Which parts of the corporate network can become a bottleneck or weak link in a DDoS attack? A survey by Radware of 135 people with information security expertise--including IT managers as well as CIOs and CISOs--found that the bottlenecks they'd experienced included the server under attack (for 30%), their Internet pipe (27%), a firewall (24%), an intrusion prevention or detection system (8%), a SQL server (5%), or a load balancer (4%). For example, Sergey Shekyan, a Web application vulnerability scanner developer at Qualys, reported that he was able to DDoS a Squid proxy server using the free slowhttptest tool with slow read DDoS attack support. That's because while the server was theoretically able to handle 60,000 concurrent connections per minute, it had been misconfigured to only allow 1,024 open file descriptors at a time.
5. Watch what's happening on the network.
If prevention--including securing infrastructure and making sure it can reasonably scale to handle sharp increases in packet traffic--is the first step, the second is actively monitoring the network. "If the enterprise doesn't have visibility into their network traffic so they can exert control over the traffic, then they have a problem," said Dobbins.
6. Look beyond large attacks.
Historically, the most popular type of DDoS attack--and the one most used by Anonymous--has been a packet flood. The concept is simple: direct so many packets at a website that its servers buckle under the pressure. But not all effective DDoS attacks unload untold numbers of packets. Notably, a study by Radware of 40 DDoS attacks from 2011 found that only 9% involved more than 10 Gbps of bandwidth, while 76% involved less than 1 Gbps.
7. Beware application-layer attacks.
Attacks that eschew packet quantity for taking out a switch or application can unfortunately be quite difficult to detect. According to Radware's report, "it is much easier to detect and block a network flood attack--which is about sending a large volume of irrelevant traffic such as UDP floods, SYN floods, and TCP floods, typically spoofed--rather than an application flood attack where the attackers are using real IP addresses from real machines and running complete application transactions."
8. Watch for blended attacks.
Detection can get even trickier when attackers start targeting more than one application at a time, perhaps together with a packet flood. "Attackers are often likely to combine both packet flooding attacks with application-layer DDoS, to increase their odds of success," according to the Radware report. "The majority of organizations, which are targeted by sub-1-Gbps attacks, are targeted with a mix of network and application flood attacks."
9. Make upstream friends.
Large attacks can overwhelm even the largest enterprise network. "Work very closely with [your] Internet service provider--or for multinationals, providers--to successfully deal with these attacks," said Arbor's Dobbins. Build relationships and lines of communication in advance. "At 4 a.m., if there is a DDoS attack, it's not the time you want to be scrambling around trying to reconfigure your infrastructure, and finding who call at your ISP," he said.
10. Consider countermeasures.
While the legality of certain types of attack countermeasures is an open question, Radware said that network gear may be able to automatically mitigate suspected DDoS attacks. For example, it can silently drop questionable packets, or send a TCP reply to the attacker that advertises "window size equals 0," which says that for the time being, no new data can be received. "Legitimate clients generally respect this and will suspend their communication for the time being," according to Radware's report. "It seems that some attackers also honor this message and suspend the attack until a new, larger window size is advertised, which of course the site being attacked has no intention of doing."
It's no longer a matter of if you get hacked, but when. In this special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, Dark Reading takes a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)