Cyber Risks: DDoS Attacks
Distributed denial-of-service (DDos) attacks are on the rise again, with cheap tools available to launch them and cybercrminals using DDoS as part of broader attacks.
In a DDoS attack, a cybercriminal overwhelms your Internet-facing resources with so many demands that they slow to a crawl or stop responding entirely. Defending against DDoS attacks often requires expert help, and we can connect you with the experts you need to prepare for and manage the attack.
The stages of an attack
Reconnaissance
Sophisticated attacks may start with social engineering in order to get information about an organization’s website set-up and resources, the size of the IT team, the capacity to pay a ransom, and other sensitive information.
Exploratory attacks
But in a typical attack, one cybercriminal starts with a limited DDoS attack against a web target. Then they engage in further larger attacks until they identify the attack size needed to make the target completely inaccessible. That cybercriminal may then continue or, more often, sell the details on the dark web for another cybercriminal to exploit later.
An organization may believe the attack was all over, while in fact another cybercriminal could purchase the attack details and launch it at any time. In some cases, it may be months or years before the attack occurs.
You should interpret consecutive and progressive DDOS attacks as a warning sign. Even if no significant DDoS attack happens or it happens for a short time, you should be prepared for worse.
The main attack
Attacks are typically motivated by money (for ransom) or simply the desire to harm (for political, activist, or competitive reasons), and may be timed to occur before a major event (such as Black Friday). Typically, the cybercriminal uses a network of compromised systems to generate the traffic involved in the attack. Social engineering may continue during such an attack, with cybercriminals posing as service providers who can assist with containment and recovery relating to the attack.
Broadly speaking, DDoS attacks are an attempt to bring down a system or a resource, by flooding it with excessive demands intended to consume the available bandwidth or exhaust an application server.
Possible phased attack
Sophisticated attacks may occur in stages intended to overwhelm the organization’s IT team. The cybercriminal may target the organization’s website, and then other website components such as login pages or contact forms, in order to disrupt the website. The attack may also serve as cover for other activity separate from the DDoS attack, such as targeting backups, stealing data, or launching ransomware.
Demand
The cybercriminal demands a ransom in order to stop the attack and allow the organization to recover. In attacks motivated by political or terrorist goals, however, disruption may be the sole goal, with no ransom demand.
How to protect against DDoS attacks
Understand and document your critical assets
Protection starts with an understanding of your Internet-facing systems and determining what needs to be protected.
Get help with network design and tuning
Many resources are available to help prevent DDoS attacks but they need to be set up properly and tested under stress. Load balancers spread network traffic to reduce overloads. Web application firewalls (WAFs) can restrict the types of traffic that go to application servers, while input validation can reject web requests that are intended to cause delays. Major cloud providers and expert vendors also offer specialized networks or infrastructure designed specifically to mitigate DDoS.
Understand and test the security functionality of your systems and software
Work with your Internet service provider (ISP) to understand what protections against DDoS they provide as part of your service. Consider a cloud security assessment to test for vulnerabilities in your cloud services.
Cloud-based DDoS mitigation service
Consider providers like Cloudflare or Akamai that offer DDoS protection for both network-layer and application-layer attacks. Reducing and controlling these attacks is much more efficient if that fallback infrastructure is set up ahead of time. We can help by making introductions with the right vendors before an incident occurs.
How to respond to a DDoS attack
When facing a DDoS attack, swift and strategic action is crucial. We encourage everyone to get in touch with our teams right away. If you are already working with our teams, you'll have an incident response plan that should be activated. This ensures all relevant team members are notified promptly and that all necessary steps are taken.
If you're going solo, implement traffic filtering mechanisms to mitigate the attack, such as deploying firewalls or using specialized DDoS mitigation services. Keep communication channels open with your internet service provider (ISP) to collaborate on filtering malicious traffic. Monitor the situation closely to adapt your defenses as the attack evolves. Finally, document all actions taken for post-incident analysis and future prevention strategies. Swift, coordinated response and adaptive defense mechanisms are key to minimizing the impact of a DDoS attack.
We can't stress the need for speed enough. If you're already a client, don't hesitate to contact us. If you're not, let's discuss IR planning and playbook development to make sure you have the steps outlined, and get you on an IR retainer to speed our ability to respond on your behalf.
Speed is critical in the event of a DDoS attack. Let's review your IRP or create playbooks specific to your industry and environment.