Get ready for DDoS attacks: 5 steps to take before attackers find you

The email is simple and to the point: "We are the Fancy Bear, and we have chosen your company as the target of our next DDoS attack."

Within a day, a company server — not protected by defenses against distributed denial-of-service (DDoS) attacks — comes under a 30-minute, intense attack combining a flood of packets with network requests designed to slow application performance to a crawl.

Is your company prepared to face this kind of security challenge?

A real threat

This isn’t a theoretical scenario. Back in November 2019, New Zealand's Computer Emergency Readiness Team (CERT NZ) sent out an alert to the nation's financial sector, warning that attackers were e-mailing ransom demands followed by short attacks against victims' servers. Companies that refused to pay the ransom did not see massive follow-on attacks, according to CERT NZ — but they could have.

Unsurprisingly, we regularly receive requests from our customers for guidance about how their companies should prepare for DDoS attacks. Massive data floods using Layer 3 and 4 attacks or amplification are generally intercepted at the edge of the network by our PoPs. However, Layer 7 attacks targeting applications and issuing requests that can swamp origin systems often seek to blend into other network traffic and require a more focused defense.

Here are five best practices you can implement to help prepare for such attacks: 

1. Have a plan, test your plan, update your plan

Companies need to have a plan in place before an attack happens. We recommend:

  • Knowing which servers and applications could be impacted by an attack,

  • Estimating damages from the loss of access to those assets,

  • Knowing who is responsible for managing each asset,

  • Understanding what an attack against a particular asset might look like, and

  • Creating a playbook to mitigate an attack.

Your company should not only plan for an attack but should also conduct regular exercises so stakeholders know who is responsible for detecting, responding to, and mitigating an attack.

2. Establish relationships before you need them

The middle of an attack is not the time to be searching for the right contact at your cloud provider, web application firewall (WAF) provider, or DDoS mitigation firm. Establish relationships with the right people at your major services providers and include their information in your playbook.

At Fastly, that means reaching out to your account manager, support@fastly.com, or posting in your shared Slack channel with us (if applicable).

3. Make sure you are logging what you need

Logs are critical to being able to respond to DDoS attacks without shutting out legitimate customers. For that reason, make sure your logs contain the information needed, such as client IP addresses and geolocation data, to give your company or your DDoS protection provider the ability to filter out the bad traffic.

Also, make sure your logs are accessible during an attack. Storing your log data in the cloud is reasonable but could pose a problem if a DDoS attack severs access to your cloud assets.

4. Protect your origin

A denial-of-service attack blocks customer and employee access to your online assets. When you mitigate the attack, your business returns. An attack that actually damages the origin of your data, such as breaching and erasing data, will result in significant downtime for your company. Such attacks can put — and have put — a company out of business.

For that reason, companies should always protect their origin, the ground-truth server that holds the information necessary to keep the business running. Fastly, for example, allows customers to shield their origin from the cache misses that might otherwise overwhelm it.

5. Prep defenses for instant deployment

If your environment relies on a chain of actions to go from a proposed application change to deployment, your company needs to have a system for pushing out critical changes quickly.

Whether you are modifying access control lists, blocking certain IP addresses, or rate limiting requests to a certain service, those changes need to be agile to make a difference during an attack. Fastly allows customers to issue standard VCL filters and create custom VCL protection rules to limit the impact of complex application attacks.
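Steps 3 and 5 go together: the logs you keep are what let you decide which clients to block or rate limit. The following is an added example (not Fastly's code and not a VCL rule): it assumes a constructed, space-separated log format of `unix_timestamp client_ip country method path status`, finds clients whose peak request rate over a sliding window exceeds a threshold, and emits ACL-style entries that a playbook could hand to the edge.

```python
"""Added example: identify Layer 7 flood sources from request logs.

Assumed (constructed) log format, one request per line:
    <unix_ts> <client_ip> <country> <method> <path> <status>
"""
from collections import defaultdict

# Constructed sample log: one client sending 5 req/s for 12 s, plus three
# clients from a real-looking documentation range sending 1 req/s each.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i // 5} 198.51.100.7 ZZ GET /search?q={i} 200"
     for i in range(60)]
    + [f"{1700000000 + i} 203.0.113.{10 + i % 3} NL GET / 200"
       for i in range(12)]
)


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed lines."""
    ts, ip, country, method, path, status = line.split()
    return {"ts": int(ts), "ip": ip, "country": country,
            "method": method, "path": path, "status": int(status)}


def peak_rate(timestamps, window=10):
    """Largest number of requests falling inside any `window`-second span."""
    timestamps = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(timestamps):
        while t - timestamps[lo] >= window:   # slide the window's left edge
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_flood_sources(log_text, window=10, limit=40):
    """Return {ip: (peak_requests_per_window, country)} for clients over `limit`."""
    by_ip, country = defaultdict(list), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        by_ip[rec["ip"]].append(rec["ts"])
        country[rec["ip"]] = rec["country"]
    rates = {ip: peak_rate(ts, window) for ip, ts in by_ip.items()}
    return {ip: (r, country[ip]) for ip, r in rates.items() if r > limit}


def build_blocklist(offenders):
    """ACL-style /32 entries for the offending clients (not applied here)."""
    return sorted(f"{ip}/32" for ip in offenders)


if __name__ == "__main__":
    hits = find_flood_sources(SAMPLE_LOG)
    print(hits, build_blocklist(hits))
```

The threshold and window are deliberately parameters: tune them from your own baseline traffic before an attack, as part of the playbook, not during one.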

A distributed denial-of-service attack will eventually impact your company. Your application and security teams should spend some time now to make sure that there are processes in place to quickly remediate any vulnerabilities and mitigate an attack. Attend a live demo and see how Fastly can help.

Gino Lang
Senior Director, Mission Control

Gino Lang leads Fastly's Mission Control team, our unique version of combined NOC and SOC functionality, specifically tailored around customer activity and events. He was formerly Director of Service Delivery at EdgeCast Networks and Verizon Digital Media Services, bringing 10 years of CDN-specific experience to his 20+ years at technology companies in various roles. When he's not playing with the internet, he enjoys wrenching on classic cars and rocking tailored suits.
