Distributed denial of service attacks can come from anywhere. A skilled cyber criminal can quickly take over IP addresses from around the world, overwhelm your server and shut you out of important hardware and resources within your business network. Once a DDoS attack is under way, it becomes difficult to remove the threat, as the attacker can continually bring in new IP addresses to send the barrage of faulty commands to your system. As the best defensive mechanism is prevention, here are several of the best ways you can protect your business from possible DDoS attacks.
What is a DDoS Attack?
For an in-depth look at what a DDoS attack is, where it originates and how it attacks your server, please see the previous post on the topic. The abridged version is that a skilled cyber criminal takes command of varying IP addresses, often from around the world. Each IP address then sends faulty commands to equipment within your business server. The overwhelming number of commands completely blocks out your ability to send instructions to the equipment, preventing you from using the hardware. A DDoS attack differs from a DoS attack in that a DoS attack is a singular, straight-on approach where a single IP address sends the faulty commands, whereas a distributed denial of service attack comes from an assortment of IP addresses.
Creating an Initial Defense
Many of the steps you'll take to defend against a DDoS attack can be used to defend against other external threats, which is helpful in improving the productivity of your company's IT cyber security department. The first step you need to take with regard to a DDoS, though, is setting up traffic thresholds. Chances are, you already track the amount of traffic your website receives on a daily basis. Your IT department can do this down to traffic by the minute. By doing this, you'll have a good understanding of what normal traffic looks like and what far exceeds it. With those numbers in mind, you can set thresholds that flag strange levels of activity. For example, if your business typically receives 10,000 visitors a day, but you receive 40,000 in one day, these numbers will raise an alert.
Your IT department needs to continually monitor potentially negative IP addresses. These IP addresses may harass your website or appear to poke and prod your cyber security defenses. Whenever strange activity appears from an IP address, your IT department needs to block the address. After placing an IP address on a blacklist, you can then monitor how the IP address responds. Typically, if the IP address is not looking for services but instead looking to attack your network, it likely will not return quickly (instead it will switch to a different IP address and perform the same actions). However, a customer that is blocked most likely will attempt to reconnect with your website. By monitoring blocked and blacklisted IP addresses, you can determine whether each one is likely a security risk or a potential client (Beta News, 2016).
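The two steps above (a per-minute threshold derived from normal traffic, then watching how blocked addresses behave) can be expressed in a few lines. The following is an added example, not code from the original post: it computes a threshold from a constructed baseline of per-minute request counts, flags any minute in a constructed access-log excerpt that exceeds it, lists the top sources of that minute, and then checks which blocked addresses keep coming back after the block. The log format, the baseline numbers and all addresses are constructed for illustration.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed baseline: requests per minute observed during normal operation.
# In practice this comes from your own traffic history, as the article describes.
BASELINE_PER_MINUTE = [6, 7, 8, 6, 9, 7, 8, 6, 7, 10, 8, 7, 6, 9, 8, 7, 6, 7, 8, 9]

# Constructed access-log excerpt in the form "<ISO timestamp> <client IP>".
# Minute 10:00 is normal, 10:01 is a flood, and 10:03 is after the top sources were blocked:
# the real customer (198.51.100.4) keeps reconnecting, the flood simply moves to a new address.
SAMPLE_LOG = "\n".join(
    f"2024-05-01T10:{mm:02d}:{ss:02d} {ip}"
    for mm, ip, n in [
        (0, "198.51.100.4", 3), (0, "198.51.100.9", 2), (0, "192.0.2.33", 2),
        (1, "203.0.113.7", 9), (1, "203.0.113.8", 5), (1, "198.51.100.4", 2),
        (3, "198.51.100.4", 2), (3, "203.0.113.9", 4),
    ]
    for ss in range(n)
)


def parse_log(text):
    """Turn log lines into (minute, client_ip) pairs, truncating timestamps to the minute."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        events.append((minute, ip))
    return events


def threshold_from_baseline(samples, k=3.0):
    """Alert threshold: mean of normal per-minute traffic plus k population standard deviations."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)


def flag_minutes(events, threshold):
    """Return {minute: request_count} for every minute whose volume exceeds the threshold."""
    per_minute = Counter(minute for minute, _ in events)
    return {m: c for m, c in sorted(per_minute.items()) if c > threshold}


def top_sources(events, minute, n=3):
    """The client IPs responsible for most of the requests in a flagged minute."""
    return Counter(ip for m, ip in events if m == minute).most_common(n)


def classify_blocked(events, blocked, block_time, window=timedelta(minutes=10)):
    """After a block, an address that keeps coming back behaves like a customer; one that
    goes silent behaves like an attacker who has already rotated to a new address."""
    retries = defaultdict(int)
    for minute, ip in events:
        if ip in blocked and block_time < minute <= block_time + window:
            retries[ip] += 1
    return {ip: ("likely customer" if retries[ip] else "likely attacker") for ip in blocked}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    threshold = threshold_from_baseline(BASELINE_PER_MINUTE)
    for minute, count in flag_minutes(events, threshold).items():
        print(f"ALERT {minute:%H:%M}: {count} requests (threshold {threshold:.1f})")
        print("  top sources:", top_sources(events, minute))
        blocked = {ip for ip, _ in top_sources(events, minute)}
        print("  follow-up:", classify_blocked(events, blocked, minute))
```

With the constructed data the threshold works out to just under 11 requests per minute, so the 16-request flood minute is flagged while the 7-request normal minute is not. The follow-up check is the part worth keeping: the customer that was swept up in the block (198.51.100.4) is seen again two minutes later, while the two flood addresses never return, which is the behavioural difference the post describes.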
Content Delivery Network
A content delivery network, or CDN for short, is able to identify faulty traffic attempting to access your network. The CDN can then detour the traffic to its own cloud system. Taking advantage of a CDN is an extremely effective measure for diverting a DDoS attack and protecting against potential downtime or serious outages within your server.
There is a big drawback with a CDN though. Realistically, using a CDN is not financially possible for small to medium companies. Even some large corporations may baulk at the possible cost. There are many variables at play to determine the cost, but a CDN can cost tens of thousands of dollars every month. If you run a large financial institution, a hospital or another massive corporation and can afford a CDN, it is highly recommended to look into what a content delivery network can do for you.
Monitor All Connected Hardware
As the Internet of Things continues to develop and bring more technology into the fold, it puts your system at greater risk. Cyber criminals no longer need to hack your network through a traditional avenue; instead they can take back roads through a wirelessly connected light bulb or washing machine. With the sheer number of additional Internet devices within your network, it is essential to monitor all connected equipment. One of the best ways to avoid external threats coming in via a smart watch or smart thermostat is to regularly change the passwords on these devices. It is a simple approach, but one of the main lines of defense when protecting your network from IoT attacks is to switch passwords (Rival Host, 2017).
The way you host your server plays a vital role not only in the quality of your own network but in your ability to rebuff external attacks such as a DDoS. One available option to consider is secured VPS hosting. When selecting a host, never just go with the cheapest option. Cheaper in this case is not better, as it does not come with the same kind of security protocols in place, which greatly increases your chance of an attack (and not just a DDoS attack but other malware attacks). With a secured VPS host, you have a unique IP address and can work in a more isolated environment, without remaining connected to other company sites. This is one of the main problems with cheap hosting services: should another website or company network fall victim to a DDoS attack, your threat level skyrockets, as many of your security features are in line with the attacked company, making it easier to target your business network next.
Your company may want to consider buying a dedicated server. With a dedicated host server you'll increase bandwidth levels and give yourself more control over all resources. It allows your IT cyber security department greater leeway in developing protective measures against nearly every single threat out there. A dedicated server is more challenging to hit. While not impossible to infiltrate, the dedicated server will prove to be one of the best cyber security defensive measures your company can invest in. If you look at the potential financial hit you'd take in the event of a sustained DDoS attack, the benefit of a dedicated server may far outweigh the cost of purchasing one.
In the Event of a DDoS Attack
The major problem with a distributed DoS attack is that the continually changing IP addresses make it next to impossible to block all of the external sources of faulty commands. Similar to classic cartoons where a character places his finger into the hole of a leaky boat, only to have a new leak emerge, this is what happens when you block an IP address during the attack. Instead, you need to identify the attack's fingerprint rather than its IP addresses.
During an attack, clients will attempt to access your website. They also will likely blanket your email and social media accounts with posts regarding the outage. Attempting to respond to hundreds, if not thousands, of messages in a short period of time simply is not possible. Instead, you need to have automated communication set up, so in the event of a successful DDoS attack you can at least instantly inform clients and interested customers of the situation (even if you don't go into extensive detail) so they know it is not a problem on their end. Realistically, you should create a variety of automated communication pages for different issues. However you set up the pages, though, it is almost always best to keep it vague and to just let the customer know the page is down and you're working hard to have it back up shortly (Beta News, 2016).
While a DDoS attack is orchestrated in a unique manner to bombard your system, the attack works due to the brute force of the commands. The overwhelming flood of faulty commands storms your system, blocking you off from it. Due to the brute-force nature, it is easier to identify the fingerprint of the attack. You can block IP addresses later, but first, capture the packets coming in. With the DDoS making up most of the traffic, you'll have a solid chunk of data to analyze. Within the capture you want to find some sort of pattern. As the faulty commands are bypassing your firewall and other security measures, all data packets moving through must share a similar structure, otherwise your defensive methods would filter out the commands. Once you have identified the patterns, you can instruct your router ACL, firewall and other cyber security defenses to block these patterns (IT Business Edge, 2017).
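The fingerprinting step above is easier to see on data. The following is an added example, not code from the original post or its sources: it takes a constructed packet capture (a few ordinary packets plus a flood arriving from 40 different addresses that all share one protocol, destination port, size and payload prefix), finds the single shape that dominates the capture, measures how many packets a rule on that shape would drop versus pass, and renders the shape as an illustrative iptables rule. The packet fields, the addresses and the rule syntax are assumptions for the sake of the demonstration; the shape is chosen by a plain majority vote, which is the simplest form of the pattern search the post describes.

```python
from collections import Counter, namedtuple

# One record per captured packet. The payload field is the first bytes of the payload, hex-encoded.
Packet = namedtuple("Packet", "src proto dport length payload")

# The fields that together make up the "shape" of a request. The source address is deliberately
# left out, because the post's point is that addresses keep changing while the shape does not.
SIGNATURE_FIELDS = ("proto", "dport", "length", "payload")


def build_sample_capture():
    """Constructed capture: six ordinary packets plus a flood of 40 packets that arrive from
    40 different addresses but all share one protocol, port, size and payload prefix."""
    normal = [
        Packet("198.51.100.4", "TCP", 443, 517, "1603"),
        Packet("198.51.100.9", "TCP", 443, 1460, "1703"),
        Packet("192.0.2.33", "TCP", 80, 312, "4745"),
        Packet("192.0.2.34", "UDP", 53, 72, "ab12"),
        Packet("198.51.100.4", "TCP", 443, 93, "1703"),
        Packet("192.0.2.35", "UDP", 4000, 60, "0a0b"),  # same port as the flood, different shape
    ]
    flood = [Packet(f"203.0.113.{i}", "UDP", 4000, 512, "00000000") for i in range(1, 41)]
    return normal + flood


def shape_of(packet):
    """The tuple of signature fields that identifies a packet's shape."""
    return tuple(getattr(packet, field) for field in SIGNATURE_FIELDS)


def fingerprint(packets, min_share=0.5):
    """Return the single shape that dominates the capture, or None if no shape accounts for
    at least min_share of the packets (then there is no flood to fingerprint)."""
    shape, count = Counter(shape_of(p) for p in packets).most_common(1)[0]
    share = count / len(packets)
    if share < min_share:
        return None
    sig = dict(zip(SIGNATURE_FIELDS, shape))
    sig["share"] = share
    sig["distinct_sources"] = len({p.src for p in packets if shape_of(p) == shape})
    return sig


def apply_signature(packets, sig):
    """Count how many packets a rule on the fingerprint would drop versus let through."""
    target = tuple(sig[f] for f in SIGNATURE_FIELDS)
    dropped = sum(1 for p in packets if shape_of(p) == target)
    return dropped, len(packets) - dropped


def firewall_rule(sig):
    """Render the fingerprint as an illustrative iptables rule (an assumed example of the
    router-ACL or firewall rule the post refers to; adapt the syntax to your own device)."""
    return (f"iptables -A INPUT -p {sig['proto'].lower()} --dport {sig['dport']} "
            f"-m length --length {sig['length']} -j DROP")


if __name__ == "__main__":
    capture = build_sample_capture()
    sig = fingerprint(capture)
    if sig is None:
        print("no dominant shape; nothing to fingerprint")
    else:
        dropped, passed = apply_signature(capture, sig)
        print("dominant shape:", sig)
        print(f"one rule drops {dropped} packets from {sig['distinct_sources']} addresses, passes {passed}")
        print("rule:", firewall_rule(sig))
```

Run on the constructed capture, the dominant shape is UDP to port 4000 with 512-byte packets and a zeroed payload prefix, covering 40 of 46 packets from 40 distinct sources. One rule on that shape drops all 40 and passes the six ordinary packets, including the one legitimate packet on the same port, which is exactly why a shape is a better blocking key than the 40 addresses. Run on the six normal packets alone, no shape reaches the threshold and the function returns None, so the code does not invent a pattern when there is no flood. Whatever shape you do pick, check what legitimate traffic it would also drop before deploying the rule, since the post's "similar structure" can sometimes coincide with a normal request type.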
When going through the attack, you'll likely need to contact your ISP. It is possible the company will need to perform the blocking for you, depending on how the system is set up. The company can work with you on cleaning your LAN and establishing a new IP address for your company. Many providers also offer a service they refer to as a "clean pipe," which means they will automatically block out DDoS attacks (to some extent). This usually is an added service you need to pay for monthly. If you believe your company to be a prime target for such an attack or you simply want the added protection, talk to your ISP about how the service provider can help (IT Business Edge, 2017).
Prevent Others From Being Attacked
When your business is attacked in this way, the rest of the world does not know about it. However, without anyone being informed about the attack, the perpetrator may be able to continually execute the attack on other companies, so you must do your part to inform and educate the proper authorities regarding the attack. Depending on your company's location, you have a regional Computer Security Incident Response Team (CSIRT). This team will take the information about your attack, create records of it and inform other agencies about the security threat. By providing the necessary information to the CSIRT, the agency has the ability to investigate the origin of the DDoS attack and do what it can to go after the cyber criminal (CERT: Software Engineering Institute, 2017).
External threats come from varying locations and in many different forms. Protecting against all of them takes an experienced and continually adapting IT cyber security team. In the event of a DDoS attack, specific measures must be taken in order to defend against these in-depth and calculated attacks. By following through with these defensive protocols, you'll increase your level of protection against such DDoS threats.