When it comes to these recent waves of DDoS attacks, being able to detect the techniques employed in the attack and speedily respond to threats means the difference between keeping services running and having them shut down.
"These recent DDoS attacks are evolving so very rapidly, every time a new attack arrives they're switching to a different strategy," says Lynn Price, IBM security strategist for the financial sector. In essence, the attackers' strategy is to increase their capacity, use advanced infrastructure and application targeting tools, and automate attacks.
"They're getting much more sophisticated in their capability and what aspects of the IT stack they're hitting," she says.
In this environment, silence among the good guys is an extreme liability. So despite CSOs' extreme reluctance to talk about this issue, we managed to get some information through background discussions and interviews with security specialists who help companies combat DDoS attacks. Using that insight, we've assembled some action items for companies that aren't used to facing down DDoS attacks.
1. Be ready for real-time defense adjustments
"Not only were these attacks multi-vector, but the tactics changed in real time," says Gary Sockrider, solutions architect for the Americas at Arbor Networks. The attackers would watch how sites responded, and when the site came back online, the hackers would adjust with new attack methods.
"They are resolute and they will hit you on some different port, protocol, or from a new source. Always changing tactics," he says. "Enterprises have to be ready to be as quick and flexible as their adversaries."
2. Don't rely only on perimeter defenses
Everyone we interviewed named cases in which traditional on-premises security devices (firewalls, intrusion-prevention systems, load balancers) were unable to block the attacks.
"We watched those devices failing. The lesson there is really simple: You have to have the ability to mitigate the DDoS attacks before they get to those devices. They're vulnerable. They're just as vulnerable as the servers you are trying to protect," says Sockrider. Part of the mitigation effort is going to have to rely on upstream network providers or managed security service providers that can interrupt attacks away from the network perimeter.
It's especially important to mitigate attacks further upstream when you're facing high-volume attacks.
"If your Internet connection is 10GB and you receive a 100GB attack, trying to fight that at the 10GB mark is hopeless. You've already been slaughtered upstream," says Sockrider.
3. Fight application-layer attacks in-line
Attacks on specific applications are generally stealthy, much lower in volume and more narrowly targeted.
"They're designed to fly under the radar. So you need the protection on-premise or in the data center so that you can perform deep-packet inspection and see everything at the application layer. This is the best way to mitigate these kinds of attacks," says Sockrider.
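As an added example (not from the article or the people quoted in it), the Python below contrasts the two kinds of visibility the last two action items describe: a bytes-per-second check, which is all a saturating perimeter or upstream provider can act on, and a per-source request-rate check on an expensive endpoint, which needs application-layer inspection. The traffic records, addresses, endpoint name and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample traffic, one tuple per request: (second, src_ip, path, bytes).
# Seconds 0-1: volumetric flood from many sources, large payloads.
# Seconds 10-11: low-volume application-layer attack from a single source.
def build_sample_traffic():
    records = []
    for sec in (0, 1):
        for i in range(200):                       # 200 sources, one big request each
            records.append((sec, f"203.0.113.{i % 250}", "/", 9_000))
    for sec in (10, 11):
        for _ in range(40):                        # 40 small requests/sec, one source
            records.append((sec, "198.51.100.7", "/search", 400))
    for sec in range(12):                          # benign background every second
        for i in range(5):
            records.append((sec, f"192.0.2.{i}", "/index.html", 1_200))
    return records

# Constructed capacity threshold (not the 10GB link from the article's quote).
LINK_BYTES_PER_SEC = 1_000_000


def volumetric_alerts(records, link_bytes_per_sec=LINK_BYTES_PER_SEC):
    """Bytes-per-second check: what a perimeter device or upstream provider sees.
    Returns the seconds in which traffic exceeded the link threshold."""
    per_sec = defaultdict(int)
    for sec, _src, _path, nbytes in records:
        per_sec[sec] += nbytes
    return sorted(s for s, b in per_sec.items() if b > link_bytes_per_sec)


def app_layer_alerts(records, expensive_paths=("/search",), max_req_per_sec=20):
    """Per-source request rate to expensive endpoints: needs application-layer
    visibility (URL, not just bytes). Returns (second, src_ip) pairs over the limit."""
    counts = defaultdict(int)
    for sec, src, path, _nbytes in records:
        if path in expensive_paths:
            counts[(sec, src)] += 1
    return sorted(k for k, n in counts.items() if n > max_req_per_sec)


if __name__ == "__main__":
    traffic = build_sample_traffic()
    # The flood trips the volumetric check; the app-layer attack stays far below it.
    print("volumetric alerts (seconds):", volumetric_alerts(traffic))
    # The app-layer attack trips the per-source check; the flood does not.
    print("application-layer alerts:", app_layer_alerts(traffic))
```

Each detector misses the attack the other catches, which is why the article's sources want upstream mitigation for volume and in-line inspection for application-layer abuse.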
The banking industry is collaborating, if only a little, on these attacks. What banks reveal is carefully protected and shared strictly among themselves, but even in that limited way they are doing a better job of collaborating than most industries.
"They're working among each other and with their telecommunication providers. And they're working directly with their service providers. They have to. They can't just work and succeed in isolation," says Price.