

05:10 PM

Creating A DDoS Response Playbook

A new report details challenges posed by DDoS attacks that you might not have considered.

Short, powerful bursts -- those are the words that can best describe the way distributed denial-of-service (DDoS) attacks are hitting enterprises.

In its 2014 Mid-Year Threat Report released today, NSFOCUS found not only a marked increase in attacks targeting Internet Service Providers (ISPs), enterprises and online gaming sites, but also a continuation of the trend of shorter DDoS attacks.

"According to NSFOCUS monitoring and analysis of the latest DDoS trend, the majority of DDoS attacks continue to be short in duration with repeated frequency," says Yonggang Han, chief operating officer of global business at NSFOCUS. "This ongoing trend indicates that latency-sensitive websites, ISPs, e-commerce, online gaming, and hosting service providers should become well prepared to implement proactive security solutions that support instant response. Rapid response after the detection of an attack is key to enabling defense and mitigation."

But even an organization with a well-crafted response plan can run into surprises once it is actually dealing with an attack.

"DDoS attacks impact all users of the company's services, including non-technical departments," says Lisa Beegle, manager of customer security CSM at Akamai. "Communication is key. The majority of stakeholders don't understand the complexity behind DDoS mitigation or the broad range of impact that a DDoS attack can have on their organization."

According to Dan Holden, director of Arbor's Security Engineering & Response Team (ASERT), organizations should make sure that DDoS response doesn't take away from other incident response. "It should be assumed that DDoS could be a part of a larger or more focused attack."

It is also risky to assume that DDoS is only a networking or pure traffic flood-type of attack, he says. Application attacks are potentially far more dangerous and are a sign of a more focused attacker and a serious campaign.

According to the NSFOCUS report, the top three DDoS attack methods during the first six months of the year were HTTP flood, TCP flood, and DNS flood. Together, they comprised 84.6% of all attacks. DNS flood attacks remained the most popular attack technique, accounting for 42% of all attacks. TCP flood attacks grew substantially, however, while the number of DNS and HTTP flood attacks decreased.

More than 90% of the attacks detected by NSFOCUS lasted less than 30 minutes. DDoS traffic volume increased overall during the period, with a third of attacks peaking at 500 Mbit/s and more than 5% reaching volumes of 4 Gbit/s. In addition, the report found that more than 50% of DDoS attacks exceeded 0.2 million packets per second (Mpps), and more than 2% of DDoS attacks were launched at a rate above 3.2 Mpps.

While shorter attacks are the norm, there are longer attacks as well. The single longest attack lasted nine days and 11 hours, while the single largest attack in terms of packets per second peaked at 23 million pps. Almost 43% of victims were attacked more than once, and one in every 40 victims was hit more than 10 times.

"Insufficient network and security architecture to ensure availability is [a] priority," says Holden. "Many times, perceived security solutions can only add to the possibility of availability failure. We also see victims of DDoS attacks struggle with understanding when to use on-premise vs. cloud-based mitigation services. This is going to be unique to each network. It requires an understanding of what is normal traffic, how much abnormal traffic can be tolerated, and how much time internal security personnel can spend working on an incident."

The keys to defending against any DDoS attack are the speed with which enterprises can identify and detect the attack and how fast they can begin mitigation of the attack, Han says.

"That is to say, it's always better to have a DDoS attack mitigation and incident response plan," he says. "Pre-planning and testing are critical to map out and refine processes and responsibilities. The quicker the attack can be identified and defenses can come to bear, the better off enterprises are in a DDoS attack -- accurate and fast detection is the first layer of defense."
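Holden's point about knowing what normal traffic looks like and how much abnormal traffic can be tolerated, and Han's point that fast, accurate detection is the first layer of defense, both come down to a concrete question: at what rate does a counter trip, and how are repeated short bursts turned into an incident record? The following is an added example, not code from the article, NSFOCUS, Arbor or Akamai. It learns a baseline from a known-clean window of per-second packet counts, applies a site-specific tolerance multiplier (an assumed value), and groups above-threshold seconds into attack episodes so a responder can see duration, peak rate and how many times the same target was hit. The sample traffic is constructed.

```python
"""Burst detection over per-second traffic counters.

Added example (not from the Dark Reading article or any vendor tool): a
baseline-plus-tolerance detector that turns a stream of per-second packet
counts into attack episodes, so a responder can see duration, peak rate and
how often the same target is hit. Thresholds and sample data are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class Episode:
    start: int      # second index where the burst began
    end: int        # last second index that was still above threshold
    peak_pps: int   # highest packet rate seen during the episode

    @property
    def duration(self) -> int:
        return self.end - self.start + 1


def baseline_threshold(samples, tolerance: float = 4.0) -> float:
    """Return the pps level above which traffic is considered abnormal.

    The baseline is the median of the training window (robust to spikes);
    'tolerance' is how many multiples of the baseline the network can absorb
    before mitigation must start. Both values are site-specific assumptions.
    """
    base = median(samples)
    return base * tolerance


def detect_episodes(samples, threshold, min_gap: int = 3):
    """Group consecutive above-threshold seconds into episodes.

    Gaps shorter than 'min_gap' seconds are treated as part of the same
    burst, so a flapping flood is not counted as many separate attacks.
    """
    episodes = []
    current = None
    quiet = 0
    for t, pps in enumerate(samples):
        if pps > threshold:
            if current is None:
                current = Episode(start=t, end=t, peak_pps=pps)
            else:
                current.end = t
                current.peak_pps = max(current.peak_pps, pps)
            quiet = 0
        elif current is not None:
            quiet += 1
            if quiet >= min_gap:
                episodes.append(current)
                current = None
                quiet = 0
    if current is not None:
        episodes.append(current)
    return episodes


def summarize(episodes):
    """Figures the playbook asks for: how many hits, the longest, the largest."""
    if not episodes:
        return {"hits": 0, "longest_s": 0, "peak_pps": 0}
    return {
        "hits": len(episodes),
        "longest_s": max(e.duration for e in episodes),
        "peak_pps": max(e.peak_pps for e in episodes),
    }


# Constructed sample: 60 seconds of per-second packet counts for one
# target. Normal traffic idles around 50k pps; two short bursts are injected.
NORMAL = [50_000 + (i % 7) * 1_000 for i in range(60)]
SAMPLES = list(NORMAL)
for t in range(10, 18):          # 8-second burst peaking at 3.2 Mpps
    SAMPLES[t] = 3_200_000 if t == 14 else 800_000
SAMPLES[15] = 40_000            # one quiet second inside the burst (flapping)
for t in range(40, 44):          # second, smaller burst
    SAMPLES[t] = 600_000


def run_sample():
    """Train on the clean window, then scan the window with bursts."""
    threshold = baseline_threshold(NORMAL)
    episodes = detect_episodes(SAMPLES, threshold)
    return threshold, episodes, summarize(episodes)


if __name__ == "__main__":
    thr, eps, summary = run_sample()
    print(f"threshold: {thr:,.0f} pps")
    for e in eps:
        print(f"burst t={e.start}-{e.end} ({e.duration}s), peak {e.peak_pps:,} pps")
    print(summary)
```

The median baseline and the `min_gap` merge are the two choices worth tuning per network: a mean baseline is dragged upward by the very bursts you are trying to catch, and without the merge a flood that drops below threshold for a single second would be logged as two attacks, inflating the "hit more than once" count that feeds escalation decisions.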

Beegle advises organizations to identify who will communicate information back to the lines of business during a DDoS attack, so that IT does not get deluged with calls from line-of-business users and others asking what is occurring.

"As you create your playbook, don't forget to identify who the application owners are within each line of business," she says. "Then, build an internal talk track so they can ask the right questions during mitigation. Talk to them to get an understanding of the types of questions and issues they would potentially have during a DDoS event."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

User Rank: Moderator
9/24/2014 | 1:35:14 PM
Preventative tools to protect against future attacks
It's no secret that DDoS is still such a hot topic when it comes to protecting critical services, no matter which industry you are in. Sadly, these attacks are more focused on sites that provide streaming content as outlined in the article, and so when they happen, they can cause significant chaos. Many ISPs offer DDoS protection as a service, which is a great option for organizations who need a bit of help being proactive to mitigate these attacks when they happen.