The number of distributed denial-of-service (DDoS) attacks is growing, and they are a key cause of concern for many organisations that rely heavily on their Internet presence. A DDoS attack is a malicious attempt to make a machine (e.g. a server) or network resource unavailable to its intended users, either by flooding it with unnecessary traffic or by sending it specially crafted requests that cause the application or service to become unavailable. For example, opening a URL in a browser sends a request to a web server to view its page. A web server can only process a limited number of requests at once (e.g. due to bandwidth constraints), so a DDoS attack can overload it with many simultaneous requests, leaving it unable to process legitimate ones.
Such an attack is usually carried out by multiple computers that have been compromised by cyber-attackers. The resulting service outage can cause organisations to incur financial losses through lost revenue and business opportunities and bandwidth costs, as well as damage to their reputation.
Symptoms of a DDoS Attack
News media often report DDoS attacks on financial institutions, government agencies, and major eCommerce websites. You may have heard of these reports, but your organisation can also be a victim. Detecting such attacks reliably requires dedicated network monitoring equipment, but several indicators or symptoms can also alert organisations to a DDoS attack taking place on their network resources.
Symptoms such as these may indicate a DDoS attack:
Unusually slow network performance (opening files or accessing web sites)
Unavailability of a particular web site
Inability to access any web site
Dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb)
Disconnection of a wireless or wired internet connection
Long term denial of access to the web or any internet services
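As an added example (not part of the original advisory), a small Python detector that scans web server access log lines for the request surge described above and reports how many distinct sources contribute, which is the indicator that separates a distributed flood from a single-source one. The Common Log Format input, the thresholds, and the addresses (taken from documentation ranges) are assumptions, and the sample log is constructed inside the block.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
# Fields of the Common Log Format this example needs: source IP and timestamp.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_line(line):
    """Return (source_ip, epoch_second) for one access log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp())

def detect_floods(lines, baseline_secs=10, factor=5.0):
    """Flag each second whose request count exceeds `factor` x the baseline rate
    (mean requests/second over the first `baseline_secs` seconds). Each alert also
    records the distinct source count and the busiest source's share: a surge spread
    over many sources with none dominant is the distributed pattern."""
    per_sec = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, sec = parsed
            per_sec[sec][ip] += 1
    if not per_sec:
        return []
    start = min(per_sec)
    base = [sum(per_sec.get(s, {}).values()) for s in range(start, start + baseline_secs)]
    baseline = max(sum(base) / baseline_secs, 1.0)  # floor of 1 req/s avoids a zero baseline
    alerts = []
    for sec in sorted(per_sec):
        total = sum(per_sec[sec].values())
        if sec >= start + baseline_secs and total > factor * baseline:
            top_share = per_sec[sec].most_common(1)[0][1] / total
            alerts.append({"second": sec, "requests": total, "sources": len(per_sec[sec]),
                           "top_source_share": top_share,
                           "kind": "distributed" if top_share < 0.2 else "single-source"})
    return alerts

def make_sample_log():
    """Constructed sample: 10 s of normal traffic (3 clients, 1 req/s each), then 3 s
    in which 40 different addresses from a documentation range each send 1 req/s."""
    def fmt(ip, sec):
        ts = datetime.fromtimestamp(1_700_000_000 + sec, tz=timezone.utc)
        return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET /index.html HTTP/1.1" 200 2326'
    normal = [fmt(f"198.51.100.{i + 1}", s) for s in range(10) for i in range(3)]
    burst = [fmt(f"203.0.113.{i + 1}", s) for s in range(10, 13) for i in range(40)]
    return normal + burst
```

Running `detect_floods(make_sample_log())` flags the three burst seconds as distributed; the same surge from a single address would be flagged as single-source, where per-address blocking at a firewall or router ACL is still an option.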
DDoS Mitigation Strategies
It is unlikely that the actual source of an attack can be easily determined: firstly, it is not always possible to distinguish legitimate requests from denial-of-service requests, and secondly, these attacks come from multiple compromised PCs. Most of the time, the users of these PCs are unaware that their computers have been infected by DDoS malware, and the real perpetrator remains hidden behind the layers of compromised machines.
Organisations may rely on the easiest solution, which is to purchase additional bandwidth to deal with the added traffic, but unfortunately this may not be the most feasible approach. Other strategies such as blackholing (where all traffic, both legitimate and fake, is sent to an invalid destination) may also not be feasible, as the whole point of a DDoS attack is to deny service availability, and the black hole approach achieves that by itself.
A proper defence against a DDoS attack requires the use of a combination of infocomm security tools, as well as sound business strategy.
- Basic Security (Anti-Malware software, Firewall, and Spam Filtering)
While being the victim of a DDoS attack is not something that organisations want to find themselves in, being responsible about security can reduce the likelihood that a cyber-attacker can use your PCs to attack other PCs.
Install anti-malware software, and keep it updated. This will help to minimise the risk of your computer being infected by DDoS malware.
Firewalls can be useful in allowing or blocking certain protocols, ports, or IP addresses from accessing your network resources, and from sending traffic out. However, firewalls may be unable to cope with complex DDoS attacks (e.g. an attack on port 80 where legitimate traffic is also being served, or an application-layer DDoS attack), and thus organisations must rely on a combination of other security tools to defend themselves.
Setting up a spam filter can also help if the organisation is facing a DDoS attack (email bomb) on its mail servers.
- Switches and Routers
Most switches and some routers have rate-limiting and access control list (ACL) features that mitigate certain DDoS attacks. Depending on how the organisation has set up its network equipment, it may be possible to provide some degree of remediation. However, the switches or routers themselves may also be overwhelmed by such attacks, crippling the network behind them.
- Intrusion Prevention Systems (IPS) and DDoS Defence Systems (DDS)
An IPS can be effective if the DDoS attacks have signatures associated with them. However, DDoS attacks are becoming more complex and thus harder to separate from legitimate traffic. More specialised prevention systems such as DDS are designed to detect and mitigate both network-layer DDoS attacks and more advanced application-layer attacks. However, if the organisation has limited resources to configure and maintain such a system, an alternative is to engage a DDoS mitigation service provider for a clean-pipe or traffic-scrubbing service to protect against DDoS-type attacks.
- Content Delivery Networks (CDN)
Content Delivery Network service providers have large distributed networks of servers that help to distribute content for organisations, and this provides some degree of protection against DDoS attacks. They are able to absorb the additional traffic by balancing the load across their servers.
- Business Continuity and Recovery
DDoS mitigation procedures should be part of any organisation’s business continuity and recovery plan. This can help to reduce the delay in responding to a DDoS attack and to ensure that the organisation is committed to providing the necessary resources for denial-of-service protection.
Who to Contact for Help
If you have noticed symptoms of a DDoS attack on your organisation’s systems, consider contacting your internet service provider. They might be able to advise on an appropriate course of action. Similarly, SingCERT is also able to provide additional advice and assistance to organisations.