The end of 2016 ushered in a new era of large scale DDoS attacks. Last fall, we saw the launch of Mirai which has become the prototype for numerous attacks that have affected sites like Twitter, Netflix, Reddit, and CNN. One month later, Mirai-type DDoS attacks continued against several email providers and other targets – including Comcast.
While cyber-attacks can wreak havoc on a company, reflecting on the lessons learned from past disasters can help prevent future attacks and assist in patching existing vulnerabilities. These five best practices can assist you in enhancing your overall cyber security and help safeguard you against potential DDoS and other malicious attacks.
The Basics of a DDoS Attack
A distributed denial of service (DDoS) attack is class of cyber-attack that repeatedly strikes a server via a large group of connected devices. Sometimes DDoS can be unintentionally caused by a number of willing participants, such as people trying to purchase coveted items like concert tickets or Black Friday deals. However, DDoS attacks often consist of a malicious set of unwitting participants who've had their devices compromised by malware. This is known as a botnet. While the former is simply a growing pain that can be engineered away, the latter is a malicious attempt at industrial or state-sponsored sabotage that can be detrimental, or even fatal, to a business.
In a botnet-based DDoS attack, the network of malware infected devices (under the control of the attacker) will send simultaneous requests to a targeted server causing the resources to be overwhelmed. Any web-enabled device can be infected and added to a botnet including computers, smartphones, media players, and home appliances. While there are three types of DDoS attacks (volume-based, protocol-based, and application layer attacks) they all operate with (mostly) the same resource-draining tactics.
5-Step DDoS Protection Plan
While malicious actors are constantly looking for fresh targets to compromise, there are several steps you can take to limit your exposure to these offensives. Once an attack begins, it is too late to implement most of these tactics. However, these steps will lessen the damage an attack will cause.
1. Monitor Your Traffic
In order to understand if your site is being attacked, you need to be familiar with your typical traffic patterns. Spikes in web traffic can be part of the normal course of business. Advertising, promotions, and events can all lead to increased visitors to your site. Knowing when these events occur will give insight into the effects on your traffic. This will allow you to identify when unusual traffic is being sent to your server. DDoS attackers will usually launch small-scale incursions prior to their major offensive.
Regardless of their motives, attackers will generally target a time when they can do the most damage. Days that yield high amounts of traffic such as Thanksgiving or Christmas are ideal times for hackers to strike. Attackers can blend in with organic traffic to overload and subsequently crash your server. Having a strong understanding of your normal traffic can help you identify any unusual spikes as they are happening and alert your team to a potential attack.
Genesis Adaptive can assist you in setting up comprehensive Layer 1-7 application monitoring with added Adaptive Support or an ongoing consulting agreement for your cloud-based applications.
2. Over-Provision Network Resources
Providing your site with ample network capacity is another crucial component of your site's preparedness for potential DDoS attacks. Over-allotting bandwidth can provide your site with a small, but useful buffer in the event of an attack. Precious minutes can be gained by ensuring excess network capacity to accommodate for large traffic surges. We recommend that your network be able to accommodate 2-6 times your normal traffic.
However, no matter how well you provision your network, if your upstream providers do not have capacity, a DDoS attack can still have significant impact on your product or service. A good example of this can be seen in real world highway traffic. Even the most intricately designed system of on-ramps and traffic management will not prevent traffic jams if the primary highway is poorly built or over-capacity. Ensuring that your upstream providers also have the resources necessary to deal with large-scale DDoS attacks will ensure that your preventative measures aren't wasted in the event of a large-scale attack.
Genesis Adaptive' recent network upgrades provide approximately 40Tb/s of switching capacity. This not only ensures that core networking functionality during large surges of malicious traffic, but also ensures that other customer's issues do not translate into your problem.
3. Stay Vigilant
Years can pass with minimal security incidents for some network teams. This type of success can often breed complacency that causes companies to lapse in their security measures. This leaves them highly vulnerable to attacks. While it's easy for a team to get preoccupied with minor vulnerabilities, examining your strongest network components for weaknesses is pivotal. Failure analysis in your greatest areas of success might seem counterintuitive, however it's essential for strengthening your network and preparing for the possibility of an attack.
Genesis Adaptive has an extensive track record of mitigating network vulnerabilities and preparing companies for global exposure to IT threats. We offer multiple network diagnostic, failure analysis, and consulting options that will assist your organization in eliminating complacency and maintaining operational preparedness.
4. Leverage a Dedicated Server or Hybrid Cloud Server
Hosting your product or service on a dedicated server or hybrid cloud server is a crucial factor in protecting your product from DDoS attacks. Ensuring that your site is the only tenant on a server will allow you full access to all of the security settings and resources. Shared hosting, VPS, and semi-dedicated hosting customers have limited security options that are set by the host in order to protect the other tenants on the server. These limited security options combined with the inherent risk of sharing your server with another tenant, make your site more vulnerable to malicious traffic.
Recovering from a DDoS attack targeted at a shared server is far more involved and time consuming. Thus, the legal, technological, and reputation costs will be significantly higher for businesses that don't utilize dedicated or hybrid cloud hosting. Dedicated and hybrid cloud hosting can also be paired with 24/7 server management such as Adaptive Support which provides additional protection.
5. Install Updates as They're Available
Keeping your applications updated is a crucial component of cyber security that is often overlooked. DDoS attacks are often targeted at recently discovered security holes. Installing updates on open source platforms like WordPress, immediately after they're available, provides you with the most up to date, secure version available. Although updates are frequently ignored, opting for the most recent version allows for any previously exposed security holes to be patched and eliminated. Setting updates to automatically install will ensure you are always equipped with the most secure applications.
I'm Under Attack! Now What?
While you will not be able to completely mitigate all malicious server requests from a DDoS attack, the following are some steps you can take to help alleviate the strain that your servers will experience.
- Implement rate-limiting to and from your edge router. This will limit the damage each individual IP can do.
- If possible, utilize upstream routing protocols, such as BGP communities, to instruct your ISP(s) to block IP's before they get to your edge.
- Implement region blocking – find your largest legitimate customer bases by region, and block all other regions.
- Reduce time-out limits on open connections, both at the web server level and operating system level. Additionally, implement smart keepalive (such as NGINX) if your web server supports it.
- Deploy a proxy or a CDN to offload large, resource intensive parts of your site.
- Reduce drop thresholds on SYN, ICMP, and UDP requests within sysctl.conf, if utilizing Linux.
- Increase Max Clients (Apache) or equivalent, to handle the additional legitimate and illegitimate traffic your application or website will receive.
- Utilize a service such as CloudFlare, or another Layer 7 DoS mitigation provider. CloudFlare and other large DDoS mitigation services have the benefit of extensive experience and machine-learning at their disposal, allowing their networks to better detect malicious traffic.
These steps are time-critical. Most will require advanced preparation, as well as specific infrastructure to be in place. As such, it is advisable to have an individual responsible for constantly monitoring your server's performance and capable of recognizing the signs of an attack.
During the attack and concurrent to making these changes on your server, you should contact your hosting provider or upstream ISP's to make them aware of the situation. They will most likely already be aware of the attack, but they will be able to provide you with the next steps to take.
While the potential of a DDoS attack should be at the top of every network team's concerns, implementing these security measures will provide your website with the proper layers of protection and offer your team peace of mind.
It is imperative that your hosting provider has robust offerings and reliable support that can defend you in the event of an attack. Our certified IT professionals draw from a wide range of hosting, networking, and consulting experience. Our mission is to provide you with the best service and resources that will meet and exceed your needs. Learn more about our Managed Services, Adaptive Support, or request more information.