
Federal Agencies Issue New Warning About DDoS Attacks

As this specific type of cyber attack continues to spike, the federal government is calling for increased alert and defenses from state, local, tribal and territorial governments.

Website defacing can shut down businesses that have moved online during the coronavirus pandemic.
Shutterstock/Doucefleur
Distributed denial of service (DDoS) attacks have disrupted state websites, digital court services and more this year. Now, federal agencies are calling all levels of government to heed the threat and follow steps to detect and mitigate these attacks.

These attacks disrupt a victim’s systems and make them unavailable to intended users, according to joint guidance from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The guidance also describes a related, less severe variant: the denial of service (DoS) attack. A DoS attack uses a few computers to launch a disruption effort, while a DDoS attack uses an entire botnet to overwhelm systems.

DDoS perpetrators often use one or more of three common approaches. In the first, perpetrators hit targets with a high volume of traffic, consuming all available bandwidth and preventing legitimate users from being served. The second is a protocol-based attack, in which attackers exploit weak network or service protocol implementations to cause a malfunction or poor performance. Finally, some attackers target vulnerabilities in a particular application or service, either to provoke a malfunction or to use up processing power.

Attackers also may use IP spoofing or other strategies to disguise the attack’s origin.

To prepare, organizations need to be able to detect when an attack is happening. That means analyzing network traffic and adopting intrusion detection systems to pick up on suspicious activity. For example, there might be a spike in requests from the same few IP addresses or a particular website may face a sudden rise in traffic.

Organizations may also suspect a DDoS attack if they find websites or services suddenly slowing or unavailable, or if their applications or servers crash for no obvious reason. A sudden, sustained rise in bandwidth, memory or CPU use is another sign, as is trouble accessing DNS servers, firewalls or other parts of critical network infrastructure.
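The two detection signals named above, a burst of requests from the same few addresses and a sudden rise in overall traffic, can be checked against a web server's access log. The script below is an added illustration and not part of the guidance; the log lines, the 60-second window, the baseline of 10 requests per window and the per-address limit of 30 are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: <ip> - - [<timestamp>] "<request>" <status> <bytes>
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def bucket_requests(lines, window_s=60):
    """Count requests per fixed time window and per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, ts = parsed
        buckets[int(ts.timestamp()) // window_s][ip] += 1
    return buckets


def flag_windows(buckets, baseline_per_window, per_ip_limit, spike_factor=5):
    """Alert on windows whose volume is spike_factor x baseline or that hold noisy IPs.
    Per-IP counts are one signal only: spoofed sources will not show up this way."""
    alerts = []
    for window, counts in sorted(buckets.items()):
        total = sum(counts.values())
        noisy = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        if total >= spike_factor * baseline_per_window or noisy:
            alerts.append({"window": window, "total": total, "noisy_ips": noisy})
    return alerts


def make_sample_log():
    """Constructed sample, not real traffic: quiet minute 0, then a two-source flood in minute 1."""
    tmpl = '{ip} - - [10/Nov/2022:10:{m:02d}:{s:02d} +0000] "GET /docket HTTP/1.1" 200 512'
    lines = [tmpl.format(ip=f"198.51.100.{s // 12 + 1}", m=0, s=s) for s in range(0, 60, 12)]
    for s in range(60):  # two hosts each sending one request per second
        lines += [tmpl.format(ip=ip, m=1, s=s) for ip in ("203.0.113.9", "203.0.113.10")]
    return lines


if __name__ == "__main__":
    for alert in flag_windows(bucket_requests(make_sample_log()), 10, 30):
        print(alert)
```

The same per-window counting can be pointed at a real log file by replacing `make_sample_log()` with the file's lines; the thresholds should come from the organization's own observed baseline.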

Several measures can reduce the likelihood of being hit. For one, organizations can assess their vulnerability to potential DDoS attacks and the amount of disruption such an attack could cause, so they can understand risks and prioritize response steps. Plus, regularly patching and updating software, network devices and operating systems, as well as following secure coding practices, can all reduce potentially exploitable vulnerabilities. Organizations also should train employees to recognize DDoS attacks.

Tools like Captchas can block automated bots from interacting with websites, and certain firewall configurations can block traffic from IP addresses known to be malicious.

Organizations also must be ready if they see something amiss and should develop response plans. Planning ahead to establish extra bandwidth capacity or to adopt services that can spread traffic among servers can help prevent systems from being overwhelmed when attackers trigger a surge. Failover mechanisms that send traffic to redundant network infrastructure can mean that even if a system does get overwhelmed, services remain online.

Entities suffering DDoS attacks should reach out to Internet service providers (ISPs), who may be able to help by redirecting traffic. Providers can also enact port and packet size filtering or block IP addresses determined to be malicious, although one caveat is that many DDoS attacks are launched from legitimate public servers.

And creating critical data backups, along with practicing recovering from them, can help organizations bounce back, the guidance said. Entities should also use attacks as an opportunity to learn. Analyzing the incident after the fact can help inform an organization on how to update security postures and incident response plans for stronger future performance. Any details collected about the attacks — such as logs, identified malicious IP addresses and timestamps — can be shared with law enforcement to help them pursue perpetrators.

The joint guidance authors urged entities to report to them about DDoS attacks, reaching CISA at report@cisa.gov or 888-282-0870, the MS-ISAC (for any government except federal) at SOC@cisecurity.org or 866-787-4722, or the FBI at a local field office.