It’s always the same: Government cybersecurity experts learn of pending distributed denial of service attacks, especially around the anniversary of Sept. 11, and issue warning after warning after warning, as though security is something we can do on a “per-warning” basis.
I really don’t understand this way of approaching security or why government agencies believe such warnings are helpful. I’m not saying we shouldn’t be warned — not at all. What I’m saying is that we shouldn’t wait for a warning before we do something about security.
On Aug. 5, for instance, the FBI and the Financial Services and Information Sharing and Analysis Center issued a warning that the same groups behind the unsuccessful Operations USA and Operation Israel attacks in May were planning a new DDoS attack. Their recommendations leave me perplexed. For instance, they suggest:
— Implement backup and recovery plans. Really? We’re supposed to wait for a warning on a 9/11 DDoS threat to know that we need to do this? We’re in serious trouble if that’s the case.
— Scan and monitor emails for malware. Again, really? This is a recommendation? Is there truly anyone out there who still doesn’t do this? And, if there is, they deserve whatever happens to their network, I say.
— Outline DDoS mitigation strategies. Finally, something a bit more relevant. I know for a fact that most companies aren’t putting much thought into DDoS defense strategy. Unfortunately, if you’re hosting a server with public access, you’ve no choice but to consider this with the utmost seriousness. Just how seriously, you ask? Well, that all depends on how much of your company’s livelihood hinges on that server.
It’s an undeniable fact of our Internet life that these things will keep happening. No matter if it’s 9/11 or OpUSA or a private single hacker from Russia or China. They’ll continue to happen, and we all understand the need to be prepared.
DDoS preparedness is accomplished as a strategy. It involves hardware, large bandwidth, ISP collaboration, remote redundancy and other possible strategies for defense and elusion. This isn’t anti-malware. You can’t create a signature or heuristic against DDoS. This is sheer brute force in that you win if you’re stronger, or if you’re the more elusive, so they can’t really get you.
And that’s precisely why you need a strategy, and you need to plan it now. You can also purchase hardware — but make it part of a strategy. Don’t expect it to be the one and only thing you need to do to fend off a DDoS attack.