How to Identify and Prevent DDoS Attacks
Distributed Denial of Service (DDoS) attacks make your web server or other external-facing server unreachable by exhausting a resource it depends on: the bandwidth of the link in front of it, the connection state it keeps for each client, or the CPU and memory the application needs to answer each request. Once that resource is gone, legitimate clients can no longer get through, and the service may fall over entirely. In layman's terms, the goal of a DDoS attack is to make your service or site unavailable, which means your company is losing income.
To learn more about this topic, check out our podcast: Preventing, Identifying, and Mitigating DDoS Attacks.
Because DDoS attacks can result in revenue loss, it's important to prepare for them. The following are a few steps you can take to prevent an attack and, if you believe you are facing one, identify and mitigate it.
Preventing and Identifying
Unfortunately, you may first learn you're facing a DDoS attack when that attack causes downtime, but here are some steps you can take.
1. Set alert thresholds so that you identify an attack early. Tune them so they are not so low that ordinary traffic spikes page your team constantly (or, if an alert triggers automatic blocking, lock out average users), but not so high that the website is already degraded by the time the alert fires. A per-page or per-source request rate measured against your normal baseline is a good basis for the threshold.
2. Set up monitoring: forward web server, load balancer, and firewall logs to a SIEM like Splunk and alert on unwanted traffic before the DDoS reaches a critical stage. You may also want to consider using a Managed Security Services Provider (MSSP) like Hurricane Labs to help with this. You can learn more about the services we offer here.
3. Find out which pages are being attacked the most. You can do this with good logging and Splunk dashboards, or by looking at your WAF (web application firewall) alerts. Which pages are visited the most, which are attacked the most, and which do you want to focus your resources on?
4. Select a web application firewall that fits your organization's needs. Set the WAF up to rate-limit and block repeated requests from a source, and choose one built to handle distributed attacks rather than only single abusive clients.
5. Use GreyNoise and similar services, which classify addresses seen mass-scanning the internet, to block known-bad IPs pre-emptively.
6. Join mailing lists. The ISACs (Information Sharing and Analysis Centers), for example, run mailing lists for different industries. People from other companies in your industry will share what they are seeing and finding and how to identify it.
7. A managed service provider like Hurricane Labs can do a majority of the work when it comes to creating, tuning, and modifying alerts, as well as provide 24/7 monitoring. You may also want to check with your cloud provider to see what they offer for DDoS protection and alerting.
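To make the threshold tuning in step 1 and the per-page analysis in step 3 concrete, here is an added example (not from the original post, and not Hurricane Labs' tooling) that runs the same logic a Splunk search or WAF dashboard would over a constructed access log: count requests per page in a one-minute window, flag pages above a tuned threshold, and then look for one attribute shared by almost all requests to the flooded page, which is the raw-data "common element" that becomes your own signature. The log lines, the 203.0.113.x and 198.51.100.x address ranges, the user agents and the thresholds are all constructed for the example.

```python
"""HTTP-flood triage over a constructed access log: per-page rates, a tuned
threshold, and a signature built from the attribute the flood shares."""
import re
from collections import Counter

# NCSA combined log format, as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

BOT_UA = "Mozilla/5.0 (compatible; constructed-bot/1.0)"  # constructed attacker user agent
BOT_NET = "198.51.100."                                     # constructed attacker address range


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def constructed_log():
    """One 60-second window: light normal browsing from seven users plus a
    2000-request POST flood on /login from 40 addresses. Entirely synthetic."""
    legit_uas = ["Mozilla/5.0 (Windows NT 10.0) Firefox/118.0",
                 "Mozilla/5.0 (Macintosh) Safari/605.1.15",
                 "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"]
    paths = ["/", "/products", "/login", "/cart", "/about"]
    lines = []
    for i in range(60):
        path = paths[i % len(paths)]
        method = "POST" if path == "/login" and i % 2 == 0 else "GET"
        lines.append(f'203.0.113.{i % 7 + 1} - - [10/Oct/2023:12:00:{i:02d} +0000] '
                     f'"{method} {path} HTTP/1.1" 200 512 "-" "{legit_uas[i % 3]}"')
    for i in range(2000):
        lines.append(f'{BOT_NET}{i % 40 + 1} - - [10/Oct/2023:12:00:{i % 60:02d} +0000] '
                     f'"POST /login HTTP/1.1" 401 0 "-" "{BOT_UA}"')
    return lines


def flooded_paths(records, threshold):
    """Pages whose request count in the window exceeds the alert threshold."""
    counts = Counter(r["path"] for r in records)
    return sorted(p for p, n in counts.items() if n > threshold)


def derive_signature(records, path, min_share=0.9, min_ips=10):
    """Find one (method, user agent) pair shared by almost all requests to the
    flooded page across many source IPs. Returns a signature dict, or None when
    the traffic is too diverse to sign this way and needs manual inspection."""
    hits = [r for r in records if r["path"] == path]
    if not hits:
        return None
    (method, ua), n = Counter((r["method"], r["ua"]) for r in hits).most_common(1)[0]
    ips = {r["ip"] for r in hits if r["method"] == method and r["ua"] == ua}
    if n / len(hits) < min_share or len(ips) < min_ips:
        return None
    return {"path": path, "method": method, "ua": ua}


def matches(record, sig):
    return all(record[k] == v for k, v in sig.items())


def evaluate(records, sig):
    """Coverage of the signature against the known bot traffic. The ground truth
    is only available because the log is constructed; on real data you would
    sample the flagged requests by hand before deploying the rule."""
    flagged = [r for r in records if matches(r, sig)]
    caught = sum(1 for r in flagged if r["ip"].startswith(BOT_NET))
    total_bot = sum(1 for r in records if r["ip"].startswith(BOT_NET))
    return {"caught": caught, "missed": total_bot - caught,
            "false_positives": len(flagged) - caught}


def analyse(lines, threshold=300):
    """Full pipeline: parse, flag pages over threshold, derive and score a signature for each."""
    records = [r for r in map(parse_line, lines) if r]
    result = {"flooded": flooded_paths(records, threshold), "signatures": {}}
    for path in result["flooded"]:
        sig = derive_signature(records, path)
        if sig:
            result["signatures"][path] = {"rule": sig, "coverage": evaluate(records, sig)}
    return result


if __name__ == "__main__":
    log = constructed_log()
    print("threshold 300:", analyse(log, 300)["flooded"])   # only the flooded page
    print("threshold 10: ", analyse(log, 10)["flooded"])    # every page: threshold set too low
    print(analyse(log)["signatures"])
```

With the threshold at 300 requests per page per minute, only /login is flagged, and the derived rule (POST to /login with the shared user agent) catches all 2000 flood requests while matching none of the legitimate logins, including the legitimate POSTs to the same page. Dropping the threshold to 10 flags all five pages, which is exactly what a threshold set too low looks like in practice.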
1. Having enough bandwidth allows you to absorb volumetric DDoS attempts. The average DDoS attack is around 1 Gbps, so provision headroom well above your normal peak, or use an upstream or cloud scrubbing service that absorbs the traffic before it reaches your link.
2. Distributed attacks are harder to block because you can't just block one IP, and it can take a long time to block every malicious IP that visits your website, not to mention the fact that the IPs are constantly changing. Some DDoS attacks are new or do not match any current signatures in WAFs and other security products. In that case you'll want to inspect the raw data to find a unique way to identify the attack: look for common elements (a shared user agent, URI, header or request shape) and build your own alerts and signatures from them, so that you can accurately distinguish the attack from legitimate traffic.
3. Attacks can also be identified and blocked by the protocol they use. We don't really see many volume-based DDoS attacks anymore, because SYN and Layer 7 attacks are less resource intensive and just as effective, especially Layer 7. SYN floods (a protocol attack) and HTTP floods (a Layer 7 attack) are the most common:
SYN Flood: a DDoS attack that abuses the TCP three-way handshake. Sources with spoofed IPs send SYN packets to start connections; the server answers each with a SYN/ACK and allocates a half-open connection entry, but the spoofed sources never send the final ACK and keep sending more SYNs. The server's SYN backlog fills with half-open connections it must hold until they time out, and new SYNs from legitimate clients are dropped. The best mitigations are SYN cookies (the server encodes the handshake state into its initial sequence number instead of keeping a backlog entry, so it holds no state until the client's ACK proves it is real), enough resources to handle the SYN rate, and the standard alert thresholds and monitoring.
HTTP Flood: a Layer 7 DDoS attack that sends HTTP GET or POST requests at a web server or web application. It is usually done via botnets sending hundreds of thousands of requests; POST floods are used in smaller attacks and GET floods in large botnet attacks. Because each request is a well-formed HTTP request over a completed TCP connection, it cannot be filtered by protocol alone. The best mitigation is a WAF that rate-limits and blocks by source and request pattern, combined with the standard alert thresholds and monitoring.
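The SYN-flood mechanics described above, as an added example that is not part of the original post: a toy Python model of a stateful SYN backlog next to a SYN-cookie server, flooded with spoofed SYNs that never complete and then visited by one real client. The cookie layout (a 6-bit time counter, a 2-bit MSS index and a 24-bit truncated HMAC), the secret, the MSS table and all addresses are this example's own simplifications of the scheme Linux uses, not kernel code.

```python
"""Stateful SYN backlog versus SYN cookies, modelled in Python. Added example;
the cookie layout is a simplified version of the Linux scheme, not kernel code."""
import hashlib
import hmac
import struct

SECRET = b"constructed-per-boot-secret"   # a real host generates and rotates this; fixed for determinism
MSS_TABLE = (536, 1220, 1440, 1460)        # assumed table; the index is what fits in the cookie's 2 MSS bits


def _mac24(src, sport, dst, dport, tick, client_isn):
    """24-bit truncated HMAC over the 4-tuple, time counter and client ISN."""
    msg = struct.pack("!4sH4sHII", src, sport, dst, dport, tick, client_isn)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, tick, mss):
    """Server ISN carrying the handshake state: 6-bit time counter, 2-bit MSS index, 24-bit MAC."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    tick &= 0x3F
    return (tick << 26) | (mss_idx << 24) | _mac24(src, sport, dst, dport, tick, client_isn)


def check_cookie(src, sport, dst, dport, ack_seq, ack_num, now_tick, max_age=2):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if the
    cookie is stale, forged, or was issued to a different 4-tuple."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the ACK acknowledges our ISN + 1
    client_isn = (ack_seq - 1) & 0xFFFFFFFF      # the client's seq is its ISN + 1
    tick = cookie >> 26
    if ((now_tick & 0x3F) - tick) & 0x3F > max_age:
        return None
    if (cookie & 0xFFFFFF) != _mac24(src, sport, dst, dport, tick, client_isn):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x3]


class StatefulServer:
    """Classic behaviour: every SYN occupies a backlog slot until the ACK arrives or the
    entry times out after SYN/ACK retries. A flood that outpaces the timeout fills it."""
    def __init__(self, backlog=1024):
        self.backlog, self.half_open = backlog, {}

    def on_syn(self, src, sport, client_isn, mss=1460):
        if len(self.half_open) >= self.backlog:
            return None                          # backlog full: the SYN is dropped silently
        self.half_open[(src, sport)] = client_isn
        return 0x1000 + len(self.half_open)      # any ISN; nothing is verified from it later

    def on_ack(self, src, sport, ack_seq, ack_num):
        return self.half_open.pop((src, sport), None) is not None


class CookieServer:
    """SYN-cookie behaviour: no state per SYN; a valid ACK proves the client is reachable."""
    def __init__(self, ip=b"\xc0\x00\x02\x0a", port=443):
        self.ip, self.port, self.tick = ip, port, 7    # tick: a coarse clock, e.g. minutes

    def on_syn(self, src, sport, client_isn, mss=1460):
        return make_cookie(src, sport, self.ip, self.port, client_isn, self.tick, mss)

    def on_ack(self, src, sport, ack_seq, ack_num):
        return check_cookie(src, sport, self.ip, self.port, ack_seq, ack_num, self.tick) is not None


REAL_SRC, REAL_SPORT, REAL_ISN = b"\xcb\x00\x71\x05", 51515, 123456   # constructed legitimate client


def flood_then_connect(server, n_spoofed=5000):
    """n_spoofed SYNs from forged sources that never ACK, then one real client's
    full handshake. Returns True if the real client gets a connection."""
    for i in range(n_spoofed):
        server.on_syn(struct.pack("!I", 0x0A000000 + i), 40000 + i % 20000, i)
    server_isn = server.on_syn(REAL_SRC, REAL_SPORT, REAL_ISN)
    if server_isn is None:
        return False                             # SYN never answered: denial of service
    return server.on_ack(REAL_SRC, REAL_SPORT, REAL_ISN + 1, server_isn + 1)


if __name__ == "__main__":
    print("stateful backlog survives flood:", flood_then_connect(StatefulServer()))   # False
    print("SYN cookies survive flood:      ", flood_then_connect(CookieServer()))     # True
```

The stateful server drops the real client's SYN once 1024 spoofed half-open entries fill its backlog; the cookie server keeps nothing per SYN, so the flood costs it only a SYN/ACK each, and the real client's ACK is accepted because it carries a cookie the server can recompute. The same check rejects an ACK with a guessed acknowledgement number, one arriving from a different source address, and one presented several ticks after it was issued, which is what keeps the stateless design from becoming a way to bypass the handshake.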
Having a plan in place allows you to deal with DDoS attacks quickly and efficiently, and staying current on security best practices is an important part of your security stance. To help with that, sign up for our newsletter. We'll keep you updated on our latest content and events to help keep you informed and secure.
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.