By Ronald Sens, EMEA Director, A10 Networks
What makes a DDoS successful? I asked myself that question at the end of August when the central bank of Spain, Banco d’Espana, was hit by a DDoS attack that took its website temporarily offline. The bank issued a statement acknowledging the attack and stating that “no damage” had been done and its operations, as a central bank with no commercial arm, were not affected, implying that the attack was not successful. Meanwhile, the hacktivist group, Anonymous Catalonia, claimed responsibility and widely shared evidence that it had brought the bank’s web servers down worldwide.
For Anonymous Catalonia, this was a success. As part of their wider #OpCatalonia political campaign that targeted Spanish government internet properties, the attack demonstrated the group’s ability to disrupt central government banking infrastructure and highlighted existing vulnerabilities. Therefore, I’d argue that the reputation of the Banco d’Espana saw undeniably damaging effects. Once the impact of a DDoS attack becomes tangible through slow or non-responsive websites and services, it’s much more than revenues, business continuity and sensitive data that’s under threat – reputations suffer, too. That is the true measure of whether or not a DDoS attack has succeeded, or rather that our defences have failed.
DDoS attacks continue to constitute a major threat to organisations. The latest figures show that attacks are growing in frequency, peak volume and complexity. The increasing prevalence of DDoS-as-a-service means that it has never been easier for cybercriminals – whether politically or financially motivated – to orchestrate attacks. Recent reports have put the cost of purchasing a DDoS attack at as low as just ten dollars per hour. Amplifying this issue is the growing army of unsecured IoT devices that continue to swell the ranks of DDoS botnets, boosting the potential size of attacks regularly into 11GBPS+ territory.
Effectively, protecting against DDoS attacks is now part of the cost of doing business. The question is, faced with this intensive onslaught, what can organisations do to shift the balance in their favour and deflect attacks before they start to damage systems, revenues and reputations? The answer lies in preparation, escalation and scalability.
Preparation – Knowledge is Power
Threat intelligence is a critical weapon in the cybersecurity environment. The cybercriminal community is already sharing tools, tactics and procedures in a bid to breach defences, so it’s only logical that defenders should do the same, in order to provide a strategic advantage to put them a step ahead of attackers.
Take the Banco d’Espana situation as an example: Anonymous Catalonia had announced its intention to target government websites earlier in the month and, while Banco d’Espana was not on the published list, its security professionals should have been alert to the possibility of an attack.
In preparation for a potential attack they could use threat intelligence gleaned by researchers who monitor the millions of compromised IoT bots that can be brought into play in a DDoS attack. This intelligence allows defenders to blacklist servers that are known to be vulnerable to reflected amplification, block infected internet bots’ IP addresses and use large lists of millions of known IoT devices to create custom traffic allocation that blocks malicious devices while allowing trusted traffic through.
Escalation – Be Ready to Respond with Back-up if Necessary
Verisign’s recent DDoS threat report discovered that 32% of attacks were comprised of four or more attack types. Mitigating sophisticated multi-vector attacks requires a defence strategy that can cope with volumetric or network protocol and application layer incursions simultaneously. Here attackers are going after multiple potential points of vulnerability in a bid to get defenders having to keep multiple plates spinning while the damage is done.
As well as putting in heavy duty hardware to automate detection and response, you can be prepared to escalate your defences in the case of complex attacks by having a dedicated DDoS Security Incident Response Team on call. The team is comprised of experienced, certified security experts who are well-versed in defending networks against attacks. This can give you the edge in a battle situation and keep your business in operation.
Scalability – mitigating volumetric DDoS
I mentioned that DDoS protection is now an accepted cost of doing business, but of course that doesn’t mean that budgets are limitless – far from it! The most cost-effective option is to handle DDoS protection on-premises as this works well for “slow and low” attacks, but when a major volumetric attack is in progress you need a defence that is scalable and will stand up to everything that is thrown at it. This is where the cloud comes into play as part of a hybrid defence. Once attack volumes threaten to overwhelm the capacity of your internet pipe and on-premise DDoS protection, you divert traffic to the cloud where it is scrubbed, allowing only legitimate traffic through. This has economic benefits as the cloud is only used when on-premise systems cannot cope, and you are only charged for the traffic that is protected, not all of the traffic that your attackers are generating.
There’s no doubt that we will continue to experience DDoS attacks for the foreseeable future, but I hope that we’ll see fewer of them succeeding. By preparing, escalating and scaling defences we put ourselves in a stronger position to keep businesses operational no matter what is aimed at them.