Select Page

Distributed Denial of Service (DDoS) attacks are becoming very common these days. In the recent months, the hacktivist collective Anonymous made it as a prime method for attacking prominent websites.

Many a times the DDoS attacks acts as a curtain to the real hack attack. For example, if someone wants to have an attack on your infrastructure they kick that attack process with a DDoS attack. Obliviously, the companies with limited number of IT team (for reasons of cost cutting n stuff like that) would start responding to the DDoS attack and the full attention would go on the DDoS attack. Silently, the attackers would be using their time breaking into the network / application, which may not get noticed by the Admins as they are trying to fix the DDoS attack which was prominent and directly hitting the business. This shows the importance of managing the DDoS attacks and developing some strategies to respond to DDoS attacks.

  • The first thing the business should understand is that they are vulnerable to a DDoS attack. Any business entity with an online presence is vulnerable to a DDoS attack as the attackers are of with different interest. No one thought that the PlayStation network would be a target as it was just a gaming network, still the attackers used SQL injection techniques to get into the system. .If you know your weakness and you would be able to find a way to mitigate / reduce the risk.
  • Attackers can perform a  DDoS attack easily and occasionally with cheap investment. The Anonymous group has performed that recently in retaliation to the MegaUpload CEO arrest incident. Recently, one of the key Anonymous Twitter handle reached 1/2 million followers. For example, one just need around 5000 agents (bots) or less to keep the online banking server of a mid sized bank offline. Many such small bot networks exists in the internet. One of the key response to such botnets would be to have a scalability plan.
  • Do a DDoS risk assessment. Not all the components of your infrastructure is vulnerable to a DDoS attack. The key step is to identify the potential components of your infrastructure which vulnerable to a DDoS attack. Many a times, it would be the server or web application targeted, the internet pipe of your company, Firewall, IPS, etc.. Once during an IPS evaluation, the pre-sales consultant raised a question .Why your company requires a very high through put while the general traffic is not that high.. The difference in investment between the one proposed by the pre-sales consultant and the one we wanted was less than USD 5000.
  • Application Layer attacks are easy to perform. Many of the webservers are configured to limit the number of simultaneous connections so that the server can handle the requests effectively utilizing its resources. Apache by default limits it to 50 clients, though it can be changed. If a server is using the default configuration, any connections beyond the 50th one would not be successful. Similarly, admins set or use the specific configurations to ensure optimum performance. A DDoS attack at the application layer often exploits this.
  • Plan for large attacks, it will make it easy to handle the small ones. Many of the DDoS attacks are network focused, eating up your network bandwidth. This can be handle to some extent with the help of your Internet Service Provider. It is a key process to build relationships and if possible working agreements with the ISP(s) to support responding to DDoS attacks
  • Build an incident response plan towards DDoS attacks. Once you identify the potential bottlenecks of your network which can be prone to DDoS attack, build a plan to respond. Most of the Information Security programs have incident response plans, include DDoS response as part of the plan. Key response items would be to build resilience to your infrastructure, scalability of resources for servers and applications, coordination with ISP.s for traffic teardown etc. Though it could be once in a lifetime incident, it should be responded well as it can have severe damage on the reputation of the company.
  • Finally, deploy countermeasures. Many of the IPS devices can detect and respond to DDoS attacks. The effectiveness would depend on the type of attack. If the attacks are focused on specific server or application, it is found to be somewhat effective for smaller DDoS attacks. There are many technical solutions available, to compact specific types of DDoS attacks.

As mentioned in an earlier article (Advanced Persistent Threats), .it is about when are you going to be attacked and is not whether you will get attacked.. If you are targeted by attackers, it is time for you to work hard and plan ahead so that you can respond effectively to DDoS attacks and thereby to advanced persistent threats