Cyber-war: Staying clear of DDoS attacks

• DDoS attacks increasing by 20%-45% annually; application-based DDoS attacks growing by triple digits
• Urgent for govts and businesses to adopt security strategy given evolving DDoS attacks

STARTING out as simple denial of service assaults launched from a single computer, DDoS (distributed denial of service) attacks have evolved − with the proliferation of botnets − into one of the biggest threats on the security landscape.
 
Verizon in its 2012 Data Breach Investigations Report called these attacks “more frightening than other threats, whether real or imagined,” security company Fortinet said in a statement.
 
Research firm Stratecast in a recent study also found that DDoS attacks are increasing by 20% to 45% annually, with application-based DDoS attacks in particular growing by triple digits. Stratecast added that attacking via DDoS is one of the most prominent tools used by the hacker community, oftentimes as part of a multi-technique attack strategy.
 
According to several local newspaper reports, cyber-attacks recently erupted between Malaysian and Filipino hackers over the intrusion and standoff between militants from the Philippines and Malaysian forces in Lahad Datu, Sabah.
 
Some claimed to have crashed a few government websites, and publicly announced their exploits over Facebook.
 
“The evolution of DDoS attacks highlights the urgency with which governments and businesses must adopt a security strategy to defend themselves. There are proactive steps organizations can take to bolster defenses and reduce the risk of attack,” said Dato’ Seri George Chang, Fortinet’s regional vice president for Hong Kong and South-East Asia.
 
He pointed out that a DDoS strategy should attempt to maintain services − especially critical services − with minimum disruption. To that end, businesses can start by assessing the network environment and devising a response plan.
 
Among other things, the plan should include backup and recovery efforts, additional surveillance, and ways to restore service as quickly and efficiently as possible.
 
“DDoS attacks − like other security threats − will only continue to grow and become more rampant in future. Researchers have found that DDoS attacks are growing not just in terms of frequency, but in terms of bandwidth and duration as well,” said Eric Chan (pic), solution consulting director who is based at Fortinet’s Fortiguard Center in Kuala Lumpur.
 
“A decade ago, for instance, 50 Gbps attacks were seen a couple of times a year. Now, such attacks can happen nearly every week.
 
“The evolving nature of DDoS technologies will require firms to make a paradigm shift that entails greater foresight and more proactive defenses,” Chan added.
 
For proactive protection, Fortinet Inc advises three key steps to follow: Implementation of a multi-layer defense strategy; protection of DNS servers and other critical infrastructure; and lastly, maintenance of visibility and control of the IT infrastructure.
 
Multi-layer defense
 
A multi-layer strategy is crucial in DDoS protection and involves dedicated on-premise solutions designed to defend and mitigate threats from all angles of the network. These tools should provide anti-spoofing, host authentication techniques, packet level and application-specific thresholds, state and protocol verification, baseline enforcement, idle discovery, blacklists/ whitelists and geolocation-based access control lists.
 
When considering dedicated DDoS solutions, organizations need to make sure those will allow them not only to detect application-layer DDoS attacks and efficiently block common, generic or custom DDoS attack techniques and patterns, but also have the ability to “learn” to recognize both acceptable and anomalous traffic behavior patterns based on traffic flow.
 
This traffic profiling is key as it helps detect and restrict threats faster while reducing the event of false positives, Fortinet said.
 
For greater operational efficiency, firms should also look at DDoS solutions that offer advanced virtualization and geo-location features.
 
With virtualization, policy administrators can establish and oversee multiple independent policy domains within a single appliance, preventing attacks delivered in one network segment from impacting other network segments.
 
Geolocation technologies, on the other hand, let firms block malicious traffic coming from unknown or suspicious foreign sources. This reduces load and energy consumption on the backend servers by eliminating traffic from regions outside the organization’s geographic footprint and market.
 
Safeguarding DNS servers
 
As part of an overall defensive strategy, organizations must protect their critical assets and infrastructure.

Many firms maintain their own DNS servers for Web availability, which are often the first systems to be targeted during a DDoS attack. Once DNS servers are hit, attackers can easily take down an organization’s Web operations, creating a denial of service situation.
 
DNS protection solutions available on the market today can protect against transaction ID, UDP source port and case randomization mechanism intrusions, the company said.
 
Maintaining infrastructure visibility and control
 
Organizations need a way to maintain vigilance and monitor their systems before, during and after an attack, Fortinet said.
 
It’s no secret that having a holistic picture into the IT environment allows administrators to detect aberrations in network traffic and detect attacks quickly, while giving them the intelligence and analytical capabilities to implement appropriate mitigation and prevention techniques.
 
The best defences will incorporate continuous and automated monitoring, with alert systems that sound alarm bells and trigger the response plan should DDoS traffic be detected.
 
It’s important to have granular visibility and control across the network. This visibility into network behavior helps administrators get to the root of the attack’s cause and block flood traffic while allowing legitimate traffic to pass freely.
 
It also hands administrators the ability to conduct real-time and historic attack analysis for in-depth forensics. In addition, advanced source tracking features can help defensive efforts by pinpointing the address of a non-spoofed attack, and can even contact the offender’s domain administrator.
 
Turning attention back to the business
 
Fortinet urged organizations in Malaysia to beef up their response plans and assess their network infrastructure vis-à-vis DDoS threats today. This should include shoring up defenses for critical servers and prioritizing data, implement management and monitoring capabilities to give them a comprehensive understanding of their whole network.
 
Finally, IT administrators should be ready to implement fail-safe measures that quickly identify the source of the threat, minimize the impact of the attack, and restore service as soon as possible, the company said.
 
Related Stories:
 
Cyber-war: Time for our agencies to step up
 
Malaysia-Philippines cyber-war claims sites on both sides
 
Kaspersky identifies MiniDuke, malware that spies on govts and others
 
 
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.