A DDoS (Distributed Denial of Service) attack can cripple your business’s ability to operate. A denial of service attack sends enough illegitimate traffic at a designated target to exhaust its resources (bandwidth, connection tables, CPU, memory) so that legitimate traffic can no longer reach it. A distributed denial of service attack is the same attack carried out from many sources at once. In most cases DDoS attacks are carried out by botnets: computers and other Internet-connected devices (often home PCs, but also routers, cameras and other poorly secured devices) that an attacker has infiltrated by planting an agent the attacker controls for the purpose of taking part in an attack. Botnets can number in the thousands to hundreds of thousands of devices.
Here is how a typical DDoS attack unfolds:
- The attacker sends a command to all the compromised computers running his or her agent (the botnet)
- The bots simultaneously flood the target with traffic. The classic example is large ICMP (ping) packets; other common forms are TCP SYN floods, UDP floods (often amplified by reflecting them off open DNS or NTP servers) and floods of HTTP requests that each look legitimate on their own
- The target (see below for typical targets) and every device in front of it have to handle all the incoming traffic
- The target’s resources, or the network devices protecting it (such as the firewall), are maxed out and cannot process any more traffic, or the Internet connection itself is saturated. To a regular user, the resource appears down or unavailable.
Typical Targets of a DDoS Attack
Typical targets are corporate or government websites that an attacker or organization wants to take offline. The sites can be big or small. The reasons can be political, retaliation for enacted policies, extortion, or just because someone decided they had nothing better to do.
Tips for Prevention
There is no way to prevent a DDoS attack outright unless you are Amazon or a similar entity with an enormous amount of bandwidth and capacity in reserve; for everyone else, prevention means having tools in place to detect an attack and a plan to mitigate it. Consider fronting important web sites with a large content delivery network (CDN), which has the capacity to absorb the volume and filter out unwanted traffic before it reaches you. There are also scrubbing providers with large amounts of bandwidth that can take in all traffic destined for a corporate network, on demand or full-time, and pass only the clean traffic back to you. These solutions are not cheap, but they should be considered if the cost of being down for any length of time is prohibitive. Finally, there are products that detect attacks and identify the source IP addresses, and that can work with your carrier to block those addresses upstream, before they come down your Internet connection or even before they enter the carrier’s network. One caveat: many floods use spoofed source addresses or come from thousands of bots, so blocking individual sources only helps when the attack comes from a handful of them; the durable defences are spare capacity and upstream filtering.
One of the best tools a corporation can have is a central syslog server, or some other means of collecting logs and flow records from firewalls, routers and servers. Those records tell you what the attack looked like (which protocol, which ports, how many sources, how much traffic) and are exactly what your carrier or scrubbing provider will ask for when you call for help. Make sure the collector itself is sized to keep up: a flood that overwhelms your firewall will also generate a flood of log entries.
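As an added example (not code from the original article), the script below runs the detection logic over constructed firewall-style log lines: it buckets records into one-second windows, flags windows whose packet rate exceeds a baseline, and reports how many distinct sources and which protocol dominate, which is what the "many bots" and "ICMP flood" steps described above look like in collected logs. The key=value record format, the RFC 5737 test addresses and the 50 packets-per-second baseline are assumptions made for the example; adapt the regular expression and threshold to your own firewall or flow export.

```python
"""Flag flood windows in firewall or flow logs (constructed record format)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed key=value record format for this example (not any vendor's
# real syntax): "<ISO timestamp> proto=<PROTO> src=<ip> dst=<ip> bytes=<n>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) bytes=(?P<bytes>\d+)$"
)


def parse(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "proto": d["proto"], "src": d["src"],
            "dst": d["dst"], "bytes": int(d["bytes"])}


def bucket(records, window_s=1):
    """Group records into fixed time windows keyed by their epoch start second."""
    buckets = defaultdict(list)
    for r in records:
        start = int(r["ts"].timestamp()) // window_s * window_s
        buckets[start].append(r)
    return dict(sorted(buckets.items()))


def analyze(lines, baseline_pps=50, min_sources=10, window_s=1):
    """Return one alert per window whose packet rate exceeds baseline_pps.

    baseline_pps should come from your own normal traffic; the default of
    50 packets/s is an assumption chosen to fit the constructed sample.
    """
    records = [r for r in map(parse, lines) if r is not None]
    alerts = []
    for start, recs in bucket(records, window_s).items():
        pps = len(recs) / window_s
        if pps <= baseline_pps:
            continue
        srcs = Counter(r["src"] for r in recs)
        protos = Counter(r["proto"] for r in recs)
        alerts.append({
            "window_start": start,
            "pps": pps,
            "bytes": sum(r["bytes"] for r in recs),
            "distinct_sources": len(srcs),
            # Many sources in one window is the "distributed" signature;
            # spoofed source addresses look just as distributed, so this
            # says how the flood looks, not whom to block.
            "distributed": len(srcs) >= min_sources,
            "top_protocol": protos.most_common(1)[0][0],
            "top_sources": srcs.most_common(3),
        })
    return alerts


def constructed_sample():
    """Constructed log lines: one quiet second, then one second of ICMP flood."""
    lines = [f"2024-03-11T10:15:00Z proto=TCP src=198.51.100.{20 + i} "
             f"dst=203.0.113.10 bytes=600" for i in range(5)]
    lines += [f"2024-03-11T10:15:01Z proto=ICMP src=192.0.2.{1 + i % 40} "
              f"dst=203.0.113.10 bytes=1480" for i in range(120)]
    lines.append("Mar 11 10:15:01 fw kernel: unrelated message")  # skipped
    return lines


if __name__ == "__main__":
    for a in analyze(constructed_sample()):
        when = datetime.fromtimestamp(a["window_start"], tz=timezone.utc)
        print(f"{when:%H:%M:%S} {a['pps']:.0f} pps, {a['bytes']} bytes, "
              f"{a['distinct_sources']} sources ({a['top_protocol']}), "
              f"distributed={a['distributed']}")
```

On the constructed sample the quiet second (5 TCP connections) passes silently and the flood second is flagged as 120 pps of ICMP from 40 distinct sources. In production, derive the baseline from a week of your own flow data rather than a fixed number, and feed the alert's protocol and source summary to your carrier or scrubbing provider rather than blocking sources one by one.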
Tips for What to do During a DDoS Attack
If you are under attack, the best advice is not to panic. If you have a plan in place to leverage a company to filter out unwanted traffic, activate it; within minutes the attack should be mitigated. If you do not have a plan or a contracted resource to filter out traffic, contact your data carrier. If the attack comes from only a few sources they may be able to filter out the attacking IP addresses, and they should be willing to help because if it is affecting you it is potentially having an impact on them as well.
If the attack affects your customers, be sure you have the means to email them from a system outside the network being attacked. For example, email hosted by Office 365 or Google, or a campaign email solution like MailChimp, should be ready to go with a list of all customers. Send them a notice of what is going on, with an incident report to follow. If possible, record a message on your phone system to play when a user calls in. The same thinking applies to your public DNS and any status page: if they are hosted on the network under attack, you lose them along with everything else. Communication is key to let affected parties know, proactively, that you have the situation under control. Everyone knows attacks are possible and a part of life on the Internet. If you demonstrate that you are aware an attack is happening and are executing a plan, customers are less likely to be concerned about your security.
The Attack is Over, Now What?
A DDoS attack is a serious event that no company wants to endure. However, the higher a company’s profile, the more likely it is to be attacked. There are several things to be done after an attack. Here are a few questions to have answered:
- What was the attack target?
- How was the attack carried out (protocol, volume, duration, number of sources)?
- Did any third-party vendors execute as expected?
- How long was the target or network down?
Regardless of whether an attack occurs, IT departments should perform an annual review of their DDoS protection plan and an analysis of third-party solutions. They should also work with other departments to analyze the cost of being down due to an attack. This information will help organizations determine the appropriate solutions for potential future attacks. Ultimately, being prepared is the best weapon against DDoS.