DDoS: Are You Prepared?

government websites and systems were taken offline due to DDoS in response to bill C-51 which aimed to enact of a number of measures aimed at banning promotion of terrorism and expanding the power of the Canadian Security Intelligence Service (CSIS). 

What you should do about it 

It is essential that IT leaders prepare their organizations for this threat. The goal for any organization should be to invest the right amount of time and money into protections to manage risk appropriately. Too little investment and we leave ourselves vulnerable to unacceptable loss due to attack, but too much investment means that we’re stealing the resources from other critical risks. These four steps provide a framework for protecting your organization. 

Business impact analysis (BIA). The goal of BIA is to survey the corporate resources that could be attacked from outside and determine what impact to your company would be if they were taken off-line. At the very least, come up with a relative impact rating, to help you determine which resources are most critical to your organization. 

Be careful not to overlook supportive systems. Your customer-facing website may be the highest profile resource, but there are likely other resources required to maintain that website. VPN concentrators, DNS servers, and load balancers are just some of the infrastructure components that may be essential for the customer-facing site to function, and could be targeted by attackers.  

Assign recovery time objectives (RTO). RTO quantifies how long your business is willing to go without this resource. It gives you success criteria by which to evaluate your DDoS protection controls. The lower the RTO the more controls you will need to put in place to protect the resources, so making the decision to give everything an RTO of 0 is not only extremely expensive, it’s also impractical. The assignment of RTOs should be performed in coordination with the company’s executive team. This will ensure the RTOs align with the senior leadership’s desires and may make it easier when you request budget for DDoS controls. 

Implement solutions. Next you should design and implement solutions which facilitate achieving those RTOs. Effective DDoS mitigation solutions require people, process and technology wrapped together. Purely technical solutions are unlikely to be sufficient. Some DDoS mitigation technologies impact performance or usability of the services they are protecting so should not be enabled at all times. Many third party scrubbing solutions charge based on the volume of data send through their environment, so an always-on approach gets expensive very quickly.  

Consider a tiered approach to DDoS mitigation. 

1. On the simplest end, look at DDoS protection options built into your firewall, web application firewall or other networking equipment. These can help with some of the simplest attacks. 

2.  Generally appliances are much more effective than the defenses built into your existing network gear. While on-network protections are essential for continuous protection, they can only do so much. A large scale DDoS can easily overwhelm your internet pipe and make your resources unavailable. 

3. For the largest attacks it makes sense to partner with a third party scrubbing company. In the event of a volumetric attack you can swing your traffic to the third party. These companies have huge internet connections that can take the attack traffic, filter out the bad, and send the clean data to you. 

Whichever technical solutions you choose, be sure to wrap the appropriate personnel and processes around them. Employees need to know how to recognize an attack, how to enable any protections that aren’t always on, and how to restore the environment to normal operations. 

Test your solutions. Optimally, try to perform a series of tests, starting with small discrete tests that focus on validating specific parts of your tiered approach. Discrete tests could include: 

• Do your firewall’s controls successfully prevent SYN flood attacks? 

• Does your on-site DDoS appliance successfully prevent low volume attacks? 

•·Can you determine whether resource performance issues are benign anomalous behavior or indicate an ongoing attack? 

• Is your staff able to respond to attacks and route traffic to your third party scrubbing service quickly enough to support your RTO? 

• Is your scrubbing vendor able to mitigate high volume attacks and provide a clean stream of data to your infrastructure? 

After validating the individual components of the program, the next step is a comprehensive testing strategy. In this step you will need more experienced testers, and will probably want to engage an experienced external firm. A qualified third party can help evaluate all the ploys an attacker may launch, providing your organization with another set of eyes. 

The results of the testing can fit directly into your continuous improvement process, allowing you to tweak and improve your DDoS controls over time, better mitigating the risks to your organization. 

 Conclusion 

The trend is clear: DDoS attacks have become a favorite implement in the hackers’ toolbox. The best time to create your DDoS mitigation plan is now, before attackers have knocked your systems off-line. While you cannot eliminate this risk entirely, you can give yourself a fighting chance by: 

1. Understanding the changing landscape, 
2. Inventorying your own company’s internet accessible resources,  
3. Implementing solutions to appropriately protect them, and  
4. Testing your people, processes and technologies.