DDoS Security Policy Template to Prevent Massive Attacks

October 29, 2014 by Dan Virgillito

It sounds like the 90s sci-fi horror thriller, "Tremors".

Unfortunately, today it could just as easily be a headline from the recent spate of distributed denial-of-service (DDoS) attacks targeting private, educational, government and corporate networks and computer systems.

According to Symantec's recent whitepaper, titled 'The Continued Rise of DDoS Attacks', 60 percent of companies were targeted by a DDoS attack last year, and 87 percent were hit more than once.

And a survey by Neustar found that 91 percent of companies see DDoS attacks as the same or a bigger threat in 2014 than in the previous year. Businesses can see that the problem is not going away any time soon.

DDoS large-scale attack trends

Innovation in the DDoS marketplace has given rise to threats that do more damage at lower cost and with fewer resources. The following attack types have caused damage to organizations on a massive scale:

DNS (Domain Name System) amplification attacks: This is one of the most popular methods, and it abuses open recursive resolvers on the Internet. The attacker sends small DNS queries whose source IP address is spoofed to be the victim's address, so each resolver sends its much larger response to the victim rather than to the machine that actually issued the query. It is called amplification because a query of a few dozen bytes can elicit a response of several thousand bytes, so an attacker with a normal Internet connection, or a modest botnet, can deluge the victim with many times the bandwidth the attacker actually has. The 2013 attack on Spamhaus showed what the consequences of such attacks can be.

NTP (Network Time Protocol) reflection attacks: NTP is the protocol PCs and servers use to synchronize their clocks. Earlier this year attackers sent spoofed requests carrying the victim's address as source to NTP servers that still answered the monlist command (a diagnostic query that returns up to 600 addresses that recently talked to the server), and those servers sent a flood of large replies back at the victim's sites. This particular technique was used to take down servers for popular online gaming services, including League of Legends and EA.com.
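From the victim's side, both of these attacks have the same signature: large UDP replies from port 53 or 123 arriving from many servers that nobody inside the network ever queried. The script below is an added example, not code from the original article, that applies that asymmetry check to flow records. The flow tuples, the 203.0.113.0/24 "internal" range, the port list and the thresholds are all constructed for illustration.

```python
"""Detect DNS/NTP reflection floods from flow records (added example; constructed data)."""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("203.0.113.0/24")   # assumed: the company's own address space
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}            # UDP services commonly abused as reflectors

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, byte_count).
SAMPLE_FLOWS = [
    # Normal behaviour: a workstation queries a resolver and gets a modest answer back.
    ("203.0.113.20", 51000, "198.51.100.53", 53, "udp", 72),
    ("198.51.100.53", 53, "203.0.113.20", 51000, "udp", 210),
    # Reflection flood: open resolvers and NTP servers answer the victim, which never
    # queried them; the attacker spoofed the victim's address in the requests.
    ("192.0.2.11", 53, "203.0.113.10", 40001, "udp", 3100),
    ("192.0.2.12", 53, "203.0.113.10", 40001, "udp", 3100),
    ("192.0.2.13", 53, "203.0.113.10", 40001, "udp", 3100),
    ("192.0.2.14", 53, "203.0.113.10", 40001, "udp", 3100),
    ("192.0.2.21", 123, "203.0.113.10", 40002, "udp", 482),
    ("192.0.2.22", 123, "203.0.113.10", 40002, "udp", 482),
    ("192.0.2.23", 123, "203.0.113.10", 40002, "udp", 482),
    # Unrelated TCP traffic that the check must ignore.
    ("198.51.100.7", 443, "203.0.113.20", 52000, "tcp", 1500),
]


def find_reflection_victims(flows, internal=INTERNAL, min_reflectors=3, min_ratio=10.0):
    """Return {victim_ip: {service: stats}} for internal hosts that receive far more
    reflector reply bytes than they sent request bytes, from several distinct reflectors."""
    reply_bytes = defaultdict(lambda: defaultdict(int))    # [host][service] -> bytes received
    request_bytes = defaultdict(lambda: defaultdict(int))  # [host][service] -> bytes sent
    reflectors = defaultdict(lambda: defaultdict(set))     # [host][service] -> replying IPs
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport in REFLECTOR_PORTS and ipaddress.ip_address(dst) in internal:
            service = REFLECTOR_PORTS[sport]
            reply_bytes[dst][service] += nbytes
            reflectors[dst][service].add(src)
        elif dport in REFLECTOR_PORTS and ipaddress.ip_address(src) in internal:
            request_bytes[src][REFLECTOR_PORTS[dport]] += nbytes

    alerts = {}
    for host, per_service in reply_bytes.items():
        for service, received in per_service.items():
            sent = request_bytes[host][service]
            distinct = len(reflectors[host][service])
            ratio = received / max(sent, 1)
            # A legitimate client talks to one or two resolvers and receives a little more
            # than it sent; a reflection victim receives many times more from many servers.
            if distinct >= min_reflectors and ratio >= min_ratio:
                alerts.setdefault(host, {})[service] = {
                    "reply_bytes": received,
                    "request_bytes": sent,
                    "reflectors": distinct,
                    "amplification": round(ratio, 1),
                }
    return alerts


if __name__ == "__main__":
    for victim, services in find_reflection_victims(SAMPLE_FLOWS).items():
        for service, stats in services.items():
            print(f"{victim}: {service} reflection flood, {stats}")
```

In practice the input would be NetFlow or sFlow exports from the border router rather than a hard-coded list. The same bookkeeping, with the direction inverted (replies leaving your network from port 53 or 123 towards a single external address), tells you whether one of your own resolvers or time servers is being abused as a reflector against somebody else.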

SYN flood attacks: This attack exploits a design weakness in the TCP three-way handshake rather than a bug. A client's SYN is answered by a SYN-ACK from the host, and the connection is then confirmed by an ACK from the client. In a SYN flood, large numbers of SYNs are sent from spoofed IP addresses; the host allocates a half-open connection entry for each one and retransmits SYN-ACKs to addresses that never reply, so the listen backlog fills until no new connections can be made, resulting in denial of service. The Tsunami SYN flood, a variant whose SYN packets carry roughly 1,000 bytes of payload so that it consumes bandwidth as well as connection state, has been hitting data centers recently.
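The standard counter to holding state for spoofed SYNs is SYN cookies: the server encodes the connection parameters into the sequence number of its SYN-ACK and keeps nothing until a valid ACK comes back. The block below is an added example, not code from the article, of that idea in Python, using a keyed hash of the four-tuple and a coarse time counter packed into a 32-bit ISN in Bernstein's layout (5 bits of time, 3 bits of MSS index, 24 bits of hash). The secret, the MSS table, the address values and the 64-second window are illustrative assumptions.

```python
"""SYN cookies: a stateless reply to SYN floods (added example; illustrative values)."""
import hashlib
import hmac
import socket
import struct
import time

SECRET = b"per-host secret, rotated out of band"   # assumed; a real kernel uses random keys
MSS_TABLE = (536, 1300, 1440, 1460)                  # MSS values the 3-bit index can encode
COOKIE_WINDOWS = 2                                   # accept the current and previous 64-s window


def _time_counter(now):
    """Coarse clock: one tick per 64 seconds, reduced to the 5 bits stored in the cookie."""
    return (int(time.time() if now is None else now) >> 6) & 0x1F


def _hash24(saddr, sport, daddr, dport, counter):
    """24-bit keyed hash over the four-tuple and the time counter."""
    msg = struct.pack("!4s4sHHB", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, peer_mss, now=None):
    """Compute the ISN for the SYN-ACK. Nothing is stored: the cookie *is* the state."""
    counter = _time_counter(now)
    mss_index = max((i for i, m in enumerate(MSS_TABLE) if m <= peer_mss), default=0)
    return (counter << 27) | (mss_index << 24) | _hash24(saddr, sport, daddr, dport, counter)


def check_syn_cookie(saddr, sport, daddr, dport, ack, now=None):
    """Validate the third-step ACK (ack == ISN + 1). Return the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, mss_index = cookie >> 27, (cookie >> 24) & 0x7
    if (_time_counter(now) - counter) % 32 >= COOKIE_WINDOWS:
        return None                      # SYN-ACK too old, or no SYN-ACK was ever sent
    if mss_index >= len(MSS_TABLE):
        return None
    expected = _hash24(saddr, sport, daddr, dport, counter).to_bytes(3, "big")
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                      # forged ACK, or ACK for a different four-tuple
    return MSS_TABLE[mss_index]


if __name__ == "__main__":
    client, server = ("198.51.100.5", 40000), ("203.0.113.10", 80)
    now = time.time()
    # Spoofed SYNs each get a SYN-ACK computed from the cookie and are then forgotten:
    # no half-open table entry exists for any of them.
    for i in range(1000):
        make_syn_cookie(f"192.0.2.{i % 250 + 1}", 1024 + i, *server, 1460, now)
    # A real client completes the handshake; its ACK carries ISN + 1 and validates.
    isn = make_syn_cookie(*client, *server, 1460, now)
    print("legitimate ACK ->", check_syn_cookie(*client, *server, isn + 1, now))
    print("random ACK     ->", check_syn_cookie(*client, *server, 0x12345678, now))
    print("stale ACK      ->", check_syn_cookie(*client, *server, isn + 1, now + 3 * 64))
```

On Linux the equivalent is `net.ipv4.tcp_syncookies=1` (the kernel switches to cookies once the backlog, `net.ipv4.tcp_max_syn_backlog`, is full), with `net.ipv4.tcp_synack_retries` lowered so that genuinely half-open entries expire sooner. The cost of cookies is that TCP options beyond the MSS are lost for connections set up that way, which is why kernels only use them under pressure.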

Application-layer attacks: Unlike volumetric attacks, which aim to saturate the victim's network bandwidth, application-layer (layer 7) attacks target the resources of the application itself, such as web server worker threads, database connections or expensive search and login handlers, with requests that look legitimate, consuming or denying those resources until the service is offline. They need far less bandwidth than a network flood. A sophisticated application-layer attack may target different areas of a website, and can be difficult to mitigate, as it mimics human behavior in its interaction with the user interface.
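Because each request is individually valid, the signal is in per-client request rates against the expensive endpoints rather than in packet counts or bandwidth. The script below is an added example, not code from the article, that slides a ten-second window over access-log lines per client IP and flags anyone making more than a set number of requests to the expensive paths. The log lines, the endpoint list and the thresholds are constructed for illustration and would be derived from a baseline of the site's normal traffic.

```python
"""Spot HTTP floods against expensive endpoints in access logs (added example; constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by Apache and nginx (assumed; adjust to your log format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

EXPENSIVE_PATHS = ("/search", "/login", "/api/report")  # assumed: handlers that hit the database
WINDOW_SECONDS = 10                                      # assumed sliding-window length
MAX_EXPENSIVE_PER_WINDOW = 20                            # assumed; derive from a traffic baseline


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_http_flooders(lines):
    """Return {client_ip: peak_requests} for clients whose request count to expensive paths
    within any WINDOW_SECONDS-long window exceeds MAX_EXPENSIVE_PER_WINDOW."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].startswith(EXPENSIVE_PATHS):
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1                       # slide the window's left edge forward
            peak = max(peak, end - start + 1)
        if peak > MAX_EXPENSIVE_PER_WINDOW:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed access-log lines, not a real capture."""
    def line(ip, sec, path, ua):
        return (f'{ip} - - [29/Oct/2014:09:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
                f'200 4096 "-" "{ua}"')
    bot_ua = "Mozilla/5.0 (compatible; flood/1.0)"
    browser_ua = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/33.0"
    lines = []
    # A normal visitor: a few searches over ten seconds plus static assets.
    lines += [line("198.51.100.5", s, p, browser_ua) for s, p in
              [(0, "/index.html"), (0, "/static/app.js"), (1, "/search?q=ddos"),
               (4, "/search?q=policy"), (9, "/search?q=ntp"), (9, "/static/logo.png")]]
    # A bot: five searches every second for twelve seconds, each one a valid HTTP request.
    lines += [line("192.0.2.99", s, f"/search?q=term{s}{i}", bot_ua)
              for s in range(12) for i in range(5)]
    return lines


if __name__ == "__main__":
    for ip, peak in find_http_flooders(build_sample_log()).items():
        print(f"{ip}: {peak} expensive requests within {WINDOW_SECONDS}s")
```

Per-IP counting is the first cut only: a botnet spreads the same load over thousands of addresses, each staying under the threshold, so the next step is to key on what the attacker cannot cheaply vary (session cookie presence, request sequencing through the site, or a challenge that a browser answers and a flood script does not).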

Security policy template to prevent massive attacks

This security policy template covers the measures required to prevent and mitigate DDoS attacks on company servers, network infrastructure and data centers. In most companies the IT department is responsible for the technical controls, but employees also play a significant role.

The IT department should…

Proactively monitor network traffic around the clock, and request daily traffic logs and graphs for its servers from the hosting provider. During an attack, the IT team should request logs and graphs for the attack traffic so the company can go to its provider with the addresses involved. Bear in mind that the source addresses in SYN floods and UDP floods are usually spoofed, so they identify neither the attacker nor, in a reflection attack, anything more than the abused reflectors, and cannot be used as evidence of who is behind the attack.

Overprovision bandwidth: It is a good idea to have more bandwidth available than services normally need, to accommodate unexpected surges in traffic, whether from a press release or a DDoS attack. Overprovisioning will not stop a DDoS attack, but it gives an organization more time to act before resources are overwhelmed.

Defend the company's network perimeter by taking the following technical measures:

  • Time out half-open connections quickly (or enable SYN cookies so that no state is held for them)
  • Set the UDP, SYN and ICMP flood drop thresholds lower
  • Drop malformed packets, such as TCP segments with impossible flag combinations
  • Add filters to the router to drop packets from identified attack sources
  • Rate-limit new connections at the router so the web server cannot be flooded
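The items in this list map onto three per-packet checks that a router or host firewall performs: discard segments whose TCP flags make no sense, rate-limit each source per traffic class (SYN, UDP, ICMP) with a token bucket, and promote sources that keep exceeding the limit to an explicit drop filter. The block below is an added example, not code from the article, of that logic run over a constructed packet trace; the thresholds, the block trigger and the addresses are assumptions and would be tuned from a baseline of normal traffic.

```python
"""Perimeter packet filtering: malformed-flag drops, per-source rate limits, filter candidates
(added example; constructed trace and assumed thresholds)."""
from collections import defaultdict

# Packets per second allowed per source and traffic class (assumed; tune from a baseline).
THRESHOLDS = {"syn": 20.0, "udp": 200.0, "icmp": 10.0}
BURST_SECONDS = 1.0          # bucket depth, expressed in seconds' worth of the allowed rate
BLOCK_AFTER_DROPS = 50       # sources with this many dropped packets become filter candidates


def is_malformed(pkt):
    """TCP flag combinations that never occur in a legitimate handshake or data transfer."""
    if pkt["proto"] != "tcp":
        return False
    flags = set(pkt.get("flags", ()))
    if not flags:                                   # "null" segment: no flags at all
        return True
    return {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags


def classify(pkt):
    """Map a packet to the rate-limited class it belongs to, or None if it is not limited."""
    if pkt["proto"] == "tcp":
        flags = set(pkt.get("flags", ()))
        return "syn" if "SYN" in flags and "ACK" not in flags else None
    return pkt["proto"] if pkt["proto"] in THRESHOLDS else None


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s up to `burst`; one token per packet."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, ts):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_trace(packets):
    """Apply the checks in order; return (accepted, dropped, blocklist_candidates)."""
    buckets, drops = {}, defaultdict(int)
    accepted, dropped = [], []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if is_malformed(pkt):
            dropped.append(pkt)
            drops[pkt["src"]] += 1
            continue
        cls = classify(pkt)
        if cls is None:                             # established TCP data etc. is not limited
            accepted.append(pkt)
            continue
        bucket = buckets.setdefault(
            (pkt["src"], cls), TokenBucket(THRESHOLDS[cls], THRESHOLDS[cls] * BURST_SECONDS))
        if bucket.allow(pkt["ts"]):
            accepted.append(pkt)
        else:
            dropped.append(pkt)
            drops[pkt["src"]] += 1
    blocklist = sorted(src for src, n in drops.items() if n >= BLOCK_AFTER_DROPS)
    return accepted, dropped, blocklist


def build_sample_trace():
    """Constructed packet trace (not a real capture)."""
    def pkt(ts, src, proto, flags=(), dport=80):
        return {"ts": ts, "src": src, "proto": proto, "flags": flags, "dport": dport}
    trace = []
    # Legitimate client: a handful of new connections spread over several seconds.
    trace += [pkt(float(s), "198.51.100.5", "tcp", ("SYN",)) for s in range(5)]
    # Flood source: 100 SYNs and 30 ICMP echo requests arriving in the same instant.
    trace += [pkt(2.0, "192.0.2.66", "tcp", ("SYN",)) for _ in range(100)]
    trace += [pkt(2.0, "192.0.2.66", "icmp") for _ in range(30)]
    # Scanner sending SYN+FIN segments, which no real TCP stack emits.
    trace += [pkt(3.0, "192.0.2.77", "tcp", ("SYN", "FIN")) for _ in range(3)]
    return trace


if __name__ == "__main__":
    accepted, dropped, blocklist = filter_trace(build_sample_trace())
    print(f"accepted={len(accepted)} dropped={len(dropped)} filter candidates={blocklist}")
```

On a Linux perimeter host the same rules are expressed with the iptables `limit`/`hashlimit` matches or nftables `limit rate`, and the blocklist becomes an `ipset` or router ACL. Per-source limits only help against sources that are not spoofed; for spoofed SYN floods the SYN-cookie mechanism, not the rate limit, is what keeps the server up, and ICMP limits should leave enough room for path-MTU discovery to keep working.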

Discover application-layer limits: Find out how many connections the database and application servers can hold under attack, so the team knows which resource will be exhausted first. The IT team should also look for opportunities to cluster web servers and DNS, so that load can be spread across several machines and traffic aimed at a targeted site can be redirected elsewhere. There is also the option of deploying on-premise devices that inspect incoming traffic and drop attack traffic once it has been identified.

Partner with the ISP: One option for preventing or mitigating DDoS attacks is to partner with the company's ISP, since the flood has to cross the ISP's network to reach the company. The ISP may be able to shun specific IP addresses, which reduces the impact of the attack, or to apply black hole filtering, a technique that discards undesirable traffic before it reaches the protected network. Note that black-holing the attacked address completes the denial of service for that one address; it protects the rest of the network and the ISP's links rather than restoring the targeted service.

The employees should:

Use stronger passwords: Professional cyber criminals use password scanners and other techniques to find unpatched software or weak passwords, gain access to servers and workstations, and enlist them as sources of malicious traffic. Employees should use strong, unique passwords and change them regularly in order to minimize the chances of unauthorized access.

Avoid using unsecured WiFi access points: Rogue WiFi access points can be set up near a company's office by attackers to take advantage of employees who connect to them. Employees should strictly avoid connecting to unsecured WiFi access points near the company office and in remote locations.

Recognize abnormalities: A successful DDoS defense strategy hinges on the speed with which the affected organization can respond and implement mitigation measures. It is therefore important for employees to take responsibility: staff should be trained to monitor server and network activity and recognize the abnormalities that might indicate a DDoS attack. Response plans should include procedures that make it easy for staff to reach the IT department at all hours.

Challenges and risks of non-compliance

Given the increasing sophistication and dynamic nature of DDoS attacks, organizations and their IT departments should keep expanding the scope of their security measures to address the evolving threat. This is costly, but failing to address DDoS could do greater damage in the form of brand reputation loss, loss of customer trust, fines from regulators (the member agencies of the FFIEC, the Federal Financial Institutions Examination Council, which has set out DDoS risk-mitigation expectations for financial institutions) and corporate penalties.

The challenge of implementing DDoS security is often bigger than for other security measures because, given the heavy reliance on interconnectivity and shared infrastructure, a single weak point can affect a company's entire network and all of its servers.

Because hackers can perpetrate DDoS attacks through several different networks acting in concert, they can circumvent measures taken to limit the requests coming from a small number of identified machines. Implementing an adequate DDoS security template should therefore involve consideration of structural defenses in addition to the responsibilities of the IT department and the staff.

All this implies that DDoS mitigation is not just about finding a pattern and putting mechanisms in place to block and filter malicious traffic. Mitigation also requires challenge-response options (such as cookies or CAPTCHA-style checks) that let a company tell legitimate clients apart from automated attack traffic, and it requires that every security strategy include a definitive central communication plan.

Conclusion

The landscape of DDoS-based cyber crime is expected to see continued growth. With organizations becoming more dependent on online activity, protecting infrastructure (offsite and onsite) with an appropriate security policy template will remain a high priority.

Enterprises will have to follow the template in conjunction with a chain of command that allows seamless communication when attack signals appear, and brief every member of the organization on the details beforehand. They will also need to work with their Internet service providers and cloud service providers, if any, to mitigate massive attacks that can disrupt even the largest corporate networks.

Remember, attackers only need to find a single weakness or flaw in order to inflict a lot of damage. If your organization does not have a DDoS security template in place, then you should at least know what is required if you suspect your business is, or could be, under attack. It is prudent to consider the measures to take before the need arises. Every organization conducting operations over the Internet has to include a response strategy in order to minimize the damage of a service outage.

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.