12 steps that can help agencies fight DDOS attacks
- By Shawn McCarthy
- Apr 29, 2013
Second of two parts.
Distributed denial of service attacks are on the rise, and although they often are classified as more of an annoyance than a serious threat, they nevertheless can push agency websites offline and force administrators to handle the threat. And DDOS attacks can cause real trouble when used, for example, in conjunction with emergencies, so they are something agencies need to be prepared for.
Dealing with DDOS attacks is different than dealing with other security issues. An agency can have the tightest security available but still be vulnerable to DDOS because the attack basically blocks all data traffic. Other ways must be found to deal with the threats and to mitigate potential daily risks.
Most organizations can’t easily stop a DDOS confrontation. But they can work to overcome its effects. Here are some ideas.
1. Ask Internet service providers to establish service limits related to the amount of bandwidth one customer can use. Some will balk at this, but it’s a way to notice if a compromised machine is suddenly generating more network traffic than it usually does. This may require a broad coordinated effort that sets industry best practices.
2. Making ISPs more responsible is an admirable goal, but it is very much an uphill battle. It may be time to set real rules about monitoring, with the understanding that an ISP may be unplugged from its neighbor networks if it doesn’t properly police itself. This obviously has international complications, so the discussion needs to proceed carefully.
3. Business-critical systems should be designed to incorporate redundancy and system resiliency. This can include having secondary resources that are a mirror of the main resource but are hidden and contain a different IP address.
4. Consider a certificate revocation list (CRL) to track which certificates have been revoked. Anyone presenting such a certificate is no longer trusted. An alternative is the Online Certificate Status Protocol (OCSP) used for determining the revocation status of an X.509 digital certificate. The very necessity of consulting these services as part of a connection process can be exploited for some types of DOS attacks against a public-key infrastructure. Many technical discussions are under way to address whether browsers should be changed to deal with this issue. Public-sector agencies should track these discussions to get ideas for best practices.
5. Investigate installing an Intrusion Detection System (IDS) or possibly an Intrusion Prevention System (IPS), which also includes blocking technologies. These products have been around for years, but new flavors continue to emerge to deal with network threats. In many cases they simply capture general packets in promiscuous mode and report on discovered anomalies. An IPS can be used to deny or shuffle traffic based on what is discovered. While it still can be a challenge to deal with the sudden and extreme spike in packet traffic, these solutions can help keep a great deal of traffic from entering specific parts of the network.
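Items 1 and 5 both come down to the same check: notice when one host's traffic jumps far above its own recent average, which is what a compromised machine joining a flood looks like from inside the network. The script below is an added example, not code from the article or from any IDS product. It assumes a constructed flow log in the format "minute source_ip bytes" (one line per flow record), and it is the kind of per-host baseline comparison an IDS or a netflow collector would run; the sample data, the format and the thresholds are all constructed here.

```shell
#!/bin/sh
# Added example: flag internal hosts whose outbound bytes in the most recent
# minute are far above their own average for the earlier minutes.
# Assumed (constructed) input format, one record per line:
#   <minute> <src_ip> <bytes>

SPIKE_FACTOR=${SPIKE_FACTOR:-5}    # flag when current > factor * baseline
MIN_BYTES=${MIN_BYTES:-1000000}    # ignore spikes below 1 MB/min (idle hosts)

# Constructed sample: 10.0.0.5 normally sends ~50 KB/min, then 40 MB in
# minute 4; 10.0.0.9 is a busy but steady host and must not be flagged.
SAMPLE_FLOWS='1 10.0.0.5 50000
1 10.0.0.9 2000000
2 10.0.0.5 48000
2 10.0.0.9 2100000
3 10.0.0.5 52000
3 10.0.0.9 1900000
4 10.0.0.5 40000000
4 10.0.0.9 2050000'

# detect_spikes: read flow records on stdin; print "src_ip baseline current"
# for each host whose latest-minute bytes exceed SPIKE_FACTOR x its baseline
# and the absolute MIN_BYTES floor. A host with no history (baseline 0) is
# flagged only by the floor, so a new host sending 1 MB+ still shows up.
detect_spikes() {
    awk -v factor="$SPIKE_FACTOR" -v minbytes="$MIN_BYTES" '
    BEGIN { last = 0 }
    NF < 3 { next }                          # skip malformed records
    {
        minute = $1; ip = $2; bytes = $3
        total[minute, ip] += bytes           # bytes per (minute, host)
        if (minute > last) last = minute     # most recent minute seen
        ips[ip] = 1
        if (!(minute in seen)) { seen[minute] = 1; nmin++ }
    }
    END {
        for (ip in ips) {
            cur = total[last, ip] + 0
            sum = 0
            for (m in seen) if (m != last) sum += total[m, ip]
            base = (nmin > 1) ? sum / (nmin - 1) : 0   # mean of earlier minutes
            if (cur >= minbytes && cur > factor * base)
                printf "%s %.0f %.0f\n", ip, base, cur
        }
    }' | sort
}

# Usage: run the detector over the constructed sample.
printf '%s\n' "$SAMPLE_FLOWS" | detect_spikes
```

On the sample data this prints one line, `10.0.0.5 50000 40000000`, and stays silent for the steady host. Comparing each host against its own baseline rather than a single global threshold is what keeps a legitimately busy server from generating alerts while a normally quiet workstation that starts flooding is caught within a minute.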
6. Be aware that business continuity cannot rely on just one type of network (land line, wireless, Internet). Continuity tactics must include plans to communicate using all three.
7. Conduct drills that take digital communication totally off line. Develop a back-up communication plan. Identify other available channels and ensure that participants know how to immediately fall back to these other channels.
8. Short, low-bandwidth messages have a better chance of getting through than real-time connections. Investigate whether fallback plans can include short stand-alone messages capable of controlling specific government or technical functions. (Examples: Traffic lights responding to off or on messages, or control messages directing a hydroelectric plant to retain or release water.)
9. E-mail and text messaging are basic fallback communication modes. They are low bandwidth (as long as no additional files are attached) and most are designed to stay in queue. This means the messages are auto-delivered when a channel becomes available.
10. Blackholing is a temporary fix at best. For this response, all traffic, including legitimate business traffic, is sent into a null route. It takes the resource totally offline (which is bad news) but prevents high-volume pass-through traffic and automatic responses that can affect other resources. It’s best avoided, but it’s sometimes a necessity.
11. Have a secret shared message board that is only known to employees. This can become an online meeting point when other channels are not available.
12. Set firewalls and other filtering appliances to filter packets related to improper ports and protocols.
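Items 10 and 12 describe two concrete router and firewall actions: null-routing the attacked address and dropping traffic on ports and protocols the resource does not serve. The script below is an added example, not from the article, showing what those look like as Linux iproute2 and iptables commands. It prints the commands by default and only executes them when APPLY=1 is set, because applying them needs root and, for the blackhole, takes the covered address completely offline, legitimate traffic included, exactly as the article warns. The prefix guard, the function names and the port list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: null route (item 10) and default-deny port/protocol
# filter (item 12) as Linux commands. Dry-run unless APPLY=1.

APPLY=${APPLY:-0}

# run: execute the command when APPLY=1, otherwise just print it.
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# blackhole_prefix: null-route one IPv4 address or prefix on this router.
# Refuses anything shorter than /24 so a typo cannot blackhole the whole
# Internet (0.0.0.0/0) or a large block containing the agency's own upstream.
blackhole_prefix() {
    prefix=$1
    case "$prefix" in
        */*) len=${prefix##*/} ;;
        *)   prefix="$prefix/32"; len=32 ;;
    esac
    if [ "$len" -lt 24 ]; then
        echo "refusing to blackhole $prefix: prefix shorter than /24" >&2
        return 1
    fi
    run ip route add blackhole "$prefix"
}

# restore_prefix: remove the null route once the flood subsides; the
# blackhole is a temporary measure and needs an explicit rollback.
restore_prefix() {
    run ip route del blackhole "$1"
}

# default_deny_filter: drop everything inbound except loopback, replies to
# connections this host opened, new TCP connections to the listed service
# ports, and rate-limited ICMP echo. Anything on an unserved port or
# protocol never reaches the application.
default_deny_filter() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        run iptables -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
}

# Usage (dry run): constructed address 203.0.113.10 stands in for the
# attacked resource; a public web server serves only 80 and 443.
blackhole_prefix 203.0.113.10
restore_prefix 203.0.113.10/32
default_deny_filter 80 443
```

Run without APPLY=1 it prints the seven commands it would issue, which is also a convenient way to review them before a change window. The filter's default-deny policy is the point of item 12: rather than enumerating bad ports, it names the handful of services the resource actually provides and lets the kernel discard the rest before it consumes application resources.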
As stand-alone measures, none of the points above will protect an agency from a DDOS attack during an emergency situation. But in total, they can help reduce the risk, raise awareness and promote discussions on what an agency’s fallback position should be. The larger issue is pushing the responsibility upstream to regional ISPs. That’s a huge topic, but it’s one that needs to be addressed.