
Creating A DDoS Response Playbook

A new report details challenges posed by DDoS attacks that you might not have considered.

Short, powerful bursts -- those are the words that can best describe the way distributed denial-of-service (DDoS) attacks are hitting enterprises.

In its 2014 Mid-Year Threat Report released today, NSFOCUS found not only a marked increase in attacks targeting Internet Service Providers (ISPs), enterprises and online gaming sites, but also a continuation of the trend of shorter DDoS attacks.

"According to NSFOCUS monitoring and analysis of the latest DDoS trend, the majority of DDoS attacks continue to be short in duration with repeated frequency," says Yonggang Han, chief operating officer of global business at NSFOCUS. "This ongoing trend indicates that latency-sensitive websites, ISPs, e-commerce, online gaming, and hosting service providers should become well prepared to implement proactive security solutions that support instant response. Rapid response after the detection of an attack is key to enabling defense and mitigation."

But even if an organization has a well-crafted response plan, there could very well be a number of surprises for organizations dealing with an attack.

"DDoS attacks impact all users of the company's services, including non-technical departments," says Lisa Beegle, manager of customer security CSM at Akamai. "Communication is key. The majority of stakeholders don't understand the complexity behind DDoS mitigation or the broad range of impact that a DDoS attack can have on their organization."

According to Dan Holden, director of Arbor's Security Engineering & Response Team (ASERT), organizations should make sure that DDoS response doesn't take away from other incident response. "It should be assumed that DDoS could be a part of a larger or more focused attack."

It is also risky to assume that DDoS is only a networking or pure traffic flood-type of attack, he says. Application attacks are potentially far more dangerous and are a sign of a more focused attacker and a serious campaign.

According to the NSFOCUS report, the top three DDoS attack methods during the first six months of the year were HTTP flood, TCP flood, and DNS flood. Together, they comprised 84.6% of all attacks. DNS flood attacks remained the most popular attack technique, accounting for 42% of all attacks. TCP flood attacks grew substantially, however, while the number of DNS and HTTP flood attacks decreased.

More than 90% of the attacks detected by NSFOCUS lasted less than 30 minutes. DDoS traffic volume increased overall during the period, with a third of attacks peaking at 500 Mbit/s and more than 5% reaching volumes of 4 Gbit/s. In addition, the report found that more than 50% of DDoS attacks exceeded 0.2 million packets per second (Mpps), and more than 2% of DDoS attacks were launched at a rate of more than 3.2 Mpps.

While shorter attacks are the norm, there are longer attacks as well. The single longest attack lasted nine days and 11 hours, while the single largest attack in terms of packets per second hit a volume of 23 million pps. Almost 43% of victims were attacked more than once, and one in every 40 victims was hit more than 10 times.

"Insufficient network and security architecture to ensure availability is [a] priority," says Holden. "Many times, perceived security solutions can only add to the possibility of availability failure. We also see victims of DDoS attacks struggle with understanding when to use on-premise vs. cloud-based mitigation services. This is going to be unique to each network. It requires an understanding of what is normal traffic, how much abnormal traffic can be tolerated, and how much time internal security personnel can spend working on an incident."

The keys to defending against any DDoS attack are the speed with which enterprises can identify and detect the attack and how fast they can begin mitigation of the attack, Han says.

"That is to say, it's always better to have a DDoS attack mitigation and incident response plan," he says. "Pre-planning and testing are critical to map out and refine processes and responsibilities. The quicker the attack can be identified and defenses can come to bear, the better off enterprises are in a DDoS attack -- accurate and fast detection is the first layer of defense."
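Both Holden's point about knowing "what is normal traffic" and Han's point about fast, accurate detection come down to the same mechanism: a per-class traffic baseline and a rule that turns a sustained excursion above it into an alert, so the playbook can be triggered within seconds rather than after the help desk lights up. The following is an added example and not code from the article or from NSFOCUS, Arbor or Akamai. It learns a mean and standard deviation of packets per second for each traffic class (DNS, HTTP, TCP SYN) over a quiet window, then flags bursts that exceed both an absolute floor and the class baseline, merges consecutive hot seconds into one event and drops one-second spikes. The traffic counters, class names and the `Sample`/`build_window` helpers are constructed for this example; the 0.2 Mpps floor and the 3.2 Mpps peak are taken from the report figures quoted above.

```python
"""Toy DDoS burst detector: baseline per traffic class, then flag sustained
bursts. Added example, not code from the article or from NSFOCUS, Arbor or
Akamai. All traffic numbers below are constructed; the 0.2 Mpps floor and the
3.2 Mpps peak reuse the report figures quoted in the article."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    t: int        # seconds since start of the capture window
    proto: str    # traffic class: "dns", "http" or "tcp_syn"
    pps: int      # packets per second seen for that class in second t


def learn_baseline(samples):
    """Per-class (mean, population stdev) of pps over a known-quiet window."""
    per_class = defaultdict(list)
    for s in samples:
        per_class[s.proto].append(s.pps)
    return {proto: (mean(v), pstdev(v)) for proto, v in per_class.items()}


def detect(samples, baseline, sigma=4.0, floor_pps=200_000, min_seconds=3):
    """Return sustained bursts as (proto, start_t, end_t, peak_pps).

    A second is anomalous for a class when its pps exceeds both an absolute
    floor (default 0.2 Mpps) and the class baseline mean + sigma*stdev, so a
    busy HTTP front end is not alerted on at a level that would be an obvious
    flood for DNS. Consecutive anomalous seconds merge into one event; events
    shorter than min_seconds are discarded as single-sample spikes.
    """
    by_class = defaultdict(dict)
    for s in samples:
        by_class[s.proto][s.t] = s.pps

    events = []

    def flush(proto, run):
        if run is not None and run[1] - run[0] + 1 >= min_seconds:
            events.append((proto, run[0], run[1], run[2]))

    for proto, series in by_class.items():
        mu, sd = baseline.get(proto, (0.0, 0.0))
        threshold = max(floor_pps, mu + sigma * sd)
        run = None                      # [start_t, end_t, peak_pps]
        for t in sorted(series):
            pps = series[t]
            if pps > threshold and run is not None and t == run[1] + 1:
                run[1], run[2] = t, max(run[2], pps)   # extend current run
            elif pps > threshold:
                flush(proto, run)       # non-adjacent hot second starts a new run
                run = [t, t, pps]
            else:
                flush(proto, run)       # run ended; keep it only if long enough
                run = None
        flush(proto, run)
    return sorted(events, key=lambda e: e[1])


def build_window(start, seconds, overrides):
    """Constructed per-second counters: quiet background plus injected values."""
    rows = []
    for t in range(start, start + seconds):
        background = (("dns", 1_500 + (t % 7) * 40),
                      ("http", 150_000 + (t % 5) * 10_000),   # busy web front end
                      ("tcp_syn", 800 + (t % 3) * 25))
        for proto, base in background:
            rows.append(Sample(t, proto, overrides.get((proto, t), base)))
    return rows


QUIET = build_window(0, 60, {})                      # constructed training window
OBSERVED = build_window(60, 60, {                    # constructed attack window
    **{("dns", t): 3_200_000 for t in range(70, 100)},     # 30 s DNS flood at 3.2 Mpps
    **{("http", t): 210_000 for t in range(80, 86)},       # above floor, within HTTP baseline
    ("tcp_syn", 90): 500_000,                              # one-second spike, dropped
    **{("tcp_syn", t): 400_000 for t in range(100, 105)},  # 5 s SYN burst
})

if __name__ == "__main__":
    for proto, start, end, peak in detect(OBSERVED, learn_baseline(QUIET)):
        print(f"{proto}: {end - start + 1}s burst from t={start}, peak {peak / 1e6:.1f} Mpps")
```

Run as written, the detector reports the 30-second DNS flood and the 5-second SYN burst and stays silent on the HTTP spike, because 210,000 pps is above the absolute floor but inside four standard deviations of that front end's normal load; lowering `min_seconds` to 1 would also surface the single-second SYN spike. In production the same structure is fed by flow or packet counters at the edge, and the event tuple is what the playbook's first page should consume: which class is under attack, since when, and how hard.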

Beegle advised organizations to identify who will communicate information back to the lines of business during a DDoS attack, so that IT does not get deluged with calls from line-of-business users and others asking what is occurring.

"As you create your playbook, don't forget to identify who the application owners are within each line of business," she says. "Then, build an internal talk track so they can ask the right questions during mitigation. Talk to them to get an understanding of the types of questions and issues they would potentially have during a DDoS event."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

User Rank: Moderator
9/24/2014 | 1:35:14 PM
Preventative tools to protect against future attacks
It's no secret that DDoS is still such a hot topic when it comes to protecting critical services, no matter which industry you are in. Sadly, these attacks are more focused on sites that provide streaming content as outlined in the article, and so when they happen, they can cause significant chaos. Many ISPs offer DDoS protection as a service, which is a great option for organizations that need a bit of help being proactive to mitigate these attacks when they happen.