By Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks
Distributed Denial of Service (DDoS) attacks continue to evolve at an alarming rate, causing major concern for CIOs, CSOs and CEOs across South Africa.
Not only are they getting bigger (some orchestrated attacks are topping a mammoth 800 Gbps), but they are also getting more complicated: multi-vector attacks simultaneously target different areas of the victim’s infrastructure, and IoT devices such as cameras and DVRs are being weaponised into devastating zombie armies of botnets.
1. Spend time researching and understanding the threats
Find out which types of attacks are most common in your industry: What are the current trends? Who else has been affected by DDoS and what were the repercussions? What were the motives behind these attacks? Inside your organisation, what information and services are of most value and could be the targets of DDoS attacks?
2. Do the basics, brilliantly
Cyber-criminals will always look for soft targets. So, before we get into the sophisticated solutions for application-layer attacks, let’s first ensure that the basic principles of good network security are in place: secure all network devices and change any default passwords, and use SSH, SFTP and HTTPS rather than Telnet, FTP and HTTP. Address the threat of DNS reflection/amplification by disabling recursion on authoritative name servers and limiting recursion to authorised clients.
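The DNS point above can be verified rather than assumed. The script below is an added example, not part of the original article or of any Arbor product: it builds a recursive DNS query, decodes the response header flags (QR, RA, RCODE) and decides whether a server you operate still answers recursive queries for zones it is not authoritative for, which is what makes it usable for reflection/amplification. The two reply messages are constructed for illustration, and the `probe` helper (pointed at one of your own servers) is an assumption about how you would run the live check.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(name, txid=0x1234, rd=True):
    """Build a minimal A/IN query for `name`; RD asks the server to recurse."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(message):
    """Decode the 12-byte DNS header into the fields this check needs."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    return {
        "txid": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "answers": ancount,
    }


def recursion_exposed(response):
    """True when the server answered a recursive query for a zone it does not serve."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == RCODE_NOERROR and h["answers"] > 0


def probe(server_ip, name="example.com", timeout=2.0):
    """Send one recursive query to one of your own servers; return the raw reply or None."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return data if data[:2] == query[:2] else None  # transaction id must match


# Constructed replies (not captured traffic) to a recursive example.com query.
_QUESTION = build_query("example.com")[12:]
# Open resolver: QR|RD|RA set, RCODE NOERROR, one answer (only the header is decoded here).
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
# Hardened authoritative server: QR|RD set, RA clear, RCODE REFUSED, no answers.
HARDENED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, reply in (("open resolver", OPEN_RESOLVER_REPLY), ("hardened", HARDENED_REPLY)):
        print(label, parse_header(reply), "exposed:", recursion_exposed(reply))
```

A server that has recursion disabled typically answers with RA clear and RCODE REFUSED (or SERVFAIL), as the hardened reply shows; a reply with RA set, NOERROR and an answer record for a name you do not host is the signature of an open resolver. Run `probe` from outside your own network, since `allow-recursion` style restrictions are usually keyed on the source address.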
3. Choose a dedicated solution
Don’t rely on your existing cyber-security tools, which do not address the issue of network availability. From a technical standpoint, you need to protect your network resources 24/7 through a multi-layer deployment of purpose-built DDoS mitigation solutions. A cloud-based Intelligent DDoS Mitigation System helps to ensure you’re technically well prepared for the evolving nature of DDoS attacks.
4. Know your network
Setting triggers and alerts for suspicious activity is only possible if you have a deep understanding of the traffic absorbed by your network at different times of the day and different times of the month. Know which high-priority users direct large volumes of traffic your way, and ensure they are whitelisted and not treated suspiciously by your early-warning alert systems. This knowledge will help to set the parameters that define the early stage of an attack, helping you to respond faster while ensuring that you do not create poor experiences for your valid network traffic.
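To make the point concrete, here is an added example (not code from the original article or from Arbor) of the two pieces described above: learning a per-hour-of-day traffic baseline from history and whitelisting known heavy senders so they do not trip the alert. The flow summaries, IP addresses and the nightly bulk-transfer partner are all constructed for illustration; the thresholds (mean plus three standard deviations, with a floor) are one reasonable choice, not a standard.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed hourly flow summaries, (day, hour_of_day, source_ip, bytes). Not real traffic:
# three days of history covering a quiet hour (02:00) and a busy hour (14:00).
BASELINE_FLOWS = [
    (0, 2, "198.51.100.7", 60), (0, 2, "198.51.100.8", 40), (0, 2, "203.0.113.10", 5000),
    (1, 2, "198.51.100.7", 70), (1, 2, "198.51.100.8", 50), (1, 2, "203.0.113.10", 5200),
    (2, 2, "198.51.100.7", 50), (2, 2, "198.51.100.8", 30), (2, 2, "203.0.113.10", 4800),
    (0, 14, "198.51.100.7", 600), (0, 14, "198.51.100.8", 400),
    (1, 14, "198.51.100.7", 650), (1, 14, "198.51.100.8", 450),
    (2, 14, "198.51.100.7", 500), (2, 14, "198.51.100.8", 400),
]
# Hypothetical partner that pushes a bulk transfer every night: known, expected, high volume.
WHITELIST = {"203.0.113.10"}


def hourly_baseline(flows, whitelist, k=3.0, floor=0.2):
    """Learn a per-hour-of-day byte threshold from history, ignoring whitelisted sources.

    threshold = mean + max(k * stdev, floor * mean); the floor stops an hour whose days
    are near-identical from producing a threshold that fires on any change at all.
    """
    per_day_hour = defaultdict(int)
    for day, hour, src, nbytes in flows:
        if src not in whitelist:
            per_day_hour[(day, hour)] += nbytes
    by_hour = defaultdict(list)
    for (_, hour), total in per_day_hour.items():
        by_hour[hour].append(total)
    return {h: mean(t) + max(k * pstdev(t), floor * mean(t)) for h, t in by_hour.items()}


def evaluate_window(window_flows, hour, baseline, whitelist, top_talker_share=0.5):
    """Judge one observation window (list of (source_ip, bytes)) and return alert strings.

    Two independent checks: aggregate volume against the hour's learned threshold, and any
    single non-whitelisted source sending more than `top_talker_share` of that threshold.
    """
    alerts = []
    per_src = defaultdict(int)
    for src, nbytes in window_flows:
        if src not in whitelist:
            per_src[src] += nbytes
    total = sum(per_src.values())
    threshold = baseline.get(hour)
    if threshold is None:
        return [f"hour {hour}: no baseline learned, {total} bytes unjudged"]
    if total > threshold:
        alerts.append(f"hour {hour}: volume {total} exceeds threshold {threshold:.0f}")
    for src, nbytes in sorted(per_src.items(), key=lambda kv: -kv[1]):
        if nbytes > threshold * top_talker_share:
            alerts.append(f"hour {hour}: top talker {src} sent {nbytes} bytes")
    return alerts


# Constructed windows to evaluate against the learned baseline.
NORMAL_NIGHT = [("203.0.113.10", 5100), ("198.51.100.7", 65), ("198.51.100.8", 45)]
FLOOD_NIGHT = [("203.0.113.10", 5100)] + [(f"192.0.2.{i}", 60) for i in range(1, 21)]
SINGLE_SOURCE_DAY = [("192.0.2.99", 900), ("198.51.100.7", 60)]

if __name__ == "__main__":
    base = hourly_baseline(BASELINE_FLOWS, WHITELIST)
    print({h: round(t) for h, t in base.items()})
    for name, window, hour in (("normal night", NORMAL_NIGHT, 2),
                               ("distributed flood", FLOOD_NIGHT, 2),
                               ("single heavy source", SINGLE_SOURCE_DAY, 14)):
        print(name, evaluate_window(window, hour, base, WHITELIST) or "no alert")
    # Without the whitelist the partner's nightly transfer trips the top-talker check.
    print("no whitelist:", evaluate_window(NORMAL_NIGHT, 2,
                                           hourly_baseline(BASELINE_FLOWS, set()), set()))
```

The distributed flood is caught by the aggregate check even though no single source stands out, while the single heavy source at 14:00 is caught by the top-talker check even though the aggregate stays under the busy-hour threshold. Drop the whitelist and the partner's expected 5 MB night transfer is reported as a top talker every night, which is exactly the false-positive noise the article warns about.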
5. Have a DDoS defence plan … which is updated and rehearsed regularly
When attacks strike, stress levels escalate, and you’ll need a firm plan to guide you through the process of blocking and neutralising DDoS attackers. Make sure your plan details ‘who’ within your company and your managed security partners is there to help, and ‘how’ you should contact them. Make sure you have a clear internal incident-handling process that describes all the interactions and steps to be taken. In many cases, DDoS attacks are used as a smokescreen for far more sinister data-exfiltration attempts elsewhere on the network, so your processes need to account for all possible attack types. Finally, test your defence plan with regular simulation drills.
6. Leap into action
Your defence plan should be the blueprint for success, but when the time comes, it needs to be quickly activated. You’ll need the right teams of specialised experts, security partners and consultants, to deal with threats in real-time and squash their impact. Cutting off DDoS attacks requires decisive action and bold leadership, so make sure you have the right team for the job!
7. Automate communication with customers
Despite all your best efforts, a successful DDoS attack may take some of your digital services offline. You can proactively address customer frustration and avoid over-burdening the service desk by readying a status page with a simple, clear, apologetic message confirming that systems are unavailable and that the team is working on a solution. Customers tend to be more forgiving if an organisation has made some attempt to communicate about an issue. Through push channels such as e-mail, SMS or in-app messaging, you can notify affected users once you are back online.