3 Ways to Defend Against Distributed Denial of Service Attacks (Industry Perspective)

The best defense against a DDoS attack is a strong offense, planned and implemented before you’re in the middle of trying to halt an attack and restore your agency’s services.

by Rodney Caudle, Director of Information Security, NIC / August 5, 2015

Government agencies may be just one disgruntled activist or unpopular legislative decision away from a cyberattack. Among the newer — and growing — methods hackers use to try to influence government are distributed denial of service (DDoS) attacks. These synchronized attacks, launched from multiple sources against a single target, differ from traditional denial of service (DoS) attacks, which originate from a single source. 

DDoS schemes are becoming a favorite of hackers because they have the potential to make an impact — and they have become easy and inexpensive to initiate. The prevalence of home and laptop computers with access to high-speed Internet connections has expanded the possible sources of DDoS attacks. For just a few dollars a month, even a novice can purchase a “DDoS-for-hire” subscription service that enables an attack with a small number of clicks and claims to virtually eliminate the chance of getting caught.

These attacks are not going away, and government agencies are increasingly becoming targets. Compared to other industries, the public sector experienced the greatest increase in DDoS attacks in the fourth quarter of 2014. Attackers will target government agencies for the purpose of stealing data or, at a minimum, damaging an agency’s reputation by shutting down its online services to prevent constituents from accessing what they need.

New DDoS Attack Styles

DDoS attacks first appeared in the late 1990s, but they were rare and largely went unnoticed until early 2000, when an attacker struck Internet portal Yahoo using a set of computers in a university computer lab. The attack took Yahoo offline for three hours.
 
Since then, DDoS attacks have morphed to become increasingly sophisticated. Three types recently have become more popular:
  • Resource consumption. The attacker ties up all of the target server’s available connections by simultaneously requesting numerous bogus connections. When the server responds to each request, the attacker withholds the final information needed to complete each connection. The server waits, the bogus connections stay open and legitimate users are shut out. 
  • Slowloris. Attackers establish valid connections, but rather than sending all the data a normal user would, they send it in bits and pieces. The targeted server, which is keeping track of all of the attacker’s connections, can’t respond to real users.
  • Bandwidth consumption. Attackers consume all the available bandwidth on the networks leading to the server by sending phony network traffic as quickly as possible toward the targeted server, taking down both the server and its surrounding networks.
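As an added illustration that is not part of the original article, the Python script below applies the kind of detection heuristic a defender would run over a snapshot of a server's connection table to recognize the three patterns just described. The line format, the thresholds, the assumed link capacity and the sample addresses (documentation ranges) are all constructed for the example.

```python
"""Added example (not from the article): heuristic detection of the three
DDoS patterns described above, run over a constructed connection-table
snapshot. Line format and thresholds are assumptions for illustration."""
from collections import defaultdict

# Thresholds: illustrative assumptions, to be tuned against the service's normal load.
HALF_OPEN_PER_SOURCE = 20   # half-open (SYN-RECV) connections from one peer
HALF_OPEN_TOTAL = 200       # half-open connections from all peers combined
SLOW_PER_SOURCE = 10        # long-lived, almost-silent connections from one peer
SLOW_TOTAL = 100            # ...from all peers combined (distributed Slowloris)
SLOW_AGE_SECONDS = 30.0     # connection open at least this long
SLOW_MAX_BYTES = 200        # ...while having sent no more than this
LINK_CAPACITY_BPS = 1_000_000_000   # 1 Gbit/s uplink (assumed)
BANDWIDTH_ALARM_RATIO = 0.9         # alarm when inbound rate nears capacity


def parse_snapshot(text):
    """Parse lines of '<state> <peer_ip> <age_seconds> <bytes_received>'."""
    conns = []
    for line in text.strip().splitlines():
        state, peer, age, nbytes = line.split()
        conns.append((state, peer, float(age), int(nbytes)))
    return conns


def classify(conns, inbound_bps):
    """Return which of the three patterns the snapshot shows, and from whom."""
    half_open = defaultdict(int)
    slow = defaultdict(int)
    for state, peer, age, nbytes in conns:
        if state == "SYN-RECV":
            # handshake never completed: the resource-consumption pattern
            half_open[peer] += 1
        elif state == "ESTAB" and age >= SLOW_AGE_SECONDS and nbytes <= SLOW_MAX_BYTES:
            # established long ago but still starving the server of data: Slowloris
            slow[peer] += 1
    return {
        "resource_consumption": {
            "sources": sorted(p for p, n in half_open.items() if n >= HALF_OPEN_PER_SOURCE),
            "aggregate": sum(half_open.values()) >= HALF_OPEN_TOTAL,
        },
        "slowloris": {
            "sources": sorted(p for p, n in slow.items() if n >= SLOW_PER_SOURCE),
            "aggregate": sum(slow.values()) >= SLOW_TOTAL,
        },
        # bandwidth consumption is not visible in the connection table; it needs
        # the interface's inbound rate, supplied separately
        "bandwidth_consumption": inbound_bps >= BANDWIDTH_ALARM_RATIO * LINK_CAPACITY_BPS,
    }


def build_sample_snapshot():
    """Constructed sample: one half-open flooder, one Slowloris client, normal users."""
    lines = []
    lines += ["SYN-RECV 203.0.113.7 2 0"] * 25                     # never-completed handshakes
    lines += ["ESTAB 198.51.100.9 45 64"] * 12                     # old connections, almost no data
    lines += ["ESTAB 192.0.2.%d 3 1800" % i for i in range(1, 9)]  # ordinary requests
    lines += ["SYN-RECV 192.0.2.50 1 0"]                           # one legitimate handshake in progress
    return "\n".join(lines)


if __name__ == "__main__":
    sample = parse_snapshot(build_sample_snapshot())
    print(classify(sample, inbound_bps=120_000_000))
```

The per-source counts catch a single loud client, but the attacks the article describes are distributed, so the aggregate checks matter more: many sources that each stay under the per-source threshold can still exhaust the server's half-open or worker limits. Bandwidth consumption cannot be seen in the connection table at all, which is why the example takes the inbound rate as a separate input and why, once the link itself is saturated, mitigation has to happen upstream of the server.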
Besides changing in methodology, DDoS attack volume has increased. In a typical attack, a site or service experiences loads that far exceed even its highest activity under normal daily use. The rudimentary DDoS attacks that first appeared in the early 2000s averaged about 4 GB per second. Today’s more sophisticated attacks average between 10 GB and 60 GB per second, and one DDoS launched in February peaked at just under 400 GB per second. The average DDoS attack lasts 17 hours, though some have lasted for several days.
 
They also can ramp up at breakneck speed. In as little as one minute, a DDoS strike can go from its starting point to 60 GB per second, making it almost impossible to shut down an attack between the time it begins and the time it reaches peak effectiveness.

Plan in Advance

There is rarely a way to see an attack coming. However, the best defense against a DDoS attack is a strong offense, planned and implemented before you’re in the middle of trying to halt an attack and restore your agency’s services. While that offense may represent a new cost to your agency, it is, in today’s online environment, a cost of doing business on the Internet. Elements of your offense can include:
  1. Distribute your data in multiple locations. This will reduce the potential for an attack to disable your complete suite of services and prevent you from being held hostage by your Internet service provider’s solution — which is likely to be very expensive — if you get hit with an attack. 
  2. Consider using a content delivery network (CDN) as a “front door” to your services. CDNs can mask your network connections from attackers so they’re less likely to target your agency in the first place. These services, while valuable, also can be pricey, so it’s a good idea to evaluate the benefits against the cost before deciding to go this route.
  3. Consider establishing a third-party relationship with an e-government services partner. Such a partner should be able to provide complete solutions that include built-in protections from DDoS attacks. The e-government services partner can distribute the services through different data centers, reducing the exposure to and impact from DDoS attacks, while your agency retains control of the mission objectives that the partner is delivering on your behalf. 
DDoS attacks are expensive problems, but expert partners can help you plan proactively to reduce your upfront risk and develop a mitigation plan so you can respond quickly within moments of impact.
 
Rodney Caudle is director of information security at NIC Inc., the nation’s largest e-government services provider. He has more than 20 years of experience in information security. He can be reached at rodney.caudle@egov.com.