Risk
9/11/2013
04:30 PM
50%
50%

Federal DDoS Warnings Are Outdated

We shouldn't be relying on sporadic government warnings about potential distributed denial of service attacks. Having a comprehensive DDoS plan already in place is security 101.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
It's always the same: Government cybersecurity experts learn of pending distributed denial of service attacks, especially around the anniversary of Sept. 11, and issue warning after warning after warning, as though security is something we can do on a "per-warning" basis.

I really don't understand this way of approaching security or why government agencies believe such warnings are helpful. I'm not saying we shouldn't be warned -- not at all. What I'm saying is that we shouldn't wait for a warning before we do something about security.

On Aug. 5, for instance, the FBI issued a warning that the same groups behind the unsuccessful Operations USA and Operation Israel attacks in May were planning a new DDoS attack. Their recommendations leave me perplexed. For instance, they suggest:

-- Implement backup and recovery plans. Really? We're supposed to wait for a warning on a 9/11 DDoS threat to know that we need to do this? We're in serious trouble if that's the case.

[ Yes, the National Security Agency snoops on cell phones. Here's how: NSA Vs. Your Smartphone: 5 Facts. ]

-- Scan and monitor emails for malware. Again, really? This is a recommendation? Is there truly anyone out there who still doesn't do this? And, if there is, they deserve whatever happens to their network, I say.

-- Outline DDoS mitigation strategies. Finally, something a bit more relevant. I know for a fact that most companies aren't putting much thought into DDoS defense strategy. Unfortunately, if you're hosting a server with public access, you've no choice but to consider this with the utmost seriousness. Just how seriously, you ask? Well, that all depends on how much of your company's livelihood hinges on that server.

It's an undeniable fact of our Internet life that these things will keep happening. No matter if it's 9/11 or OpUSA or a private single hacker from Russia or China. They'll continue to happen, and we all understand the need to be prepared.

DDoS preparedness is accomplished as a strategy. It involves hardware, large bandwidth, ISP collaboration, remote redundancy and other possible strategies for defense and elusion. This isn't anti-malware. You can't create a signature or heuristic against DDoS. This is sheer brute force in that you win if you're stronger, or if you're the more elusive, so they can't really get you.

And that's precisely why you need a strategy, and you need to plan it now. You can also purchase hardware -- but make it part of a strategy. Don't expect it to be the one and only thing you need to do to fend off a DDoS attack.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
solardalek
50%
50%
solardalek,
User Rank: Apprentice
9/16/2013 | 2:44:10 PM
re: Federal DDoS Warnings Are Outdated
>> DDoS warnings seem to fall in the same category of the color coded
terrorist alert warnings that DHS started issuing after 9/11. Some
action seems more defensible than no action.

You sure about that? Have you noticed that we've been in "orange" forever?

Rather than wait for some slow committee-driven alert, why not look for DDoS signs from your own systems? Get something like SolarWinds "Log & Event Manager", then watch for high alert traffic volumes or specific messages about IP lockouts, ridiculous connection attempts and other signals of an attack yourself.

To misquote Donnie from "Mystery Alaska": This is log analysis, OK? It's not rocket surgery."
WKash
50%
50%
WKash,
User Rank: Apprentice
9/12/2013 | 9:16:43 PM
re: Federal DDoS Warnings Are Outdated
DDoS warnings seem to fall in the same category of the color coded terrorist alert warnings that DHS started issuing after 9/11. Some action seems more defensible than no action.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.