Measures to counter DDoS attacks
A DDoS (distributed denial of service) is a type of attack on computer systems with the aim of making them unavailable. This can have far-reaching economic consequences for the victim. Unlike a straightforward DoS attack, in a DDoS attack the system is attacked by many distributed computers. The attack can occur at network level, application level or a combination of both. These attacks generally involve the use of botnets (a huge number of hacked systems that can be controlled remotely by the attacker) or poorly configured third-party systems (e.g. open DNS resolvers). Queries with a spoofed source address are used to make these systems send large responses to that address, i.e. the targeted system (amplification attacks). The volume of data often reaches several hundred Gbit/s. Generally, a single organisation cannot cope with volumes of this size without external assistance. Firewalls and IPS (intrusion prevention systems) that have been configured accordingly offer only limited assistance.
The motivation behind such DDoS attacks is mostly political activism, extortion or damage to competitors.
Ideally, you have already addressed the subject of DDoS and have established a certain defensive capability against DDoS attacks.
- You know your infrastructure and its weaknesses. Which services are so central that their failure could lead to far-reaching consequences for your organisation? Try to also think about basic systems without which your critical business applications would not work.
- You know the "normal status" of your network and systems and can detect anomalies, e.g. with intrusion detection systems (IDS) or centralised log analysis. A DDoS attack should be detected before your customers notice it.
- Monitor the availability of your customer applications, including from your customers' viewpoint, i.e. via the internet.
- Your systems are stable and robust (no unnecessary services, strict assignment of permissions, strong authentication, etc.) and have the latest patch level; SYN cookies are activated.
- An upstream firewall lets only required protocols through to the system. The firewall has enough system resources to continue functioning even in the event of a DDoS attack. Great attention should be given to the connection table and good policy management so that a large number of blocking policies can also be implemented in an emergency.
- Check the possibilities offered by GeoIP blocking. If your customers are predominantly from Switzerland and neighbouring countries, you can predefine a profile that either gives priority to IP addresses from this region or blocks other IP addresses. In the event of an attack, you can activate this profile and thus very quickly increase your options for action and secure additional protection.
- A web application firewall reduces the attack surface of web-based services.
- Systems that could potentially fall victim to a DDoS attack (e.g. websites) should be connected to a different internet uplink from that used by the organisation's other systems. In this way, the systems concerned can be placed under the protection of a DDoS mitigation provider without affecting the other systems required for day-to-day operations.
- Have alternative solutions ready, e.g. a static website containing minimum information that is on standby with a different provider and that you can activate with one simple change in the DNS.
- In general, ensure that the TTLs of your DNS records are well balanced so that you are able to change a domain resolution quickly enough.
- You have a strategy for coping with a DDoS attack. The persons in charge know the procedure, as well as the internal and external contacts (service provider, police stations, etc.).
- If need be, they can access internal or contractually committed external resources (particularly staff and infrastructure).
- You have both discussed and rehearsed the procedure to be followed for a DDoS attack with your internal units and external partners. Everybody knows their role and contact points.
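As an added example of the "normal status" point in the list above (this is illustrative code, not part of the original page): a Python script that parses web-server access-log lines, counts requests and distinct source addresses per 10-second window, and flags windows whose request count exceeds a baseline learned from the first windows. The log lines, IP addresses, window size and threshold factor are all constructed assumptions for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \d+')
T0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)  # constructed start time


def make_line(ip, ts, status=200):
    """Build one constructed access-log line in Common Log Format."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET / HTTP/1.1" {status} 512'


def build_sample():
    """Constructed sample: six quiet 10-second windows, then one flooded window."""
    lines = []
    for w in range(6):  # normal: 3 requests per window from 2 known clients
        for i in range(3):
            lines.append(make_line(f"198.51.100.{i % 2 + 1}",
                                   T0 + timedelta(seconds=10 * w + 3 * i)))
    for i in range(60):  # flood: 60 requests from 60 distinct sources in one window
        lines.append(make_line(f"203.0.113.{i}", T0 + timedelta(seconds=60 + i // 6)))
    return "\n".join(lines)


def window_stats(log_text, window=10):
    """Return {window_start_epoch: (request_count, distinct_sources)} in time order."""
    reqs, srcs = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort analysis
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        bucket = int(ts.timestamp()) // window * window
        reqs[bucket] += 1
        srcs[bucket].add(m.group(1))
    return {b: (reqs[b], len(srcs[b])) for b in sorted(reqs)}


def flag_anomalies(stats, baseline_windows=5, k=3.0):
    """Flag windows whose request count exceeds baseline mean + k * stdev.

    A floor of 1.0 on the deviation keeps a perfectly flat baseline from
    flagging every tiny fluctuation. Returns (window_start, requests, sources).
    """
    base = [r for r, _ in list(stats.values())[:baseline_windows]]
    threshold = statistics.mean(base) + k * max(statistics.pstdev(base), 1.0)
    return [(b, r, s) for b, (r, s) in stats.items() if r > threshold]
```

In practice the baseline would be learned from a longer period of known-good traffic and the distinct-source count is what separates a distributed flood from a single misbehaving client.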