Any online business or application is vulnerable to distributed denial of service (DDoS) attacks, according to Harshil Parikh, director of security at software-as-a-service platform firm, Medallia.
It is important that such organisations take time and effort to build their DDoS defence capabilities, he said, because DDoS attacks are fairly easy and cheap for attackers to carry out.
“With the advent of botnet-based DDoS attack services that will be effective against most companies, anyone can target an organisation for just a few bitcoins,” said Parikh.
“Competitors and even disgruntled employees are able to carry out DDoS attacks that can result in loss of reputation as well as lost business worth a lot more than the attacks cost,” he said.
While loss of service capability and loss of income are the greatest risks associated with DDoS, especially for software as a service (SaaS) providers, Parikh said DDoS is also often used as a distraction.
“Attackers commonly use a DDoS attack to distract security professionals from the fact data exfiltration or other malicious activity is being carried out at the same time,” said Parikh.
There are three main types of DDoS attacks likely to face organisations. These are volumetric attacks, computational attacks and application logic attacks.
Volumetric DDoS attacks are the most common, and while they are the easiest to carry out, they are also the easiest to detect and mitigate, said Parikh.
Because volumetric attacks have been around the longest, Parikh said tools for identifying them are fairly mature and include NetFlow- and sFlow-based alerts, signature-based alerts, and resource utilisation metrics.
“Please note that alerting systems need to be in a separate datacentre to the one in which the systems being monitored are located because if they are the same location, the alerting system will be ineffective as it will also be affected by the same DDoS attack,” he said.
Computational DDoS attacks
Computational DDoS attacks focus on overwhelming the computing capacity of the targeted devices. Instead of saturating the pipes, these attacks saturate central processing units (CPUs) and firewall state tables, said Parikh.
“These attacks are becoming commercialised on the dark web and therefore more prevalent – especially where the transport layer security (TLS) or secure sockets layer (SSL) protocols are being used – because cryptography is fairly resource intensive, so all the attacker has to do is escalate that to exhaust compute capacity,” he said.
Other attacks in this category include SYN floods, domain name system (DNS) floods and hypertext transfer protocol (HTTP) floods. Ways to monitor them include signature-based alerts, CPU utilisation alerts and statistical anomaly-based alerts.
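As an added illustration (not code from the article or from Medallia) of the flow-based and statistical anomaly-based alerting mentioned above for volumetric attacks and SYN floods, the following Python detector runs over constructed NetFlow-style interval summaries; the record layout, thresholds and sample traffic are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed flow records (not real captures): (interval, proto, tcp_flags, packets, bytes).
# Intervals 0-9 are normal traffic, 10 carries a UDP volumetric spike, 11 a SYN-only flood.
def constructed_flows():
    flows = []
    for iv in range(12):
        flows += [(iv, "tcp", "SA", 12, 1500 + 10 * (iv % 3))] * 30  # completed web sessions
        flows += [(iv, "udp", "", 4, 800)] * 10                       # normal DNS/NTP
    flows += [(10, "udp", "", 7, 10000)] * 200   # interval 10: UDP volumetric spike
    flows += [(11, "tcp", "S", 1, 60)] * 100     # interval 11: half-open SYN flood
    return flows

def summarise(flows):
    """Per-interval totals: bytes, packets, TCP flows and SYN-only (half-open) TCP flows."""
    per = defaultdict(lambda: {"bytes": 0, "packets": 0, "tcp": 0, "syn_only": 0})
    for interval, proto, flags, packets, nbytes in flows:
        s = per[interval]
        s["bytes"] += nbytes
        s["packets"] += packets
        if proto == "tcp":
            s["tcp"] += 1
            if flags == "S":          # SYN seen without ACK: handshake never completed
                s["syn_only"] += 1
    return dict(sorted(per.items()))

def detect(flows, baseline=8, z_threshold=3.0, syn_ratio=0.5, min_tcp=20):
    """Return (interval, alert_type, detail) tuples.

    Volumetric: bytes in an interval exceed the rolling baseline mean by z_threshold
    standard deviations. SYN flood: share of SYN-only TCP flows exceeds syn_ratio.
    Caveat: a spike enters the baseline for the following intervals and can mask a
    second, smaller anomaly, which is one reason to alert from a separate vantage point.
    """
    per = summarise(flows)
    ivs = list(per)
    alerts = []
    for i in range(baseline, len(ivs)):
        hist = [per[j]["bytes"] for j in ivs[i - baseline:i]]
        mean, sd = statistics.mean(hist), statistics.pstdev(hist) or 1.0
        s = per[ivs[i]]
        z = (s["bytes"] - mean) / sd
        if z > z_threshold:
            alerts.append((ivs[i], "volumetric", round(z, 1)))
        if s["tcp"] >= min_tcp and s["syn_only"] / s["tcp"] > syn_ratio:
            alerts.append((ivs[i], "syn_flood", round(s["syn_only"] / s["tcp"], 2)))
    return alerts

if __name__ == "__main__":
    for alert in detect(constructed_flows()):
        print(alert)
```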
“It is also important to train system administrators and members of the operations team how to identify and respond to the different types of DDoS attacks,” said Parikh.
Application logic attacks are typically specific to an application, and are the most difficult kind of DDoS attack to carry out – but they are also the most difficult to mitigate.
“Attackers have a lot of work to do in identifying applications and weaknesses in them to exploit, but once this is done, these attacks can be extremely effective. This is because they are difficult to identify due to often looking like quality issues,” he said.
These attacks can be monitored using thread, memory and CPU utilisation alerts, he said, again emphasising the importance of training system administrators, who can “play a vital role” in detecting and mitigating such attacks.
The most important thing for businesses to do, said Parikh, is understand their exposure through threat modelling.
“Once you understand your exposure, think about each risk and how to mitigate it – but there is no such thing as 100% protection, so the objective is to limit the impact,” he said.
It is also useful for businesses to identify capacity limitations of devices, to ensure they are logging the right events, that everyone in the incident response team knows what to do and to conduct regular tests of DDoS mitigation capabilities.
Testing DDoS mitigations
According to Parikh, few organisations do a good job when it comes to testing DDoS mitigations by running regular DDoS simulations. “It is very important to check all the mitigations you have put in place are working as intended,” he said.
It is also important not to think that having bandwidth capacity provides protection, said Parikh, because businesses also need the ability to filter out the bad traffic.
“Traffic scrubbers can be on-premise, in the cloud, or businesses can use a combination of the two, paying only for cloud services when a DDoS attack is underway,” he said.
Finally, he said organisations should not forget layer 7 (application layer) controls, especially if they provide SaaS applications or any other cloud platform.
“Integrate DDoS into your incident response plans, ensure everyone in the team knows what to do and who to call, and test, test, test,” said Parikh.