
Feds Issue Guidance on Responding to and Reducing the Impact of DDoS Attacks

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have recently issued guidance for federal and private agencies on the prevention and mitigation of Distributed Denial of Service (DDoS) attacks.

These attacks are conducted to overload applications and websites with traffic, rendering them inaccessible and preventing legitimate users from reaching the service. A Denial of Service (DoS) attack exhausts resources at one of three layers: a network resource overload consumes all available hardware, software, and bandwidth capacity; a protocol resource overload consumes the available session or connection state; and an application resource overload uses up all compute or storage resources.

DDoS attacks are DoS attacks in which the traffic comes from many devices acting together. They can involve huge volumes of traffic and have the potential to cause hardware damage. Botnets – armies of malware-infected devices under an attacker's control – are commonly used to perform DDoS attacks at scale, and they have become far more common as the number of Internet-connected IoT devices has grown. Botnets are often rented out to threat actors, which allows unskilled individuals to conduct DDoS attacks.

These attacks may be short-lived; however, prolonged attacks can significantly disrupt critical services, resulting in extensive remediation costs and substantial reputational damage. These attacks are only concerned with causing disruption and do not involve access being gained to systems or data theft; however, cybercriminal groups are known to conduct DDoS attacks to distract IT teams while an attack is simultaneously conducted on another part of the network. With the attention of security teams focused elsewhere, there is less chance that data exfiltration, malware delivery, or ransomware deployment will be detected. It is therefore vital that any response to a DDoS attack does not result in other security monitoring being neglected.


Preventing and Reducing the Impact of DDoS Attacks

The key to defending against DDoS attacks and reducing their severity is preparation. All critical assets and services that are exposed to the public Internet must be identified, with those applications and services prioritized. Web application firewalls should be implemented to protect the most critical assets, and cybersecurity best practices should be followed, such as hardening servers and patching promptly. Understanding how users connect to the services and identifying any chokepoints can make it easier to implement mitigations to prevent disruption to key staff.

Consider enrolling in a DDoS protection service, ideally a dedicated one, as the protection offered by ISPs is not as robust and may not withstand larger attacks. These services allow the source of the attack to be identified and will reroute attack traffic away from the targeted service. Managed Service Providers may also be able to assist with DDoS protection, including custom network edge defense services.

Take steps to avoid single points of failure, such as hosting a high-value asset on a single node; load balancing across multiple nodes is recommended. It is also vital to develop an incident response plan specifically for DDoS attacks. All stakeholders should be aware of their responsibilities through every stage of an attack so that a rapid and efficient response is possible. You should also develop a business continuity plan to ensure that operations can continue during a prolonged attack, and tabletop exercises should be conducted to test those plans.

Steps to Take During an Attack

In the event of a suspected attack, such as when there is network latency, sluggish application performance, unusually high traffic, or the unavailability of websites, technical professionals should be contacted for assistance. Consult your ISP to determine if they have an outage, and learn about the nature of the attack, such as where the traffic is coming from and which applications are being targeted. This will allow you to implement targeted mitigations and work with service providers to get the attack blocked quickly.

While an attack may target a specific application, monitor other network assets, as they may be simultaneously attacked. Specific mitigations for dealing with DDoS attacks are detailed in the MS-ISAC Guide to DDoS Attacks.

Recovering from a DDoS Attack

After an attack, continue to monitor all network assets, learn from the response, and update your incident response plan accordingly to correct any aspects of the response plan that did not run smoothly. You should also ensure you proactively monitor your network and create a baseline of normal activity, as this will allow you to rapidly identify attacks in progress in the future.
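The guidance above recommends baselining normal traffic so that unusually high request volumes (and the sources behind them) can be spotted quickly. As an added example written for this page, not code from CISA, FBI or MS-ISAC, the following Python script builds a requests-per-minute baseline from a constructed Apache-style access log, flags later minutes that exceed it, and lists the top source addresses in each flagged window; the threshold rule (mean plus three standard deviations, floored at twice the mean) and all addresses are assumptions for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed Apache-style access log (not captured traffic). Minutes 12:00-12:03
# carry normal load; 12:04 is a flood dominated by two source addresses.
def _constructed_log():
    tmpl = '{ip} - - [01/Jan/2024:12:{m:02d}:{s:02d} +0000] "GET /login HTTP/1.1" 200 512'
    lines = []
    for minute, count in enumerate((10, 12, 9, 11)):      # quiet baseline minutes
        lines += [tmpl.format(ip=f"192.0.2.{i}", m=minute, s=i) for i in range(count)]
    lines += [tmpl.format(ip="203.0.113.7", m=4, s=i % 60) for i in range(120)]
    lines += [tmpl.format(ip="198.51.100.9", m=4, s=i % 60) for i in range(70)]
    lines += [tmpl.format(ip=f"192.0.2.{i}", m=4, s=i) for i in range(10)]
    return lines

# Captures the client IP and the timestamp truncated to the minute.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]+\]')

def requests_per_minute(lines):
    """Map each minute (the log's timestamp prefix) to a Counter of source IPs."""
    per_minute = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        ip, minute = m.groups()
        per_minute.setdefault(minute, Counter())[ip] += 1
    return per_minute

def detect_floods(lines, baseline_minutes=4, k=3.0, top_n=3):
    """Baseline = first `baseline_minutes` windows (assumed quiet). Later windows are
    flagged when their request count exceeds mean + k*stdev, floored at 2x the mean
    so a flat baseline does not turn every small rise into an alert.
    Returns (threshold, alerts). Windows sort lexically, which is correct within a day."""
    per_minute = requests_per_minute(lines)
    ordered = sorted(per_minute)
    totals = [sum(per_minute[w].values()) for w in ordered]
    base = totals[:baseline_minutes]
    threshold = max(mean(base) + k * pstdev(base), 2 * mean(base))
    alerts = []
    for window, total in zip(ordered[baseline_minutes:], totals[baseline_minutes:]):
        if total > threshold:
            top = per_minute[window].most_common(top_n)
            alerts.append({"window": window, "requests": total, "top_sources": top})
    return threshold, alerts

if __name__ == "__main__":
    thr, found = detect_floods(_constructed_log())
    print(f"threshold={thr:.1f} requests/minute")
    for alert in found:
        print(alert)
```

On real logs the baseline should be built from a representative quiet period rather than the first few minutes of the file, and the flagged source list is a starting point for the conversation with your ISP or DDoS protection provider, not proof of origin, since flood traffic is frequently spoofed.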

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
