4 ways to prepare for and fend off DDoS attacks
Cyber attacks of all kinds are on the rise. It is a trend you ignore at your own peril. National Security Agency and U.S. cyber-command chief Keith Alexander said in July that Internet attacks of all sorts surged 44 percent in 2011 and are responsible for what he terms the "greatest transfer of wealth in history."
In a world where you can rent an already-hacked botnet for about $20 to start your attack, and in a world where a criminal enterprise industry has developed to support amplifying attacks in progress, it is important to understand that these types of attacks are simply not going away. Are you ready for them? Are you considering the right points? Here are four strategies to help your organization prepare for and defend against Distributed Denial of Service (DDoS) events in the future.
1. Consider over-provisioning a service in advance
Most of us develop systems on strict budgets. There is a general resistance among financial types as well as information executives to paying for unused capacity. This makes good sense in and of itself—why waste your dollars on capacity, either bandwidth or compute, that you are not using? Many companies scale their systems to match a predictable but legitimate peak, such as Black Friday, Cyber Monday or another annual peak load.
In a DDoS attack, however, your site or resource can experience loads many times greater than even your highest peak activity—on the order of 10 or 20 times, if not more. Mind you, I'm not suggesting you budget capacity to pay hackers to blast your network with packets. While you are speccing bandwidth and compute resources, though, it makes sense to give yourself a healthy margin of error, even on top of your peak.
With the advent of cloud computing, this has become easier. In most cases, it's simple to spin up additional resources to either meet legitimate demand or ensure access to your services in the event your primary hosting site is under attack. Internet service providers and other providers are also usually quick to offer burst capabilities with their contracts. This way, you can access an assured, ready additional amount of capacity in the event you need it while not necessarily paying full price for it during those times when your load doesn't demand it.
2. Don't be bashful about asking for help
Many companies and businesses specialize in assisting customers before, during and after a cyber attack—and they serve all levels of clients. Akamai Technologies, Level 3 Communications and Limelight Networks, for example, all serve large customers with highly trafficked sites, but their rates begin north of $10,000 per month just for a basic level of assistance. On the other hand, startups such as CloudFlare offer to take onto themselves the load of distributing your site across multiple datacenters. They then engage in detection and mitigation services without involving your team. CEO Matthew Prince says CloudFlare datacenters see "more traffic than Amazon, Wikipedia, Zynga, Twitter, Bing and AOL combined." If true, this certainly puts the company in the first tier of network experience and engagement.
With attacks increasing yearly and with no relief in sight, it's important to engage a firm that meets your needs and get its assistance before an event. DDoS attacks are an expensive problem, but nowadays defense against them is becoming simply a price of doing business on the Web. After all, consider the revenue loss if your site were to become unavailable to the Internet. Every minute your page can't be reached, dollars destined for your company's coffers spill away to other businesses. The protection should seem justified when you think about it that way.
3. During a DDoS attack, be quick to dump log files
As network capacity increases, attacks become cheaper to mount, so attackers can scale the severity of their activities quite easily. According to Alex Caro, CTO and vice president of services for Asia Pacific and Japan for Akamai, "the biggest attack that we've seen is around 150 Gbps, and we expect much larger attacks in the future."
As you can imagine, at that level logging explodes—on your servers themselves, as well as on the attendant devices that care for and feed your network. Firewalls, unified threat monitoring devices, servers and other systems usually can't keep up with logging each individual request when an actual attack is in progress. Typically these devices begin falling over under the sheer load of logging each and every request, and their failures cause chain reactions with linked devices and systems, making the attack much more severe than just a lot of traffic. (That is much of the secret to DDoS attacks in the first place: Causing enough load that other systems than the one you are initially targeting begin failing.)
These chain reactions are often difficult to predict and recover from. Consider the botched recovery job Amazon suffered with its Elastic Compute Cloud service after the power outages in the Washington, D.C. area in early 2012. While not an attack, once servers in the datacenter began recovering after utility power was restored, the large number of reboot requests created its own little denial of service and prevented many virtual instances from powering back up until the load lightened. The moral of this story: Don't hesitate to dump your logs quickly once you know you're under attack and they're not giving you any more useful information.
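The failure mode described above is per-request logging that grows linearly with attack traffic until the logging device itself falls over. One defensive pattern is to make the logger adaptive: write full per-request lines while traffic is within a budget, and once the budget for a time window is exhausted, drop per-request detail (keeping only a thin sample) and emit a single per-window summary with counts and the top source addresses, so the log still tells you what is happening without becoming part of the outage. The following is an added example written for this article, not code from the original or from any vendor named in it; the class name, the budget and sampling parameters, and the traffic in `simulate()` (including the RFC 5737 documentation addresses) are all constructed assumptions.

```python
"""Adaptive request logger: full per-request lines while traffic is normal,
sampled lines plus a per-window aggregate once the rate exceeds a budget.
Constructed example for illustration; parameters are assumptions, not defaults
of any real product."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AdaptiveLogger:
    detail_budget: int = 100          # max detailed lines per window (assumed tunable)
    window_seconds: float = 1.0       # length of an aggregation window
    sample_every: int = 1000          # once over budget, keep 1 in N requests
    lines: list = field(default_factory=list)  # stands in for the real log sink
    _window_start: float = 0.0
    _seen: int = 0
    _detailed: int = 0
    _dropped: int = 0
    _sources: Counter = field(default_factory=Counter)

    def log_request(self, now: float, src_ip: str, path: str) -> bool:
        """Record one request. Returns True if a detailed line was written."""
        if now - self._window_start >= self.window_seconds:
            self._flush_window(now)
        self._seen += 1
        self._sources[src_ip] += 1
        # Detailed line while under budget; afterwards only a thin sample.
        if self._detailed < self.detail_budget or self._seen % self.sample_every == 0:
            self._detailed += 1
            self.lines.append(f"{now:.3f} REQ {src_ip} {path}")
            return True
        self._dropped += 1   # counted, not written: this is the "dump the logs" step
        return False

    def _flush_window(self, now: float) -> None:
        """Emit one summary line for the window that just ended and reset counters."""
        if self._seen:
            top = self._sources.most_common(3)
            self.lines.append(
                f"{self._window_start:.3f} SUMMARY requests={self._seen} "
                f"detailed={self._detailed} dropped={self._dropped} top_sources={top}"
            )
        self._window_start = now
        self._seen = self._detailed = self._dropped = 0
        self._sources = Counter()

    def close(self, now: float) -> None:
        """Flush the final window (call at shutdown or at end of a test run)."""
        self._flush_window(now)


def simulate() -> AdaptiveLogger:
    """Constructed traffic: one quiet second, then one second of flood from three sources."""
    log = AdaptiveLogger()
    # Normal traffic: 50 requests from 50 distinct clients in [0, 1).
    for i in range(50):
        log.log_request(now=i / 50, src_ip=f"198.51.100.{i + 1}", path="/index.html")
    # Flood: 5000 requests in [1, 2) from three addresses (constructed, RFC 5737 range).
    attackers = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for i in range(5000):
        log.log_request(now=1.0 + i / 5000, src_ip=attackers[i % 3], path="/")
    log.close(now=2.0)
    return log


if __name__ == "__main__":
    for line in simulate().lines:
        if " SUMMARY " in line:
            print(line)
```

With the constructed traffic, the quiet window produces 50 detailed lines and one summary; the flood window produces 100 detailed lines, 5 sampled lines and one summary reporting 4,895 dropped requests and the three source addresses, which is exactly the information an incident team needs and a small fraction of the 5,000 lines a naive logger would have tried to write.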
4. Have a good response plan ready
If you experience a DDoS attack, you likely won't have a chance to develop a response plan at the time of impact. Your services will be degraded, if not disabled completely, and your highest priority will be restoring service and stopping the attack. These actions are aided by a detailed plan of mitigation developed in advance of an event.
Blogger Lenny Zeltser has created a good-looking template for an incident response plan. His DDoS Cheat Sheet includes steps such as preparing contact lists and procedures in advance, analyzing the incident as it happens and spinning up your response processes, performing the mitigation steps you've outlined for your action team and, finally, performing a thorough post-mortem to document lessons learned and amend the response plan with that experience for future incidents.
One takeaway here: Everyone works better during a crisis when there is a predefined procedure, with checklists and next actions already clearly laid out. Don't deprive your incident response team of this wisdom. This is something you can do today at no cost. Get a team together, talk about your response and write the plan down. Be prepared.
DDoS attacks, cyber-intrusion events and other nefarious acts are simply a fact of life in an Internet-connected world. The key responsibility you have as a CIO is to make sure you have prepared for attacks, have a plan to mitigate them when they occur and have done your best to make your company able to withstand the attacks. The prospect of facing an attack with anything less should be a scary thought that kicks you into gear.