to identify the various people and departments within your organization who will be in charge of both planning and execution. Your team must fulfill a range of tasks: identifying and mitigating an attack, coordinating with ISPs, notifying customers, communicating with the press, and minimizing potential reputation and liability issues.
The purpose of your response plan is to define various resources, tools and procedures required to minimize the risk and costs of a DDoS incident before it happens. It should include topics such as risk assessment, organizational roles and responsibilities and more.
In preparing your organization to deal with a DDoS incident, it's imperative to understand the scope of your risk. Which infrastructure assets need protection? What is the cost of a given asset becoming unavailable?
The cost of an extended outage can be measured in terms of lost revenue and resources required to recover an asset. This risk of an outage needs to be evaluated against the cost of implementing DDoS protection for the particular assets.
Another important part of risk assessment is the identification of single points of failure, such as your DNS server or routers, and how to minimize potential issues related to them. For example, today many DDoS attacks are targeted against DNS servers, often an Achilles' heel of network security. Even if your online systems themselves are protected, a successful attack against your DNS server can still make them unreachable, because users can no longer resolve your domain.
It's important to clearly communicate with your Internet service provider (ISP) as part of your DDoS response preparation. In large attacks that can completely strangle your bandwidth, your ISP has no choice but to intervene.
Massive DDoS attacks targeting one ISP customer can result in service degradation for all its other customers and may even result in service-level agreement (SLA) violations with respect to availability. In extreme cases, the ISP can pull the plug on your connectivity altogether.
Time to live (TTL) is the value that determines how long a piece of data is considered valid. In the DNS world, TTL limits how long your current DNS settings stay cached at ISPs and other resolvers. This means that if your website's TTL is set at three hours, other DNS servers won't bother checking for a DNS update for your domain during that period.
If you're using an on-demand, DNS-based DDoS mitigation solution, your TTL needs to be lowered before you experience a DDoS attack. A lower TTL means a faster reaction: the reaction time is how long it takes, after you change your DNS records, for traffic to be rerouted through your DDoS solution.
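A readiness check for this step, added here as an example rather than taken from the article: it reads a zone in BIND format and lists every A, AAAA and CNAME record whose TTL would delay the switch to the mitigation provider. The zone contents and the 300-second target are constructed assumptions; the 10800-second default is the three-hour case discussed above.

```python
# Added example (not from the article): a readiness check for DNS-based,
# on-demand mitigation. It parses a constructed BIND-style zone; the zone
# contents and the 300 s target TTL are assumptions for illustration.
REDIRECTABLE = {"A", "AAAA", "CNAME"}   # records a DNS-redirection service repoints

# Constructed zone. $TTL 10800 is the three-hour default the article mentions.
SAMPLE_ZONE = """\
$TTL 10800
@      IN SOA   ns1.example.com. hostmaster.example.com. (2024010101 3600 900 1209600 300)
@      IN NS    ns1.example.com.
@      IN A     203.0.113.10
www    IN A     203.0.113.10
api    300 IN A 203.0.113.11   ; already lowered
shop   IN CNAME www
"""

def parse_zone_ttls(zone_text):
    """Map (owner, type) -> TTL seconds for A/AAAA/CNAME records. Each record
    must carry its owner name; $TTL supplies the default, as in BIND."""
    default_ttl, ttls = None, {}
    for raw in zone_text.splitlines():
        tokens = raw.split(";", 1)[0].split()          # drop comments
        if not tokens:
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        owner, rest, ttl = tokens[0], tokens[1:], default_ttl
        if rest and rest[0].isdigit():                 # explicit per-record TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0].upper() == "IN":           # class is optional
            rest = rest[1:]
        if not rest or rest[0].upper() not in REDIRECTABLE:
            continue
        if ttl is None:
            raise ValueError(f"{owner}: no TTL and no $TTL default")
        ttls[(owner, rest[0].upper())] = ttl
    return ttls

def ttl_findings(zone_text, max_ttl):
    """Records that would keep resolving to the old (attacked) address for
    longer than max_ttl after the switch, worst first."""
    over = [(o, t, ttl) for (o, t), ttl in parse_zone_ttls(zone_text).items() if ttl > max_ttl]
    return sorted(over, key=lambda r: -r[2])

def worst_case_failover(zone_text):
    """Longest time any resolver may still hand out the stale answer."""
    return max(parse_zone_ttls(zone_text).values())
```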
If you're using an on-demand DDoS mitigation solution, you don't want to wait for an actual attack to discover whether everything is in working order. As time goes by, you introduce new websites and applications, and your DDoS protection provider periodically updates its systems. It's important to check the impact of these changes on your readiness. For testing purposes, you should turn on your DDoS mitigation measures for a two-hour period every three to four months, or once a year at an absolute minimum. Test to confirm that your systems and applications continue to function properly, that traffic continues to arrive and that there is no negative impact on your users.
When it comes to selecting a DDoS protection solution, the good news is that there are many technologies, products and services available. The bad news is that each of these options represents a different approach, which makes choosing between them hard. The options include homegrown solutions, cloud-based services and appliances deployed within the data center. There is no one right answer for everyone, as each type of IT setup requires a different DDoS solution.
Here are some key questions to ask as you think about your own requirements and evaluate a DDoS mitigation solution.
- Does the solution support automatic attack detection or does it require manual intervention?
- Does the solution scale on-demand to mitigate large attacks?
- In addition to network attacks, will the solution mitigate application attacks?
- Does the solution's time-to-mitigation match my business and operational needs?
- Can the solution distinguish between legitimate users and bots?
- How does it handle legitimate users when a DDoS attack occurs?
- Does the solution include a Web Application Firewall to protect Web applications?
- Will I always be protected by the solution?
- Do I need to engage it each time an attack occurs?
- Does the solution deployment model make sense for my architecture?
  - DNS redirection for Web applications
  - Individual IP address protection
  - BGP routing for Class C infrastructure protection
  - DNS proxy for DNS-targeted attacks
Malicious DDoS attacks have become a fact of life for almost all organizations, but a well-organized plan and a DDoS mitigation solution will keep the attackers from causing you significant harm.