If your business hasn’t already faced a distributed denial-of-service (DDoS) attack, brace yourself: fake traffic is coming.
Your DevOps team and IT service desk need an action plan to handle these threats. This article will take you step-by-step through the process of identifying, stopping, and responding to DDoS attacks.
Before we discuss how to stop DDoS attacks, we need to examine their nature. No matter who launches a DDoS assault, the functional objective is the same: to take down a web service so that it denies access to legitimate end users.
Hackers launch DDoS attacks for sport. Competitors do it to hurt your business. Hacktivists use them to further a cause. Extortionists even use DDoS attacks to hold web services for ransom. Whether attackers bombard your network with traffic, target a protocol, or overload application resources, the mechanics of DDoS attacks change little.
Year after year, though, DDoS attacks have increased in size, complexity, and frequency, according to research Arbor Networks published in July 2016. The security firm recorded an average of 124,000 DDoS events per week over the prior 18 months. At 579 Gbps, the largest known attack of 2016 was 73 percent larger than the 2015 record holder. Mind you, 1 Gbps is enough to take down most networks.
In theory, the task at hand is simple: create a system that can absorb DDoS attacks. In practice, DDoS defense is difficult because you have to distinguish between legitimate and illegitimate sources of traffic — and cybersecurity budgets don’t grow on trees.
With these considerations in mind:
- Set Traffic Thresholds
You probably track how many users visit your site per day, per hour, and per minute. Thus, you understand your average traffic levels and, hopefully, you’ve recorded how special events (sales, big news releases, etc.) affect visits.
Based on these numbers, set thresholds that automatically flag abnormal traffic for your security team. If you expect 1,000 visitors per 10 minutes, an influx of 5,000 visitors over one minute should trigger your alert.
- Blacklist and Whitelist
Control who can access your network and APIs with whitelists and blacklists. However, do not automatically blacklist IP addresses that trigger alerts. You will see false positives, and overreacting is a sure way to infuriate good customers. Temporarily block traffic and see how it responds. Legitimate users usually try again after a few minutes. Illegitimate traffic tends to switch IP addresses.
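The threshold and temporary-block advice above, as an added example that is not part of the original article: a sliding-window counter that raises an alert when the article's 5,000-requests-per-minute figure is exceeded, and a per-address block that expires instead of a permanent blacklist. The per-IP limit, block duration, whitelist and all request timestamps are constructed values for illustration.

```python
# Added example (not from the original article): sliding-window traffic
# thresholds plus a temporary, expiring block rather than a permanent blacklist.
from collections import deque, defaultdict

WINDOW_SECONDS = 60        # evaluate traffic over the last minute
ALERT_THRESHOLD = 5000     # article's example: 5,000 visitors in one minute
PER_IP_LIMIT = 600         # assumed: one address sending 600 req/min is suspect
BLOCK_SECONDS = 300        # assumed: the block lifts after five minutes


class TrafficMonitor:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)      # never blocked, still counted as load
        self.window = deque()                # timestamps of all counted requests
        self.per_ip = defaultdict(deque)     # timestamps per source address
        self.blocked_until = {}              # ip -> time its temporary block lifts
        self.alerts = []                     # (timestamp, requests in window) pairs

    @staticmethod
    def _trim(queue, now):
        # Drop timestamps that have aged out of the sliding window.
        while queue and now - queue[0] >= WINDOW_SECONDS:
            queue.popleft()

    def observe(self, ts, ip):
        """Record one request; return 'allow', 'blocked' or 'alert'."""
        if ip not in self.whitelist:
            if self.blocked_until.get(ip, 0) > ts:
                return "blocked"             # still inside the temporary block
            hits = self.per_ip[ip]
            hits.append(ts)
            self._trim(hits, ts)
            if len(hits) > PER_IP_LIMIT:
                # Block temporarily; a real user will simply retry later.
                self.blocked_until[ip] = ts + BLOCK_SECONDS
                hits.clear()
                return "blocked"
        self.window.append(ts)
        self._trim(self.window, ts)
        if len(self.window) > ALERT_THRESHOLD:
            self.alerts.append((ts, len(self.window)))
            return "alert"                   # flag for the security team
        return "allow"


def simulate_burst(monitor, start, count, ips, spacing=0.01):
    """Feed `count` constructed requests, round-robin over `ips`, and tally decisions."""
    decisions = defaultdict(int)
    for i in range(count):
        decisions[monitor.observe(start + i * spacing, ips[i % len(ips)])] += 1
    return dict(decisions)
```

A burst from a handful of addresses is absorbed by the per-IP block before the global threshold trips, while a widely distributed burst stays under the per-IP limit and surfaces only as the global alert, which is why both checks are needed.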
The best defense against DDoS attacks is a content delivery network (CDN) like Prolexic (acquired by Akamai), Incapsula, Arbor Networks, or CloudFlare. They can identify illegitimate traffic and divert it to their cloud infrastructure.
The problem is that CDNs are not cheap. A typical plan costs five figures per month. Or, if you pay per incident, you might get a six-figure bill for one attack. If you run a bank, a massive ecommerce company, or a social platform that makes thousands of dollars per second, that’s a small price to pay.
Most companies either can’t afford a CDN or don’t have a platform that warrants such high security. If, for instance, your company has an informational website where no one makes transactions or uses services, you don’t need a CDN. You’re not a prime target. An application or network firewall might be enough to prevent abnormal traffic. If a DDoS attack takes you down, it won’t harm customers or your reputation.
The cheapest way to defend against DDoS attacks is to deploy more servers when you detect suspicious activity. That is the least reliable method but still better than nothing.
Remember, there is no end to the amount of money you can throw at security. Depending on your budget and risk tolerance, choose the right option for your service desk.
- Automate Communication with Customers
When a DDoS attack succeeds, you don’t want your service desk buried in emails, phone calls, social media posts, and instant messages. Create a status page that automatically displays whether your service is up or down. Also, create DDoS communications templates that you can auto-send to end users who contact you.
These templates should cover any interruption to service, not just DDoS attacks. Keep it vague with something like: “Thank you for contacting [your company name]. Our platform is currently down. We are working as quickly as possible to restore service. We will post updates on our status page [hyperlinked] as soon as we have more information”.
- Incident Report and Root Cause Analysis
After you suffer an attack, you need to reestablish credibility. Draft an incident report explaining what happened, why, and how you responded. Then, discuss how you will prevent future attacks. If you contracted a CDN, for instance, discuss how it works and how it will deter future attacks. Open the report with simple, non-technical language. You can add a technical section for CIOs, CTOs, and others who would appreciate the details.
- Practice for Attacks
Simulate DDoS attacks to gauge how your action plan works. You could give DevOps and the service desk warning or take them by surprise to make the simulation realistic.
Companies often run simulations in a planned maintenance window to spare end users further inconvenience. If you have a CDN, you can warn the provider, or not. Obviously, if you pay per incident, coordinate tests with the CDN provider.
Expect the Worst
DDoS attacks are inevitable. Although they range from acts of digital vandalism to full-blown cyberterrorism, all DDoS attacks follow the same principles. Your action plan should address all types of DDoS attacks, no matter who perpetrates them. Whatever you do though, do not sacrifice your end users to cybersecurity paranoia. Better to suffer an attack than throttle the business you sought to defend.