Tuesday, November 25, 2014

DDoS attacks can happen at a moment’s notice. According to CRN, attacks have increased in frequency 82 percent since June 2011. They’re getting larger, too. Following are some best practices, both for preparing in advance and responding when you’re hit.

Conduct a company-wide DDoS risk assessment

The first step in a good defense is to conduct an enterprise risk assessment. This allows you to assess the probability of a DDoS attack and identify your most likely targets. It also helps determine the impact of an attack and estimate the potential loss to your organization (downtime, e-commerce impact, connectivity, communications and other factors). You can also better ensure that you invest in the right IT security and risk-reduction activities.

Create an action plan to respond to DDoS attacks

Once an attack occurs, it is too late to determine how to respond and what the next steps should be. An action plan documents how to prepare for an attack and what to do when one occurs. Your plan should include different severity levels and responder actions, depending on the attack’s impact. For example, you will respond differently to an attack that takes down the entire company, as opposed to a strike affecting only one web server.

Know your infrastructure components inside and out

It is important to know all resources and equipment on your network, along with the strengths and weaknesses of each component. Periodically test and document the protection capabilities of the equipment and the network as a whole. This will give you a better understanding of what kind of attacks you can withstand (such as a small attack originating from a single IP address), and if you need to outsource to protect against more complex attacks.

Understand ISP options for DDoS mitigation

It pays to communicate clearly with your internet service provider (ISP), particularly if it’s also affected by a DDoS attack. In some cases, an attack may be so large that it completely saturates your bandwidth, making any other countermeasures ineffective. In preparation for this, know the procedures for getting your ISP to intervene. In other words, plan and practice, repeatedly if possible, with your ISP’s help. The information should be easy to find and well documented. Understand your ISP’s options for defending against DDoS attacks and confirm your understanding of any Service Level Agreements (SLA). You will want to know, for example, if the SLAs give your ISP 24 hours to respond to attacks.

Implement general rules to help mitigate DDoS attacks

There are some general rules to help defend against a DDoS attack. They should only be used as a guide, since they will not stop all attacks, especially some of the more complex varieties.
  • Shut down all unnecessary ports and protocols: If you are running a web server and only use the TCP protocol over port 80, then implement Access Control List entries to block all other ports and protocols from entering your network.
  • Implement an IP blacklist: Become familiar with trusted security-related websites that publish lists of IP addresses known for delivering malicious traffic. These IP addresses, or ranges, can be added to an IP blacklist so their traffic never reaches your infrastructure.
  • Block invalid and malformed packets: If you have the technology to do so, consider blocking invalid and malformed packets from entering your network. If you have a custom or proprietary application that legitimately sends malformed packets over the network, then you may need to consider other alternatives to handle this traffic, such as outsourcing your security protection to a DDoS mitigation specialist.
  • Configure and harden network equipment: Recommended configuration settings, such as those from the Center for Information Security (CIS), can better protect your devices and network. Consider implementing them.
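As an added example (not from the original post), the three filtering rules above expressed as a small packet-filter policy and evaluated over constructed sample traffic; the Packet model, the blacklist ranges and the set of invalid TCP flag combinations are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed packet-filter policy for the three rules in the post: expose only
# the services you run, drop blacklisted sources, drop malformed packets.
# The Packet model, blacklist ranges and flag combinations are assumptions.
WEB_SERVER_RULES = {("tcp", 80)}  # the only (protocol, port) pair allowed in

# Constructed blacklist using documentation (TEST-NET) ranges.
BLACKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# TCP flag combinations that never occur in a valid handshake (e.g. SYN+FIN).
INVALID_TCP_FLAGS = {frozenset(), frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"})}

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int
    tcp_flags: frozenset = frozenset({"SYN"})

def filter_packet(pkt: Packet) -> str:
    """Return 'allow' or 'deny:<reason>'; checks the blacklist first, then
    packet validity, then the port/protocol access-control list."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BLACKLIST):
        return "deny:blacklist"
    if pkt.proto == "tcp" and pkt.tcp_flags in INVALID_TCP_FLAGS:
        return "deny:malformed"
    if (pkt.proto, pkt.dport) not in WEB_SERVER_RULES:
        return "deny:acl"
    return "allow"

def filter_all(packets):
    """Apply the policy to a batch and tally how often each verdict fired."""
    verdicts = [filter_packet(p) for p in packets]
    counts = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return verdicts, counts

SAMPLE = [  # constructed traffic: one legitimate request and four to drop
    Packet("203.0.113.10", "tcp", 80),
    Packet("203.0.113.11", "udp", 53),
    Packet("192.0.2.77", "tcp", 80),
    Packet("203.0.113.12", "tcp", 80, frozenset({"SYN", "FIN"})),
    Packet("203.0.113.13", "tcp", 22),
]

print(filter_all(SAMPLE)[1])
```

The verdict tally is the kind of figure worth keeping for the post-attack review: it shows which rule actually absorbed the traffic.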

Conduct a post-attack analysis after a DDoS attack

While it’s crucial to have a plan in place to address a DDoS attack, it is equally important to perform a post-attack analysis. You’ll want to review the lessons learned and make any needed network improvements. Some attackers hit targets in waves, so don’t delay your post-attack analysis. The next attack could be coming sooner than you think! Some of the items to consider: the type of attack that happened; which equipment helped you mitigate it, even if it was only partially successful; and which attack traffic had the most impact, and why. This will lead you to consider whether you need to purchase better equipment. If that’s not in the budget, you may want to think about outsourcing to a security service provider.

Leverage monitored and managed services

Partnering with a managed security provider has real benefits. Such providers have deep experience in dealing with DDoS attacks and offer a wide array of equipment and resources. You can use their services on demand—for example, a DNS redirect service—or have them monitor your network 24/7 for signs of attacks. To mitigate the most complex attacks, you need costly equipment. A managed service offers it, when and if you need it.
