Distributed Denial of Service (DDoS) attacks have gained celebrity status during COVID-19. In the first quarter of 2020, DDoS attacks in the U.S. rose more than 278% compared to Q1 2019 and more than 542% compared to Q4 2019, according to Nexusguard’s 2020 Threat Report. This increase in attacks is correlated with the increased dependency on remote internet access and online services as many organizations’ workforces continue to work from home amid COVID-19 concerns. With the dependency on remote internet access comes an increased need for Internet Service Providers (ISPs) to monitor and mitigate irregular activity on their networks before it results in server outages or loss of critical resources, data, or money. But ISPs aren’t the only ones that need to be proactive as DDoS attacks continue to rise – their customers will face the same problems if proactive security measures are not in place.
Learning from others: Amazon Web Services (AWS) successfully thwarted the largest DDoS attack ever recorded on its infrastructure, internet infrastructure firms Akamai and Cloudflare fended off record-breaking DDoS attacks in June, and online gaming platforms are being targeted as attackers figure out how to further monetize DDoS attacks (see: GGPoker). These recent attacks underscore how similar vulnerabilities and weaknesses can easily propagate across many organizations, since there is a tendency to reuse the same technologies to support business functions, such as widespread use of open source code or network hardware. It is also common for simple misconfiguration issues to result in breaches with significant business impact.
It’s important to understand that there are two common forms of DDoS attacks:
- Application layer attacks, where attackers try to overload a server by sending an overwhelming number of requests that consume much of its processing power.
- Network layer attacks, where attackers try to saturate network bandwidth and deny service to legitimate network traffic.
The ultimate goal of both techniques is to overwhelm a particular business, service, web app, mobile app, etc. and keep them from being accessible to legitimate access requests from the intended users/customers. This is extremely challenging to manage since the attacks come from compromised machines or ‘bots’ in a very distributed fashion, which makes blocking those requests using simple filtering techniques unrealistic.
Many web application firewall vendors have DDoS mitigation solutions available for customers to buy, but that shouldn’t be the only step organizations rely on. Defense in depth, an approach to cyber security in which defensive tactics are layered so that backup measures exist in case another security control fails, is key for all security concepts. Here are five techniques organizations can layer on to stop DDoS attacks:
- Penetration Testing – Although it’s difficult to properly simulate full-scale DDoS attacks during a penetration test, it’s important to do regular third-party testing that simulates real-world attacks against your infrastructure and applications. A proactive penetration testing approach allows organizations to be prepared when they actually come under attack. Tip: Implement Penetration Testing as a Service (PTaaS) to enable continuous, always-on vulnerability testing.
- Vulnerability Management and Patching – Ensure that all your systems have been properly updated to the latest version and any relevant security and/or performance patches have been applied. A proper patching and vulnerability management process will ensure this is happening within a reasonable timeframe and within acceptable risk thresholds for the business.
- Incident Response Planning – Build a team whose focus is on responding quickly and with the appropriate response. This team needs to minimize the impact of the attack and trigger the processes that keep communications with customers and internal teams flowing effectively.
- Traffic Anomaly Monitoring – Make sure there’s proper monitoring taking place across all network traffic to set off alerts if any abnormal behavior is detected from suspicious sources, especially if they are from geographies that don’t make normal business sense.
- Threat Intelligence and Social Media – Keep an eye on threat intel feeds and social media for any relevant information that may help predict attacks before they happen, allowing organizations to plan accordingly.
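The traffic anomaly monitoring point above rests on two observations from this post: per-source filtering is unrealistic against a distributed botnet, and traffic from geographies that make no business sense is suspicious. The following added example (not code from the original article) shows both checks run over constructed sample records; the function names, thresholds and the expected-country set are assumptions.

```python
"""Aggregate-rate and geography checks for an application-layer flood.

Blocking per source is unrealistic against a distributed botnet (each bot
sends little), so the check compares the aggregate request rate in each
window with a quiet-period baseline, then reports whether the excess is
spread thinly across sources. Names and thresholds are hypothetical;
sample traffic is constructed, not captured."""
from collections import Counter

EXPECTED_COUNTRIES = {"US", "CA"}   # assumption: the service only serves these markets

def make_sample_events():
    """Constructed (epoch_seconds, source_ip, country_code) records: a quiet
    10-second window, then a 10-second flood from ~250 sources. XA/XB are
    ISO user-assigned codes standing in for unexpected geographies."""
    quiet = [(t, f"203.0.113.{i}", "US") for t in range(10) for i in (1, 2)]
    flood = [(10 + n % 10, f"198.51.100.{n % 250}", ("US", "XA", "XB")[n % 3])
             for n in range(400)]
    return quiet + flood

def bucket_by_window(events, window_s):
    """Group records into fixed windows keyed by window start time."""
    buckets = {}
    for ts, ip, cc in events:
        buckets.setdefault(ts - ts % window_s, []).append((ip, cc))
    return buckets

def detect_anomalies(events, baseline_rps, window_s=10, rate_factor=5.0,
                     top_source_share=0.05, foreign_share=0.10):
    """Return one alert dict per (window, check) that trips."""
    alerts = []
    for start, reqs in sorted(bucket_by_window(events, window_s).items()):
        rps = len(reqs) / window_s
        if rps > rate_factor * baseline_rps:
            _, top_n = Counter(ip for ip, _ in reqs).most_common(1)[0]
            alerts.append({"window": start, "check": "volume", "rps": rps,
                           # thin spread across sources: per-IP blocking will not help
                           "distributed": top_n / len(reqs) < top_source_share})
        foreign = sum(1 for _, cc in reqs if cc not in EXPECTED_COUNTRIES)
        share = foreign / len(reqs)
        if share > foreign_share:
            alerts.append({"window": start, "check": "geography",
                           "foreign_share": round(share, 3)})
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(make_sample_events(), baseline_rps=2.0):
        print(alert)
```

The quiet window produces no alert; the flood window trips both the volume check (flagged as distributed) and the geography check.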
DDoS is just one of many cyberattack methods that have increased due to COVID-19 remote working dependency. As networks continue to expand, we are opening new entry points for attackers to secure footholds and cause critical damage – pointing to the need for continuous evaluation of security strategies.
My overarching advice? Go beyond the baseline security measures, such as a firewall, and implement a proactive security strategy to identify and remediate vulnerabilities, monitor network activity, plan for breaches as they become increasingly inevitable, and connect with the security community to stay on top of the latest threat intel.