CISO Guide for Denial-of-Service (DoS) Security

Denial-of-Service (DoS) attacks have existed since the early days of computing and have evolved into complex and overwhelming security challenges. Organizations have had to worry not just about DoS attacks, but Distributed DoS attacks (DDoS), and more recently, Distributed Reflector DoS (DRDoS) attacks. Additionally the size, complexity, and sophistication of DDoS attacks are increasing at alarming rates.

In general distributed denial-of-service (DDoS) attacks target network infrastructures or computer services resources. The primary goal of DDoS attacks is to deny legitimate users access to a particular computer or network resources, which results in service degradation, loss of reputation, and irretrievable data loss. DDoS attacks are aimed at organizations of all sizes and types that have an online presence, including businesses, government agencies, academic institutions, and even individuals. DDoS has evolved from random hacker exploits to organized criminal activities that often involve botnets, which are large groups of compromised host computers controlled by a central commander.

Ultimate goal of security is to maintain three basic characteristics viz. Confidentiality, Integrity and Availability and Primary goal of DDoS defense is maintaining Availability of applications, services, data, and infrastructure in the face of attacks against availability i.e., DDoS attacks

Organizations must look at a security-in-depth approach in order to fully prepare for attacks.

( Read more:  Technology/Solution Guide for Single Sign-On )

 

Few pointers that the DDoS solution should incorporate:

  • Notification and alerting mechanism
  • Filtering technology that excludes only unwanted traffic
  • Scalability to handle all-size threats
  • A distributed model to create and maintain redundancy
  • Ability to stop both volumetric and application-layer DDoS attacks
  • A logging/correlation system to collect detailed attack data
  • True “distributed” DoS attack detection rather than rather than simple point-based detection.
  • Multiple methods of threat detection and mitigation that ranges from statistical anomaly detection and threshold-based flood detection to fingerprint-based detection based
  • Blocks attack traffic at the edge of the Internet by source IP and location, and controls access to content based on user and session details.
  • Should be able to easily identify legitimate search engine Web crawlers
  • Should always-On Integrated with Cloud Scrubbing
  • Should be CDN and Proxy-Aware
  • Should provide Global Threat Intelligence Feed
  • Most important 24*7*365 support

Organizations needing such solution

Distributed Denial of Service (DDoS) attacks are bringing mission-critical systems and business operations to a halt, losing revenue opportunities, decreasing productivity and damaging business reputations. Over the past few years, DDoS attacks have grown in frequency and are conducted for a specific purpose such as extortion, market manipulation and cyber terrorism.

Regulatory fines are sometimes less damaging than the repercussions of brand damage. In addition to the financial losses incurred in fines and legal costs to fight lawsuits and pay out huge settlements, companies pay again in the loss of customers and plunging market shares.

( Read more:  Action List Before Adopting a Cloud Technology )

In the recent some of DDoS attack sophistication is evidenced like

  •  Reconnaissance: Attackers probing banks and then customizing attacks to the target
  •  Multiple concurrent targets
  •  Targeting customer servers with HTTP/S, repeated GETs/POSTs against no-existent URIs
  •  More frequent attack against ISP authoritative DNS Servers
  •  Attacking directly ISP/MSSP network infrastructure
  •  Increasing bot turnover

So organizations like All Banks, Financial & Government Sectors, Ecommerce, Online Trading, Private and Public Internet Data Centers, Web/Email/DNS hosting Providers, Internet Service Providers, Managed Security Service Providers, Cloud Service Providers etc. which has an online presence and want to protect business operations and/or brand reputation need a DDoS solution.

Key drivers for adoption

DDoS is an attack on service availability. The goal of the attacker is to prevent the enterprise/data center from functioning— whether that be transacting ecommerce; delivering email, voice or DNS services; providing Web site access; or offering other business-critical services. The business impact of an attack is a function of the length of time that services are unavailable and the value of those services.

Undoubtedly, the number-one driver for the DDoS prevention market is the attacks themselves. Most major vendors operate threat labs and publish regular reports on threats, and the threat landscape is getting bigger, more complex, and scarier at an alarming rate. From the September ’12 US bank attacks to the Iranian elections, Wikileaks, and the Anonymous army attacking are few DDoS attacks that have been big news for the last two years. The rise of botnets and easy-to-use tools (like LOIC) for launching attacks means that there are more DDoS attacks pushing greater volumes of traffic, initiated by a wider variety of attackers than ever before. There is no indication that the pace of innovation in the creation of attacks and the ingenuity that drives the distribution of those threats will ever slow down, and so prevention solutions need to continue to evolve as well.

So the key drivers for adoption of DDoS Solution are maintaining Availability & Uptime, Avoiding Loss of Revenue, incurred Operational Expenses (OPEX), and Negative Publicity or Reputational damage.

( Watch more : An approach to present IT Risk as Business Risk )

Compliance, regulations and standards that make the solution mandatory

The primary effect of DDoS attacks on corporations is service disruption—business downtime leading to customer dissatisfaction and loss of credibility and possibly revenue. The service provider network can be overwhelmed, impacting the ability to deliver connectivity. Even worse, collateral damage can be inflicted on other elements of the network that were not the original target of the attack, but overwhelmed in the process of the attack.

With the growing regulations placed upon corporations, the connectivity required to access data is critical. Any compromise on the ability to exchange data could violate regulations. More regulations are appearing and they imply that corporations and service providers should proactively manage security threats.

In the absence of regulations or compliance, many companies may not choose to invest in security solutions for their valuable data; many vertical markets are affected by regulations (such as healthcare and finance), and there are other regulations that impact broader groups of organizations (PCI, SOX, or GLBA in the US). Even non-regulated industries can face compliance issues that impact security spending, as many companies are required to demonstrate a certain level of security for business licensing or insurance purposes; regardless, the threat of repercussions for not being compliant drives many organizations around the globe to invest in network security.

In India, it is mandatory for financial institutions which offer products/services via the Internet to have a demonstrable DDoS mitigation solution. RBI guideline mandates for Banks providing internet banking service to implement network/security devices for reasonable preventive/detective capability or consider incorporating DoS attack protection in their ISP selection process.  Any organization having online presence and planning to get certified on ISO 27001, 20000 etc. standards should also consider DDoS protection since BCP/DR planning is must for such standards.

Top technology trends for the DDOS domain

As we all know DDoS attacks are now part of the advanced threat landscape, with attack types varying by size, vector and desired outcome and If we are not successful at blocking these attacks, confidential information may be accessed or stolen, valuable services may not be available to employees or customers, revenue may be lost and our company’s brand & reputation may be hurt or damaged. So the recent DDoS attack trend observed is larger, more overwhelming, and smaller, yet disproportionally disruptive and more complex application-layer attacks.

Now a days Attacks are focused Multi-Stage & Multi-Vector DDoS like:

  • GET and POST app layer attacks on HTTP and HTTP/S
  • DNS query app-layer attack, mainly against ISP authoritative DNS servers
  • Floods on UDP, TCP SYN floods on TCP/53 against ISP authoritative DNS servers & target organization Web properties

Characteristics of these attack campaign results to:

  • Relatively high bps/pps/cps/tps rates per individual attack source
  • Attacks on multiple targeted organizations in same vertical
  • Real-time monitoring of effectiveness
  • Some agility in modifying attack vectors when mitigated
  • Revert to using conventional botnet for SYN-floods, etc. when main attack methodologies are successfully mitigated

-By Yadvendra Awasthi,CISO, NetMagic Solutions Pvt Ltd. 

More:  Want to share your insights? Click here to write an article at CISO Platform

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)