Gary Newe, systems engineer, F5 Networks, recommends taking 10 decisive actions when you come under DDoS attack
The frequency and size of Distributed Denial of Service (DDoS) attacks is ever-growing and continues to be a priority issue for many businesses. With the ongoing work to shut-down or neutralise botnets, a cyber-arms race has started with hactivists and other cyber criminals constantly searching for new ways in which to amplify attacks. As a result, DDoS attacks are increasingly common.
As the lines between the professional and social use of technology continue to blur, it is vital that we start to really recognise the significance of these attacks, how likely they are and how damaging they can be.
Scary and stressful
For the first-time DDoS victim, these attacks can be scary and stressful ordeals. That’s not surprising; poor network performance and website downtime can be massively costly for businesses, both in lost sales and consumer trust. It’s not all bad news though, as there are some steps that can be taken to mitigate the impact. Here, Gary Newe, systems engineer at F5 Networks , give his recommendations on action to take, should you experience an attack:
1. Verify that there is an attack – Rule out common causes of an outage, such as DNS misconfiguration, upstream routing issues and human error.
2. Contact your team leads – Gather the operations and applications team leads need to verify which areas are being attacked and to officially confirm the attack. Make sure everyone agrees on which areas are affected.
3. Triage your applications – Make triage decisions to keep your high-value apps alive. When you’re under an intense DDoS attack and you have limited resources, focus on protecting revenue generators.
4. Protect remote users – Keep your business running: Whitelist the IP addresses of trusted remote users that require access and mainlist this list. Populate the list throughout the network and with service providers as needed.
5. Classify the attack – What type of attach is it: Volumetric? Slow and low? Your service provider will tell you if the attack is solely volumetric and may already have taken remediation steps.
6. Evaluate source address mitigation options – For advanced attack vectors your service provider can’t mitigate/ determine the number of sources. Block small lists of attacking IP addresses at your firewall. Block larger attacks with geolocation.
7. Mitigate application layer attacks – Identify the malicious traffic and whether it’s generated by a known attack tool. Specific application-layer attacks can be mitigated on a case-by-case basis with distinct countermeasures, which may be provided by your existing solutions.
8. Leverage your security perimeter – Still experiencing issues? You could be confronting an asymmetric layer 7 DDoS flood. Focus on your application-level defences: login walls, human detection, or Real Browser Enforcement.
9. Constrain Resources – If previous steps fail, simply constraining resources, like rate and connection limit is a last resort – it can turn away both good and bad traffic. Instead, you may want to disable or blackhole an application.
10. Manage public relations – If the attack becomes public, prepare a statement and notify internal staff. If industry policies allow it, be forthright and admit you’re being attacked. If not, cite technical challenges and advise staff to direct all inquiries to the PR manager.
It’s an unfortunate fact that the DDoS threat has never been greater and is likely to continue to grow. As ever, the best protection is to be prepared for whatever will get thrown at you and DDoS mitigation should be part of your preparation. It’s important to consider if your network is up to scratch to cope with unexpected loads and if it has the intelligence to identify legitimate traffic during peaks, before an attack hits.