DDoS Attacks: Have a Plan

What Is a DDoS Attack?

Imagine a two-lane road that can handle ten cars per minute. If there are more than ten cars on the road, traffic slows down. If there are many more than ten cars on the road, traffic stops altogether and causes a traffic jam. A distributed denial-of-service (DDoS) attack is like a traffic jam.

A server, like the road in our example, can accommodate a certain amount of traffic. When that limit is reached, the server begins to run slower; when it is exceeded, the server will eventually crash and will no longer be able to process requests. System administrators plan for peaks in web traffic so that their server can handle all the requests that come to it.

How Do DDoS Attacks Work?

In a DDoS attack, the attacker sends traffic to the target from many computers or systems at once, which is why it is called a “distributed” denial-of-service attack. These groups of connected computers are called botnets.

Take our example from earlier. If you were driving on a road and you encountered a traffic jam, a police officer could help detour the traffic, and you would arrive at your destination. The police officer is able to easily address the issue because there is only one traffic jam.

But what happens if there are multiple traffic jams on every road you take? This is what attackers do in a DDoS attack. They use a botnet to distribute the attack across multiple sources, each with its own IP address. This is more difficult to mitigate because there is no single source address to block. DDoS attacks are simple in concept, but they are a huge threat to enterprise businesses and a headache for system administrators.

DDoS attacks have become a bigger problem in recent years because attackers are getting better at sneaking past IT defenses. They are also increasing in number. In 2014, 41% of organizations were hit by a DDoS attack, and 78% of those attacked were targeted two or more times in that same year.

Preparing for a DDoS Attack

DDoS attacks are difficult to mitigate, but there are ways to prepare for them to minimize the damage.

  1. Contact your ISP. Ask them what they can do for you in case of an attack. Also, establish what role they will play during an attack and include that in your response plan. Your ISP may be able to block IP addresses at their level to better protect against attacks.
  2. Test your equipment. Do you know how well your equipment will actually do if you’re attacked? Don’t guess. Test it and find out for sure. If necessary, do a penetration test, and address any vulnerability you find.
  3. Know and understand what your traffic profile looks like normally. If you see spikes in your traffic, and the IP addresses or IP ranges are different from what you normally see, you can block them.
  4. Create a response plan. Having a response plan in place will help minimize the damage of a DDoS attack. Here are a few items to consider when making a plan:
  • Delegate responsibilities. Make sure everyone knows what to do in the event of an attack. This will help so that no time is wasted in fixing the problem.
  • Keep contact details ready for your ISP, law enforcement, and your firewall, systems, and network teams.
  • Determine what customers to give priority to in case an attack happens. Talk to your ISP and arrange that a certain percentage of bandwidth will be reserved for certain IP addresses or IP ranges so your critical customers never go down (don’t forget to include your own corporate office).
  • Purchase specialized equipment to mitigate a DDoS attack. This may be a good option if you have the funds available. However, this option can be very expensive.
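As an added example (not code from the original post), here is a small Python check for step 3 above: it counts requests per minute from constructed access-log lines and flags a minute whose rate jumps well above the assumed normal profile and mostly comes from source ranges you do not normally see, summarised by /24 so the range can be handed to your ISP or firewall team. The baseline networks, the normal rate, the thresholds and the log lines are all assumed sample values.

```python
import ipaddress
from collections import Counter, defaultdict
# Constructed access-log excerpt ("<timestamp> <client IP>"); not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:05 203.0.113.10
2024-05-01T10:00:48 198.51.100.7
2024-05-01T10:01:03 203.0.113.22
2024-05-01T10:01:55 198.51.100.9
2024-05-01T10:02:01 192.0.2.15
2024-05-01T10:02:02 192.0.2.16
2024-05-01T10:02:02 192.0.2.17
2024-05-01T10:02:03 192.0.2.18
2024-05-01T10:02:04 192.0.2.19
2024-05-01T10:02:05 192.0.2.20
2024-05-01T10:02:07 203.0.113.10
"""

# Assumed normal profile (in practice taken from your own traffic history): usual source networks and requests per minute.
BASELINE_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
NORMAL_PER_MINUTE = 2

def parse_log(text):
    """Return (minute, ip) pairs, truncating each timestamp to the minute."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, ip = line.split()
            events.append((stamp[:16], ipaddress.ip_address(ip)))
    return events

def in_baseline(ip):
    return any(ip in net for net in BASELINE_NETWORKS)

def find_anomalies(events, normal=NORMAL_PER_MINUTE, spike_factor=3, unknown_share=0.5):
    """Flag minutes whose request rate spikes AND mostly comes from unfamiliar ranges."""
    per_minute = defaultdict(list)
    for minute, ip in events:
        per_minute[minute].append(ip)
    alerts = []
    for minute in sorted(per_minute):
        ips = per_minute[minute]
        unknown = [ip for ip in ips if not in_baseline(ip)]
        share = len(unknown) / len(ips)
        if len(ips) >= spike_factor * normal and share >= unknown_share:
            # Summarise unfamiliar sources by /24 so a range can be blocked, not one host at a time.
            ranges = Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in unknown)
            alerts.append({"minute": minute, "requests": len(ips),
                           "unknown_share": round(share, 2), "ranges": dict(ranges)})
    return alerts
```

Running `find_anomalies(parse_log(SAMPLE_LOG))` reports only the 10:02 minute, with six of its seven requests coming from the unfamiliar 192.0.2.0/24 range.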

No matter what form of DDoS mitigation you choose, make sure you have a plan and stick to it. A strong plan will help you and your entire team know what to do when your business becomes the target of a DDoS attack.
