
Creating A DDoS Response Playbook

A new report details challenges posed by DDoS attacks that you might not have considered.

Short, powerful bursts -- those are the words that can best describe the way distributed denial-of-service (DDoS) attacks are hitting enterprises.

In its 2014 Mid-Year Threat Report released today, NSFOCUS found not only a marked increase in attacks targeting Internet Service Providers (ISPs), enterprises and online gaming sites, but also a continuation of the trend of shorter DDoS attacks.

"According to NSFOCUS monitoring and analysis of the latest DDoS trend, the majority of DDoS attacks continue to be short in duration with repeated frequency," says Yonggang Han, chief operating officer of global business at NSFOCUS. "This ongoing trend indicates that latency-sensitive websites, ISPs, e-commerce, online gaming, and hosting service providers should become well prepared to implement proactive security solutions that support instant response. Rapid response after the detection of an attack is key to enabling defense and mitigation."

But even if an organization has a well-crafted response plan, there could very well be a number of surprises for organizations dealing with an attack.

"DDoS attacks impact all users of the company's services, including non-technical departments," says Lisa Beegle, manager of customer security CSM at Akamai. "Communication is key. The majority of stakeholders don't understand the complexity behind DDoS mitigation or the broad range of impact that a DDoS attack can have on their organization."

According to Dan Holden, director of Arbor's Security Engineering & Response Team (ASERT), organizations should make sure that DDoS response doesn't take away from other incident response. "It should be assumed that DDoS could be a part of a larger or more focused attack."

It is also risky to assume that DDoS is only a networking or pure traffic flood-type of attack, he says. Application attacks are potentially far more dangerous and are a sign of a more focused attacker and a serious campaign.

According to the NSFOCUS report, the top three DDoS attack methods during the first six months of the year were HTTP flood, TCP flood, and DNS flood. Together, they comprised 84.6% of all attacks. DNS flood attacks remained the most popular attack technique, accounting for 42% of all attacks. TCP flood attacks grew substantially, however, while the number of DNS and HTTP flood attacks decreased.

More than 90% of the attacks detected by NSFOCUS lasted less than 30 minutes. DDoS traffic volume increased overall during the period, with a third of attacks peaking at 500 Mbit/s and more than 5% reaching volumes of 4 Gbit/s. In addition, the report found that more than 50% of DDoS attacks exceeded 0.2 million packets per second (Mpps), and more than 2% of DDoS attacks were launched at a rate of more than 3.2 Mpps.

While shorter attacks are the norm, there are longer attacks as well. The single longest attack lasted nine days and 11 hours, while the single largest attack in terms of packets per second hit a volume of 23 million pps. Almost 43% of victims were attacked more than once, and one in every 40 victims was hit more than 10 times.

"Insufficient network and security architecture to ensure availability is [a] priority," says Holden. "Many times, perceived security solutions can only add to the possibility of availability failure. We also see victims of DDoS attacks struggle with understanding when to use on-premise vs. cloud-based mitigation services. This is going to be unique to each network. It requires an understanding of what is normal traffic, how much abnormal traffic can be tolerated, and how much time internal security personnel can spend working on an incident."

The keys to defending against any DDoS attack are the speed with which enterprises can identify and detect the attack and how fast they can begin mitigation of the attack, Han says.

"That is to say, it's always better to have a DDoS attack mitigation and incident response plan," he says. "Pre-planning and testing are critical to map out and refine processes and responsibilities. The quicker the attack can be identified and defenses can come to bear, the better off enterprises are in a DDoS attack -- accurate and fast detection is the first layer of defense."
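Holden's point that a response plan needs a notion of normal traffic, a tolerance for abnormal traffic and a rule for when to go from on-premise to cloud mitigation, and Han's point that fast detection is the first layer of defense, can be sketched as a small burst detector. This is an added example, not code from the article or from NSFOCUS, Arbor or Akamai; the per-second sample format, the tolerance multiplier and the 1 Gbit/s on-premise scrubbing capacity are assumptions, and the traffic is constructed to mirror the volumes the report cites.

```python
# Added example, not code from the article or from NSFOCUS/Arbor/Akamai.
# Assumes per-second samples (t, mbit_s, kpps), a baseline from a quiet window,
# a tolerance multiplier, and an assumed on-premise scrubbing capacity above
# which the playbook escalates to cloud-based mitigation.
from statistics import median

def baseline(samples):
    """Median Mbit/s and kpps over a known-quiet window (robust to odd seconds)."""
    return median(s[1] for s in samples), median(s[2] for s in samples)

def detect(samples, base, tolerance=5.0, onprem_capacity_mbps=1000.0):
    """Group consecutive seconds where bit rate or packet rate exceeds
    tolerance x baseline into incidents: (start, end, peak_mbps, peak_kpps, tier)."""
    base_mbps, base_kpps = base
    incidents, cur = [], None
    for t, mbps, kpps in samples:
        hot = mbps > tolerance * base_mbps or kpps > tolerance * base_kpps
        if hot:
            if cur is None:
                cur = [t, t, mbps, kpps]
            else:
                cur[1], cur[2], cur[3] = t, max(cur[2], mbps), max(cur[3], kpps)
        elif cur is not None:
            incidents.append(cur); cur = None
    if cur is not None:
        incidents.append(cur)
    # Tier: on-premise scrubbing if the peak fits the assumed capacity, else cloud.
    return [(s, e, pm, pk, "cloud" if pm > onprem_capacity_mbps else "on-prem")
            for s, e, pm, pk in incidents]

# Constructed traffic: 60 s of ~50 Mbit/s / ~20 kpps, then a 20 s burst at
# 500 Mbit/s / 200 kpps, a quiet gap, and a 10 s burst at 4 Gbit/s / 3200 kpps.
QUIET = [(t, 50.0 + t % 3, 20.0 + t % 2) for t in range(60)]
TRAFFIC = (QUIET
           + [(t, 500.0, 200.0) for t in range(60, 80)]
           + [(t, 50.0, 20.0) for t in range(80, 100)]
           + [(t, 4000.0, 3200.0) for t in range(100, 110)]
           + [(110, 50.0, 20.0)])

def run():
    """Return the incidents found in TRAFFIC with the baseline learned from QUIET."""
    return detect(TRAFFIC, baseline(QUIET))

if __name__ == "__main__":
    for start, end, peak_mbps, peak_kpps, tier in run():
        print(f"{start}-{end}s ({end - start + 1}s) peak {peak_mbps:.0f} Mbit/s "
              f"{peak_kpps:.0f} kpps -> {tier}")
```

Both constructed bursts are well under 30 minutes, the duration bracket the report says covers more than 90% of attacks, which is why the detector works per second rather than per minute.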

Beegle advised organizations to identify who will communicate information back to the lines of business during a DDoS attack, so that IT does not get deluged with calls from line-of-business users and others asking what is occurring.

"As you create your playbook, don't forget to identify who the application owners are within each line of business," she says. "Then, build an internal talk track so they can ask the right questions during mitigation. Talk to them to get an understanding of the types of questions and issues they would potentially have during a DDoS event."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

9/24/2014 | 1:35:14 PM
Preventative tools to protect against future attacks
It's no secret that DDoS is still such a hot topic when it comes to protecting critical services, no matter which industry you are in. Sadly, these attacks are more focused on sites that provide streaming content as outlined in the article, and so when they happen, they can cause significant chaos. Many ISPs offer DDoS protection as a service, which is a great option for organizations who need a bit of help being proactive to mitigate these attacks when they happen.