What DDoS prevention measures should you take?
According to recent reports, cyber threats, including DDoS attacks, are on the rise: data from Bitdefender’s Mid-Year Threat Landscape Report 2020 shows a 715% increase in cyber attacks.
These attacks take many forms:
- DoS (Denial of Service) and DDoS (Distributed Denial of Service)
- Destruction of Physical Equipment
- Personal attacks such as Identity and Asset Theft
- Spoofing, where the attacker passes themselves off as a legitimate user
- Phishing attacks to capture data for use in all the above
In this first blog in the Cyber Attack series, we will cover DDoS and what preventative steps your organisation may need to take.
The COVID pandemic, and the resulting increase in remote workers who depend on teleworking and remote access, has handed extortionists an opportunity: the organisation’s remote-access and communication infrastructure is now both business-critical and exposed to the Internet, which makes it an attractive target.
You may think it will never happen to you, but this is a global issue: if your ISP is the victim of an attack, the service it provides to you could disappear, affecting your business’s ability to function.
In May of this year, a US fuel pipeline operator paid millions in ransom to a criminal group named DarkSide. Although that particular incident was a ransomware attack (a topic we will cover in the next blog in the series), DarkSide also threatened its victims with DDoS.
So, what is a DDoS attack?
And what action can you as an organisation take towards a DDoS attack prevention plan?
A Distributed Denial of Service attack is a subclass of denial of service (DoS) attack. Its aim is to take the target offline; extortion, where the attacker demands a ransom to stop (or not start) the attack, is one common motive for it.
A DDoS attack overwhelms and disrupts the normal traffic of a targeted IP address, server or network by flooding the infrastructure with bogus traffic from many sources at once.
DDoS attacks are carried out from networks of computers and other Internet-connected devices that have been infected with malware.
You will likely not even be aware that your device, or devices on your network, are infected.
Each infected computer or mobile device is an unwitting ‘bot’ (or ‘zombie’). A group of bots under one attacker’s control is referred to as a botnet.
Once the attacker has assembled a botnet of hundreds or thousands of bots, they instruct all of them to send requests to the victim’s IP address at the same time, overloading the server or network and causing a denial of service: a traffic jam, if you will.
DDoS attack prevention
Although you can’t stop someone from launching a DDoS attack against you, there are preventive measures you can take.
The first is to be mindful of the early warning signs of an attack, such as:
- Your site or service is slow or unresponsive
- There are suspicious spikes in traffic from unusual IP addresses or networks
- A single IP address makes x number of requests over y number of seconds
- The server responds with HTTP 503 Service Unavailable
Monitoring for and recognising these warning signs can help you prepare for an attack:
- An HTTP 503 is a lagging indicator: by the time the server returns 503 Service Unavailable it is already saturated, so an alert on it only tells you the attack has succeeded. Alert on the leading indicators instead: requests per second from each source IP, the overall request rate, and the proportion of error responses such as 404s (an attack tool hammering random or non-existent URLs produces them in bulk). Establish a baseline for each metric from normal traffic, then raise a real-time alert when a metric exceeds a multiple of that baseline
- If a single source IP or network is clearly responsible, you can blackhole (null-route) its traffic at your edge, or ask your ISP to do so upstream, before it saturates your link. Be aware of the limits: a genuinely distributed attack has no single source to block, source addresses in volumetric attacks are often spoofed, and blackholing your own destination address (which ISPs sometimes do to protect their other customers) takes you offline, which is exactly what the attacker wanted
- Turn to social platforms such as Twitter: if there is a trend in attacks, you can be sure that conversations and warnings can be found there
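As an added example (this is not code from the original post), the Python script below turns the warning signs above into concrete checks: a sliding-window count of requests per source IP (the "x requests in y seconds" sign), the overall request rate and the 4xx/5xx error share compared with a baseline period, and a separate flag for 503s, which only confirm the server is already down. The access-log lines it runs over are constructed inline in the common Apache/nginx "combined" format; the IP addresses, the 10-second window, the 20-request limit and the 3x multipliers are illustrative assumptions that you would tune against your own baseline.

```python
"""Alert on the DDoS warning signs listed above using web server access logs.

Added example, not code from the original blog post. The log lines are
constructed below in the Apache/nginx "combined" format; every threshold
(window size, requests per IP, multipliers) is an illustrative assumption
that must be tuned against your own traffic baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=10)  # the "y seconds" of the warning sign above (assumed)
REQS_PER_IP = 20                # the "x requests" from one source within WINDOW (assumed)
RATE_MULT = 3.0                 # alert when overall request rate exceeds 3x baseline
ERROR_MULT = 3.0                # alert when the 4xx/5xx share exceeds 3x baseline ...
MIN_ERROR_RATE = 0.10           # ... and at least 10%, so a quiet baseline is not noisy

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "status": int(m["status"])}

def per_ip_bursts(events, window=WINDOW, limit=REQS_PER_IP):
    """Sliding-window request count per source IP; {ip: peak} for IPs over `limit`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            bursts[ip] = peak
    return bursts

def error_rate(events):
    """Fraction of responses with a 4xx or 5xx status."""
    return sum(e["status"] >= 400 for e in events) / len(events) if events else 0.0

def request_rate(events):
    """Requests per second over the span the events cover."""
    if not events:
        return 0.0
    stamps = [e["ts"] for e in events]
    return len(events) / ((max(stamps) - min(stamps)).total_seconds() + 1)

def analyse(baseline_lines, live_lines):
    """Compare live traffic with a baseline period and report which signals fire."""
    base = [e for e in map(parse_line, baseline_lines) if e]
    live = [e for e in map(parse_line, live_lines) if e]
    base_err, live_err = error_rate(base), error_rate(live)
    return {
        "bursts": per_ip_bursts(live),
        "baseline_error_rate": base_err,
        "live_error_rate": live_err,
        "error_rate_alert": live_err > max(ERROR_MULT * base_err, MIN_ERROR_RATE),
        "rate_alert": request_rate(live) > RATE_MULT * request_rate(base),
        # 503 means the server is already saturated: a lagging indicator, not a warning
        "already_down": any(e["status"] == 503 for e in live),
    }

# --- constructed sample logs, not real traffic ---------------------------------
def make_line(ip, ts, path, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'

T0 = datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
NORMAL_IPS = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
ATTACKER = "203.0.113.7"

# Baseline: 20 requests over a minute from four clients, including one harmless 404.
BASELINE_LOG = [make_line(NORMAL_IPS[i % 4], T0 + timedelta(seconds=3 * i),
                          "/missing.html" if i == 7 else "/index.html",
                          404 if i == 7 else 200) for i in range(20)]

# Live: the same clients, plus one source requesting random URLs at 5 req/s (all 404),
# after which the server starts answering 503.
T1 = T0 + timedelta(minutes=5)
LIVE_LOG = (
    [make_line(NORMAL_IPS[i % 4], T1 + timedelta(seconds=3 * i), "/index.html", 200)
     for i in range(10)]
    + [make_line(ATTACKER, T1 + timedelta(seconds=i // 5), f"/{i:04x}", 404)
       for i in range(40)]
    + [make_line(ATTACKER, T1 + timedelta(seconds=9 + i), "/index.html", 503)
       for i in range(5)]
)

if __name__ == "__main__":
    for signal, value in analyse(BASELINE_LOG, LIVE_LOG).items():
        print(f"{signal}: {value}")
```

Run against the constructed logs, the per-IP burst check and both baseline comparisons fire on the attacking source before the 503s appear; run against the baseline alone, nothing fires. In production you would feed the same functions from a log shipper or from your edge device’s flow records rather than from a file, and keep the baseline rolling so it tracks legitimate growth.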
The principle should be never to concede to any demands.
The fundamental reason these attacks continue is that people pay the ransom, which only funds the next attack. Refusing to concede to these criminals’ demands needs to be an industry-wide stance.
Instead, educate and prepare yourselves. Report all incidents to the National Cyber Security Centre (NCSC) and to the police via Action Fraud. They take these crimes seriously and are equipped to investigate.
Keep a log of all communications from the attackers as evidence.
Finally, keep your customers and partners well-informed with an Incident Report and Service Update.
Early detection is the most effective way to mitigate an impending attack. Although there is no ‘one size fits all’ preventive measure, there are DDoS mitigation services available, typically upstream scrubbing provided by your ISP or a specialist provider, should you be willing to invest.
Even without them, being aware, keeping up log analysis and monitoring the warning signs will help you detect an attack early the next time one comes.
Check-in next week when we discuss Ransomware as the next in this Cyber Attack Blog Series.