How to mitigate damage from a distributed denial of service (DDoS) attack

Today’s Internet is a dangerous place for network providers and their web customers, as distributed denial of service (DDoS) attacks continue to increase in size and intensity. However, it’s not all doom and gloom. Businesses can take a strong, proactive defence against today’s sophisticated cyber criminals with a well-rehearsed DDoS mitigation plan, or 'playbook'.

When a DDoS attacker renders a VoIP system, website or entire network inaccessible to users, another hidden enemy may be within your own IT organisation, and its name is ‘panic’. The start of DDoS mitigation can be critically delayed by an hour or more as IT scrambles to marshal the right people and resources with the expertise to fight the attack. Loss of precious mitigation time can lead to loss of precious revenue as well - an estimated US$220,000 per hour during a Layer 7 attack according to Forrester Research.

We recommend developing a DDoS mitigation playbook, a collection of best practices that ensures not just IT, but everyone across the organisation, knows exactly what to do in case of a DDoS attack. In simple terms, this proactive plan means knowing who to call first, what internal and external technologies and resources to activate and what actions other stakeholders in the organisation should take - all with the goal of mitigating the attack quickly and successfully. Most of all, having this well rehearsed playbook in place eliminates organisation-wide panic in favour of a confident and controlled DDoS defence, because everyone’s roles are clearly defined up front.

Planning and practice make perfect

Just like a championship sports team, DDoS mitigation teams, in any IT organisation, should draw upon the expertise of their ‘coach’ or DDoS mitigation service provider to develop a playbook based on proven defensive moves. We recommend the following best practices for a proactive DDoS mitigation strategy:

• Keep everyone informed - Both IT and non-technical departments alike should be clear on what their roles are during a DDoS attack. Having a single point of contact for relaying information is essential to squelch panic and help everyone in the organisation understand what is going on. Short, confidential Twitter-like updates delivered at regular intervals are ideal for keeping everyone constantly informed.

• Find contact information fast - A simple list of names and phone numbers in your smartphone or web address book can make the difference between an entire network disabled by a DDoS attack and just a minimal disruption to service. Once you’ve identified your DDoS mitigation triage team, organise that information for fast, easy communication with key team members.

• Run the playbook - Next comes practice of those moves to ensure that they work smoothly within the organisation’s business environment. Working with the DDoS mitigation service provider, IT creates a simulated attack or 'dry run' with no changes made to the network. As a result, you will be able to see how long it takes to actually put the mitigation plan into action, as well as identify any weak areas of the plan. Any modifications to the playbook can be made at this time. Depending on the size and complexity of the organisation, this type of dress rehearsal exercise can be completed in a little over an hour.

• Know who to call first - One of the main benefits of DDoS attack simulation exercise is that IT will know the right people to call as soon as the attack is identified. Everyone on this triage team will have clearly defined roles in the mitigation process and will be able to make the required network changes, immediately, to thwart the attack. In addition to avoiding mitigation delays, IT can maintain business continuity, even when some resources are temporarily unavailable.

DDoS readiness in the real world

Because Prolexic is on the front lines of DDoS mitigation, every day, we have seen, firsthand, the value of having a mitigation playbook, as well as the adverse effects of not having one. For example, the website of a global web hosting provider was hit by a massive DDoS attack and expensive DDoS mitigation hardware could not stop it. Customer complaints flooded the call centre and online forums. Worst of all, the hosting provider’s ISP refused to bring their servers back up until a reliable DDoS mitigation solution was put into place. This hosting company did not have a mitigation playbook, so its IT staff wasted three critical - and expensive - days of downtime trying to work out who to call and what actions to take.

On the other hand, a financial services company recently suffered a large and complex DDoS attack. However, this company had developed a proactive DDoS mitigation playbook with us, which it had incorporated into its enterprise incident response plan. As a result, IT management was able to take immediate defensive action, which included communicating with various stakeholder groups and marshalling the resources of its DDoS mitigation services provider. Because everyone was on the same page, based on the rehearsed playbook, both the company and mitigation services provider worked together, seamlessly, to keep its services up and running. There was no disruption of service despite the website being targeted by a long Layer 7 (application layer) attack campaign.

Be prepared

In light of increased DDoS activity in the fourth quarter of 2011 and the early months of 2012, this well-known adage is important business advice for communication networks and any organisation, in any industry, that has a web presence. Over the past two years, financial services firms have increasingly become highly publicised targets of DDoS attackers and ‘hacktivist’ groups such as Anonymous. Our own internal security engineering and response team reported a significant 25% increase in the total number of attacks in Q1 2012, compared to the same quarter last year.

DDoS attacks are not only becoming more frequent, but also more destructive. We have seen attack signatures of Layer 7 attacks become more complex and, consequently, more dangerous to even the most well-protected networks. In addition, new stealth hacking tools are emerging, such as High Orbit Ion Cannon (HOIC), which can target hundreds of URLs simultaneously. HOIC also includes support for booster files, which are customisable scripts that randomise attack signatures and make attacks more difficult to distinguish from legitimate traffic.

In our experience, being prepared with a proven mitigation playbook, which should include knowing how to use your DDoS mitigation services provider to the best advantage, is the best defence against these increasingly malicious DDoS threats. One caveat - don’t wait until your organisation is hit with a DDoS attack to talk to your DDoS mitigation provider about developing a playbook. Even if you haven’t been attacked yet, the unfortunate reality is that every organisation with a web presence is vulnerable.

In the end, good communication and organisation are paramount to banishing the organisational panic that can delay DDoS mitigation. When IT - as well as everyone throughout the organisation - goes through a playbook simulation, they will understand exactly how a DDoS attack can affect their business and they will know exactly what to do to minimise the damage. So when an actual attack occurs, they will react with confidence, control and calm. As a result, the DDoS mitigation process can be activated more quickly for faster mitigation and less risk of costly downtime.

Neal brings 14 years of experience in networking, Internet backbone design and managed services to Prolexic. Prior to joining Prolexic in 2008, he launched his own consulting firm serving businesses and public sector teams in the UK and US and before that he served as network architect for Globix Corporation. Neal has a Bachelor of Arts Degree in Physics from Johns Hopkins University and is a Cisco Certified Internetwork Expert.