
Any online business a target of DDoS attacks

Any business that is online is susceptible to denial of service attacks and should ensure it has the capability to mitigate such attacks, says an industry practitioner who explains how

Any online business or application is vulnerable to distributed denial of service (DDoS) attacks, according to Harshil Parikh, director of security at software-as-a-service platform firm, Medallia.

However, there are ways of detecting and mitigating DDoS attacks that any business dependent on the internet can and should use, he told the Isaca CSX Europe 2017 conference in London.

It is important that such organisations take time and effort to build their DDoS defence capabilities, he said, because DDoS attacks are fairly easy and cheap for attackers to carry out.

“With the advent of botnet-based DDoS attack services that will be effective against most companies, anyone can target an organisation for just a few bitcoins,” said Parikh.

“Competitors and even disgruntled employees are able to carry out DDoS attacks that can result in loss of reputation as well as lost business worth a lot more than the attacks cost,” he said.

While loss of service capability and loss of income are the greatest risks associated with DDoS, especially for SaaS providers, Parikh said DDoS is also often used as a distraction.

“Attackers commonly use a DDoS attack to distract security professionals from the fact that data exfiltration or other malicious activity is being carried out at the same time,” said Parikh.


There are three main types of DDoS attack that organisations are likely to face: volumetric attacks, computational attacks and application logic attacks.

Volumetric DDoS attacks are the most common, and while they are the easiest to carry out, they are also the easiest to detect and mitigate, said Parikh.

These are typically user datagram protocol (UDP) floods, internet control message protocol (ICMP) floods, and UDP amplification attacks.

Because volumetric attacks have been around the longest, Parikh said tools for identifying them are fairly mature and include Netflow and sFlow-based alerts, signature-based alerts, and resource utilisation metrics.

“Please note that alerting systems need to be in a separate datacentre to the one in which the systems being monitored are located because if they are the same location, the alerting system will be ineffective as it will also be affected by the same DDoS attack,” he said.

Computational DDoS attacks

Computational DDoS attacks focus on overwhelming the computing capacity of the targeted devices. Instead of saturating the pipes, these attacks saturate central processing units (CPUs) and firewall state tables, said Parikh.

“These attacks are becoming commercialised on the dark web and therefore more prevalent, especially where the transport layer security (TLS) or secure sockets layer (SSL) protocols are being used, because cryptography is fairly resource intensive, so all the attacker has to do is to escalate that to exhaust compute capacity,” he said.

Other attacks in this category include SYN floods, DNS floods and HTTP floods. Ways to monitor them include signature-based alerts, CPU utilisation alerts and statistical anomaly-based alerts.
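As an added illustration of the statistical anomaly-based alerts Parikh lists for both volumetric floods and computational floods such as SYN and DNS floods (this is not code from the talk or from Medallia), the following Python script aggregates constructed NetFlow-style records per second and protocol, learns a per-protocol baseline from a calm window, and raises an alert when a later second exceeds the baseline mean plus k standard deviations; the flow records, the window length and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (second, protocol, source_port, packets).
# Seconds 0-9 are a calm baseline; seconds 10-12 carry a UDP flood made of
# large reflected replies from port 53 (sample data, not captured traffic).
FLOWS = (
    [(s, "tcp", 443, 40 + s % 3) for s in range(10)]
    + [(s, "udp", 53, 5) for s in range(10)]
    + [(s, "udp", 53, 4000) for s in (10, 11, 12)]
    + [(s, "tcp", 443, p) for s, p in ((10, 42), (11, 43), (12, 41))]
)


def packets_per_second(flows):
    """Aggregate packet counts into a {(second, protocol): packets} map."""
    totals = defaultdict(int)
    for second, proto, _port, packets in flows:
        totals[(second, proto)] += packets
    return totals


def anomaly_alerts(flows, baseline_seconds, k=3.0, min_packets=100):
    """Flag (second, protocol) buckets whose packet rate exceeds
    mean + k * stdev of that protocol's baseline window.

    min_packets is a floor on the threshold so that a protocol which is
    almost idle in the baseline (stdev close to zero) does not alert on
    a handful of packets.  Returns a list of
    (second, protocol, packets, threshold) tuples, oldest first.
    """
    totals = packets_per_second(flows)
    baseline = defaultdict(list)
    for (second, proto), pkts in totals.items():
        if second < baseline_seconds:
            baseline[proto].append(pkts)

    alerts = []
    for (second, proto), pkts in sorted(totals.items()):
        base = baseline.get(proto)
        if not base or second < baseline_seconds:
            continue  # no baseline for this protocol, or still learning
        threshold = max(mean(base) + k * pstdev(base), min_packets)
        if pkts > threshold:
            alerts.append((second, proto, pkts, round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    for alert in anomaly_alerts(FLOWS, baseline_seconds=10):
        print("ALERT second=%d proto=%s packets=%d threshold=%.1f" % alert)
```

Because the baseline is learned from the monitored traffic itself, the learning window must predate the attack, which is one reason Parikh insists the alerting system sits in a separate datacentre from the systems it watches.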

“It is also important to train system administrators and members of the operations team how to identify and respond to the different types of DDoS attacks,” said Parikh.

Application logic attacks are typically specific to an application. They are the most difficult kind of DDoS attack to carry out, but they are also the most difficult to mitigate.

“Attackers have a lot of work to do in identifying applications and weaknesses in them to exploit, but once this is done, these attacks can be extremely effective because they are difficult to identify as they often look like quality issues,” said Parikh.

Utilisation alerts

These attacks can be monitored using threat, memory and CPU utilisation alerts, he said, again emphasising the importance of training system administrators, who can “play a vital role” in detecting and mitigating such attacks.

The most important thing for businesses to do, said Parikh, is to understand their exposure through threat modelling.

“Once you understand your exposure, think about each risk and how to mitigate it, but there is no such thing as 100% protection, so the objective is to limit the impact,” he said.

It is also useful for businesses to identify capacity limitations of devices, to ensure they are logging the right events, to ensure that everyone in the incident response team knows what to do, and to conduct regular tests of DDoS mitigation capabilities.

Testing DDoS mitigations

According to Parikh, few organisations do a good job when it comes to testing DDoS mitigations by running regular DDoS simulations. “It is very important to check that all the mitigations you have put in place are working as intended,” he said.

It is also important not to think that having bandwidth capacity provides protection, said Parikh, because businesses also need the ability to filter out the bad traffic.

“Traffic scrubbers can be on-premise, in the cloud, or businesses can use a combination of the two, paying only for cloud services when a DDoS attack is underway,” he said.

Finally, he said organisations should not forget layer 7 (application layer) controls, especially if they provide SaaS applications or any other cloud platform.

“Integrate DDoS into your incident response plans, ensure everyone in the team knows what to do and who to call, and test, test, test,” said Parikh.
