Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

9/23/2014 05:10 PM

Creating A DDoS Response Playbook

A new report details challenges posed by DDoS attacks that you might not have considered.

Short, powerful bursts -- those are the words that can best describe the way distributed denial-of-service (DDoS) attacks are hitting enterprises.

In its 2014 Mid-Year Threat Report released today, NSFOCUS found not only a marked increase in attacks targeting Internet Service Providers (ISPs), enterprises and online gaming sites, but also a continuation of the trend of shorter DDoS attacks.

"According to NSFOCUS monitoring and analysis of the latest DDoS trend, the majority of DDoS attacks continue to be short in duration with repeated frequency," says Yonggang Han, chief operating officer of global business at NSFOCUS. "This ongoing trend indicates that latency-sensitive websites, ISPs, e-commerce, online gaming, and hosting service providers should become well prepared to implement proactive security solutions that support instant response. Rapid response after the detection of an attack is key to enabling defense and mitigation."

But even if an organization has a well-crafted response plan, an attack can still bring a number of surprises.

"DDoS attacks impact all users of the company's services, including non-technical departments," says Lisa Beegle, manager of customer security CSM at Akamai. "Communication is key. The majority of stakeholders don't understand the complexity behind DDoS mitigation or the broad range of impact that a DDoS attack can have on their organization."

According to Dan Holden, director of Arbor's Security Engineering & Response Team (ASERT), organizations should make sure that DDoS response doesn't take away from other incident response. "It should be assumed that DDoS could be a part of a larger or more focused attack."

It is also risky to assume that DDoS is only a networking or pure traffic flood-type of attack, he says. Application attacks are potentially far more dangerous and are a sign of a more focused attacker and a serious campaign.

According to the NSFOCUS report, the top three DDoS attack methods during the first six months of the year were HTTP flood, TCP flood, and DNS flood. Together, they comprised 84.6% of all attacks. DNS flood attacks remained the most popular attack technique, accounting for 42% of all attacks. TCP flood attacks grew substantially, however, while the number of DNS and HTTP flood attacks decreased.

More than 90% of the attacks detected by NSFOCUS lasted less than 30 minutes. DDoS traffic volume increased overall during the period, with a third of attacks peaking at 500 Mbit/s and more than 5% reaching volumes of 4 Gbit/s. In addition, the report found that more than 50% of DDoS attacks exceeded 0.2 million packets per second (Mpps), and more than 2% of DDoS attacks were launched at a rate of more than 3.2 Mpps.

While shorter attacks are the norm, there are longer attacks as well. The single longest attack lasted nine days and 11 hours, while the single largest attack, measured in packets per second, peaked at 23 million pps. Almost 43% of victims were attacked more than once, and one in every 40 victims was hit more than 10 times.

"Insufficient network and security architecture to ensure availability is [a] priority," says Holden. "Many times, perceived security solutions can only add to the possibility of availability failure. We also see victims of DDoS attacks struggle with understanding when to use on-premise vs. cloud-based mitigation services. This is going to be unique to each network. It requires an understanding of what is normal traffic, how much abnormal traffic can be tolerated, and how much time internal security personnel can spend working on an incident."

The keys to defending against any DDoS attack are the speed with which enterprises can identify and detect the attack and how fast they can begin mitigation of the attack, Han says.

"That is to say, it's always better to have a DDoS attack mitigation and incident response plan," he says. "Pre-planning and testing are critical to map out and refine processes and responsibilities. The quicker the attack can be identified and defenses can come to bear, the better off enterprises are in a DDoS attack -- accurate and fast detection is the first layer of defense."
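The three ingredients Holden and Han describe (a baseline of normal traffic, a stated tolerance for abnormal traffic, and detection fast enough to trigger mitigation within a short burst) can be turned into a concrete check. The following is an added example, not code from the article or from NSFOCUS, Arbor or Akamai: it builds a baseline from a window of per-second packet counters, flags seconds that exceed the tolerated level, groups them into attack events with a duration and peak rate, and labels each event by its dominant traffic class using the same flood categories the report uses (DNS, TCP, HTTP). The input format, the thresholds and the sample counters are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample: one tuple per second as (second, packets per second,
# dominant traffic class for that second). Real input would come from a
# flow collector or interface counters; this format is an assumption.
SAMPLE_COUNTERS = [
    (0, 980, "tcp/80"), (1, 1020, "tcp/80"), (2, 1005, "udp/53"),
    (3, 995, "tcp/443"), (4, 1010, "tcp/80"), (5, 990, "udp/53"),
    (6, 1000, "tcp/80"), (7, 1015, "tcp/443"), (8, 985, "tcp/80"),
    (9, 1000, "udp/53"),
    # five-second DNS flood burst (constructed)
    (10, 180000, "udp/53"), (11, 200000, "udp/53"), (12, 195000, "udp/53"),
    (13, 190000, "udp/53"), (14, 120000, "udp/53"),
    (15, 1010, "tcp/80"), (16, 990, "tcp/80"), (17, 1000, "tcp/443"),
    # one-second SYN spike, shorter than the minimum event duration
    (18, 50000, "tcp/syn"),
    (19, 1005, "tcp/80"),
]

# Map a traffic class to the flood category used in the NSFOCUS report.
KIND_BY_CLASS = {
    "udp/53": "DNS flood",
    "tcp/syn": "TCP flood",
    "tcp/80": "HTTP flood",
    "tcp/443": "HTTP flood",
}


@dataclass
class Event:
    start: int       # first second above threshold
    end: int         # last second above threshold
    peak_pps: int    # highest per-second packet rate seen in the event
    kind: str        # dominant flood category

    @property
    def duration(self) -> int:
        return self.end - self.start + 1


def baseline(counters):
    """Mean and population std-dev of pps over a window known to be normal."""
    pps = [c[1] for c in counters]
    return mean(pps), pstdev(pps)


def _finish(event, class_totals, events, min_seconds):
    """Label a closed event by its dominant class and keep it if long enough."""
    dominant = max(class_totals, key=class_totals.get)
    event.kind = KIND_BY_CLASS.get(dominant, "unknown")
    if event.duration >= min_seconds:
        events.append(event)


def detect(counters, normal_window, tolerance=3.0, floor_pps=5000, min_seconds=2):
    """Group consecutive seconds above the tolerated rate into Events.

    tolerance   -- how many standard deviations above the baseline mean is
                   still "normal"; this is the organization's stated tolerance.
    floor_pps   -- absolute floor so noise on a tiny baseline is not an alert.
    min_seconds -- ignore single-sample blips that no responder could act on.
    """
    mu, sigma = baseline(normal_window)
    threshold = max(mu + tolerance * sigma, floor_pps)
    events, current, class_totals = [], None, {}
    for sec, pps, klass in counters:
        if pps > threshold:
            if current is None:
                current = Event(start=sec, end=sec, peak_pps=pps, kind="")
                class_totals = {}
            current.end = sec
            current.peak_pps = max(current.peak_pps, pps)
            class_totals[klass] = class_totals.get(klass, 0) + pps
        elif current is not None:
            _finish(current, class_totals, events, min_seconds)
            current = None
    if current is not None:  # event still open at the end of the window
        _finish(current, class_totals, events, min_seconds)
    return events


def run_example():
    """Use the first ten (normal) seconds as the baseline window."""
    return detect(SAMPLE_COUNTERS, SAMPLE_COUNTERS[:10])


if __name__ == "__main__":
    for ev in run_example():
        print(f"{ev.kind}: seconds {ev.start}-{ev.end} "
              f"({ev.duration}s), peak {ev.peak_pps} pps")
```

On the constructed sample the detector reports one DNS flood lasting five seconds with a 200,000 pps peak and discards the one-second SYN spike, which is the kind of decision a playbook has to make explicitly: the tolerance and minimum duration encode how much abnormal traffic the organization accepts before it starts paying the cost of a response.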

Beegle advised organizations to identify who will communicate information back to the lines of business during a DDoS attack, so that IT does not get deluged with calls from line-of-business users and others asking what is occurring.

"As you create your playbook, don't forget to identify who the application owners are within each line of business," she says. "Then, build an internal talk track so they can ask the right questions during mitigation. Talk to them to get an understanding of the types of questions and issues they would potentially have during a DDoS event."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Stratustician (User Rank: Moderator), 9/24/2014 1:35:14 PM
Preventative tools to protect against future attacks
It's no secret that DDoS is still such a hot topic when it comes to protecting critical services, no matter which industry you are in. Sadly, these attacks are more focused on sites that provide streaming content as outlined in the article, and so when they happen, they can cause significant chaos. Many ISPs offer DDoS protection as a service, which is a great option for organizations who need a bit of help being proactive to mitigate these attacks when they happen.