Introduction
Since the early days of the internet, DDoS has been a favorite weapon of cyber-criminals. Recently there was news about the biggest DDoS attack in history, targeted at Spamhaus, an anti-spam group. The attack reportedly peaked at 300 Gb/s (gigabits per second), far beyond anything seen earlier. Modern DDoS attacks are getting so large that even big organizations struggle to handle them effectively.
What is DDoS?
DoS or Denial of Service is an attempt to make a machine or network resource unavailable to its intended users. When such a DoS is carried out by a large number of attack sources, it is called DDoS or Distributed Denial of Service.
Basic types are:
· Consumption of computational resources
· Disruption of configuration information
· Disruption of state information
· Disruption of the physical network
· Disruption of the communication media between the victim and its intended users.
How can I prevent DDoS?
While it would be incorrect to say that DDoS attacks can be prevented, their impact can be mitigated and even thwarted if your IT infrastructure is sufficiently hardened, distributed and secured. We have listed some preventive steps below:
· Use rate-limiting in firewalls, routers, load balancers and other network perimeter devices.
· Enable TCP SYN cookie protection.
· Test your applications and deployment architecture for DoS vulnerabilities and fix them.
· Conduct regular configuration audits of your perimeter devices.
· Use updated software/firmware.
· Use updated anti-virus and regularly check your systems for malware and bots. (This way you are less likely to contribute to a DDoS on others.)
· Use multiple ISPs or hosting providers for redundancy.
· Maintain a backup site for a quick switch-over.
· Install or configure network monitoring systems which can alert you as soon as a DDoS hits.
· Check with your ISPs or hosting providers how they handle DDoS, and be aware of the financial implications in case you are hit with a massive DDoS.
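The first bullet, rate-limiting, is easiest to understand from a working implementation. The following is an added example written for this post, not code from the original article or from any firewall or load-balancer vendor: a per-source token bucket in Python, replayed against constructed traffic (RFC 5737 documentation addresses, a capacity of 10 requests and a refill rate of 5 requests per second are all assumptions chosen for the demonstration). A legitimate client sending two requests per second is never throttled, while a source that fires 50 requests at once gets only its burst allowance through and is then held to the refill rate.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-source token bucket. Each source may burst up to `capacity` requests,
    then is held to `refill_rate` requests per second; a request that finds an
    empty bucket is rejected rather than queued, so one flooding source cannot
    monopolise the service for everyone else."""

    def __init__(self, capacity, refill_rate, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self.clock = clock          # injectable so behaviour can be replayed deterministically
        self._tokens = {}           # source -> tokens left in its bucket
        self._last = {}             # source -> time of the last refill

    def allow(self, source):
        """Return True if `source` may send one more request right now."""
        now = self.clock()
        tokens = self._tokens.get(source, self.capacity)
        elapsed = now - self._last.get(source, now)
        tokens = min(self.capacity, tokens + elapsed * self.refill_rate)
        self._last[source] = now
        if tokens >= 1.0:
            self._tokens[source] = tokens - 1.0
            return True
        self._tokens[source] = tokens
        return False


class FakeClock:
    """Manually advanced clock so the simulation below is reproducible."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t


def simulate(events, capacity=10, refill_rate=5.0):
    """Replay (time, source) events through the limiter; return per-source counts."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity, refill_rate, clock=clock.now)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for t, source in sorted(events, key=lambda e: e[0]):
        clock.t = t
        stats[source]["allowed" if limiter.allow(source) else "dropped"] += 1
    return {source: dict(counts) for source, counts in stats.items()}


def constructed_traffic():
    """Constructed sample (RFC 5737 documentation addresses): a legitimate client
    sending one request every 0.5 s for 10 s, and a flooding source sending
    50 requests at once and 20 more two seconds later."""
    events = [(i * 0.5, "192.0.2.10") for i in range(20)]
    events += [(0.0, "198.51.100.7")] * 50
    events += [(2.0, "198.51.100.7")] * 20
    return events


if __name__ == "__main__":
    for source, counts in simulate(constructed_traffic()).items():
        print(f"{source:15} allowed={counts['allowed']:3} dropped={counts['dropped']:3}")
```

With these parameters the legitimate client gets all 20 requests through and the flooding source gets 20 of its 70 (the initial burst of 10, then 10 more once the bucket has refilled). A limiter like this protects the application tier; a volumetric flood that saturates the uplink has to be limited further upstream, at the perimeter devices or the provider, which is why the other bullets in this list matter as much as this one.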
Help, I am under DDoS!!! What should I do?
Dealing with a DDoS attack that is underway is incredibly difficult. The first step should be to try to understand the type and source of the attack, since knowing the attack type greatly helps in dealing with it effectively. Some of the things that you may consider are:
· Blackholing and sinkholing.
· Enable rate-limiting in firewalls, routers, load balancers and other network perimeter devices.
· Obtain a new IP address or range from your ISP or hosting provider if the attacker is targeting a specific IP address or range. If you have multiple ISPs, try switching your primary ISP.
· Switch to a service like Akamai, Cloudflare or Incapsula, which have known expertise in handling DDoS.
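Both the monitoring bullet in the prevention list (alert as soon as a DDoS hits) and the first step above (understand the type and source of the attack) come down to the same triage over whatever logs you have. The following is an added example written for this post, not code from the original article: it parses web-server access log lines in Common Log Format, measures the request rate, and reports whether the traffic is concentrated on one address, on one /24 prefix, or spread across many sources, which is the information that decides whether blackholing a range at the perimeter is realistic or whether the traffic has to be absorbed upstream. The log lines are constructed inline using RFC 5737 documentation addresses, and the baseline rate, the alert multiplier and the 50% / 80% share thresholds are assumptions for the demonstration, not values from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format; only the fields the triage needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a parsable log line, or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def prefix24(ip):
    """Aggregate an IPv4 address to its /24, the granularity a perimeter ACL usually works at."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def triage(lines, baseline_rps=1.0, alert_multiplier=10.0):
    """Summarise request rate and source concentration; alert when the rate
    exceeds baseline_rps * alert_multiplier (assumed thresholds)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    if not records:
        return {"alert": False, "profile": "none", "records": 0}
    times = [r["ts"] for r in records]
    duration = max((max(times) - min(times)).total_seconds(), 1.0)
    rps = len(records) / duration
    total = len(records)
    by_ip = Counter(r["ip"] for r in records)
    by_prefix = Counter(prefix24(r["ip"]) for r in records)
    top_ip, top_ip_count = by_ip.most_common(1)[0]
    top_prefix, top_prefix_count = by_prefix.most_common(1)[0]
    if top_ip_count / total >= 0.5:
        profile = "single-source"        # one address: a candidate for a narrow block
    elif top_prefix_count / total >= 0.8:
        profile = "single-prefix"        # one /24: a candidate for a range-level block
    else:
        profile = "distributed"          # many sources: needs upstream/provider help
    return {
        "records": total,
        "duration_s": duration,
        "rps": round(rps, 2),
        "distinct_sources": len(by_ip),
        "top_ip": top_ip,
        "top_ip_share": round(top_ip_count / total, 3),
        "top_prefix": top_prefix,
        "top_prefix_share": round(top_prefix_count / total, 3),
        "alert": rps >= baseline_rps * alert_multiplier,
        "profile": profile,
    }


def constructed_log(with_flood=True):
    """Constructed sample: ten normal requests over ten seconds from five clients,
    plus an optional burst of 200 requests from twenty addresses in one /24."""
    def line(ip, sec, path="/"):
        return f'{ip} - - [10/Apr/2013:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'

    normal_ips = ["192.0.2.10", "198.51.100.23", "192.0.2.77", "198.51.100.5", "192.0.2.130"]
    lines = [line(normal_ips[i % len(normal_ips)], i, "/index.html") for i in range(10)]
    if with_flood:
        for host in range(1, 21):
            for sec in (5, 6):
                lines += [line(f"203.0.113.{host}", sec)] * 5
    return lines


if __name__ == "__main__":
    for label, flood in (("quiet", False), ("flood", True)):
        print(label, triage(constructed_log(with_flood=flood)))
```

On the constructed flood the report shows roughly 23 requests per second across 25 distinct sources, with no single address above 5% of the traffic but 203.0.113.0/24 carrying about 95% of it, so the profile is "single-prefix". The quiet sample stays below the alert threshold and is classified "distributed". In a real incident the same counters are what you would hand to your ISP or hosting provider when asking them to blackhole or filter upstream, and what you would recheck after the fact to confirm the traffic has actually stopped.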
What to do after the incident?
· Conduct a root cause analysis and ensure that no malicious activity other than the DDoS took place on your servers.
· If blackholing or sinkholing was done, revert it.
· If any of the preventive measures listed above are missing, consider implementing them to be better prepared.