Get ready for DDoS attacks: 5 steps to take before attackers find you
The email is simple and to the point: "We are the Fancy Bear, and we have chosen your company as the target of our next DDoS attack."
Within a day, a company server — not protected by defenses against distributed denial-of-service (DDoS) attacks — comes under a 30-minute, intense attack combining a flood of packets with network requests designed to slow application performance to a crawl.
Is your company prepared to face this kind of security challenge?
A real threat
This isn’t a theoretical scenario. Back in November 2019, New Zealand's Computer Emergency Readiness Team (CERT NZ) sent out an alert to the nation's financial sector, warning that attackers were e-mailing ransom demands followed by short attacks against victims' servers. Companies that refused to pay the ransom did not see massive follow-on attacks, according to CERT NZ — but they could have.
Unsurprisingly, we regularly receive requests from our customers for guidance about how their companies should prepare for DDoS attacks. Massive data floods using Layer 3 and 4 attacks or amplification are generally intercepted at the edge of the network by our PoPs. However, Layer 7 attacks targeting applications and issuing requests that can swamp origin systems often seek to blend into other network traffic and require a more focused defense.
Here are five best practices you can implement to help prepare for such attacks:
1. Have a plan, test your plan, update your plan
Companies need to have a plan in place before an attack happens. We recommend:
Knowing which servers and applications could be impacted by an attack,
Estimating damages from the loss of access to those assets,
Knowing who is responsible for managing each asset,
Understanding what an attack against a particular asset might look like, and
Creating a playbook to mitigate an attack.
Your company should not only plan for an attack but should also conduct regular exercises so stakeholders know who is responsible for detecting, responding to, and mitigating an attack.
2. Establish relationships before you need them
The middle of an attack is not the time to be searching for the right contact at your cloud provider, web application firewall (WAF) provider, or DDoS mitigation firm. Establish relationships with the right people at your major services providers and include their information in your playbook.
At Fastly, that means reaching out to your account manager, firstname.lastname@example.org, or posting in your shared Slack channel with us (if applicable).
3. Make sure you are logging what you need
Logs are critical to being able to respond to DDoS attacks without shutting out legitimate customers. For that reason, you should make sure your logs contain the necessary information, like IP addresses and geolocation data, to allow your company or DDoS protection provider the ability to filter out the bad traffic.
Also, make sure your logs are accessible during an attack. Storing your log data in the cloud is reasonable but could pose a problem if a DDoS attack severs access to your cloud assets.
4. Protect your origin
A denial-of-service attack blocks customer and employee access to your online assets. When you mitigate the attack, your business returns. An attack that actually damages the origin of your data, such as breaching and erasing data, will result in significant downtime for your company. Such attacks can — and have — resulted in a company going out of business.
For that reason, companies should always protect their origin, the ground-truth server that holds the information necessary to keep the business running. Fastly, for example, allows customers to shield their origin servers from cache misses that might otherwise overwhelm their origin servers.
5. Prep defenses for instant deployment
If your environment relies on a chain of actions to go from a proposed application change to deployment, your company needs to have a system for pushing out critical changes quickly.
Whether you are modifying access control lists, blocking certain IP addresses, or rate limiting requests to a certain service, those changes need to be agile to make a difference during an attack. Fastly allows customers to issue standard VCL filters and create custom VCL protection rules to limit the impact of complex application attacks.
A distributed denial-of-service attack will eventually impact your company. Your application and security teams should spend some time now to make sure that there are processes in place to quickly remediate any vulnerabilities and mitigate an attack. Attend a live demo and see how Fastly can help.