How Can Government Defend Against DDoS Attacks? (Contributed)
A Distributed Denial of Service (DDoS) attack is a cyberattack from multiple, remote locations intended to cripple an organization’s online operations, and it’s one of the top four cybersecurity threats of our time.
Cyber Threats: The Fifth Dimension of WarfareFor decades now, nations have engaged in battles over five domains: Air, sea, land, space and cyberspace. One reality for governments today is that their online presence presents an attack surface that can be included in coordinated attacks from various groups, including state-sponsored actors. Many have referred to attacks on any organization’s online presence as “fifth-dimension warfare.”
One of the major fifth-dimension issues is the Distributed Denial of Service (DDoS) attack. Everyone is at risk, from financial services institutions to governments.
What Is a Distributed Denial of Service Attack?A Distributed Denial of Service (DDoS) attack is where a cyber criminal uses resources from multiple, remote locations to attack your organization’s online operations. The result is that your organization experiences a crippling interruption in one or more of its services. There are several ways to create a DDoS attack, and it constitutes one of the top four cybersecurity threats of our time.
It’s easy to confuse DDoS attacks with three other major threats, including social engineering, supply chain attacks and ransomware. For example, in 2019, the city of New Orleans was held hostage when attackers used ransomware to lock up critical servers and workstations used to provide services throughout the Crescent City. But ransomware attacks generally aren’t considered DDoS attacks.
In a DDoS attack, such as the one targeted at the Minneapolis city government in May 2020, threat actors take advantage of expected, default behavior of network devices and servers to cripple organizations. Last June, Australia experienced a larger, sustained, state-sponsored DDoS attack that left officials scratching their heads.
A DDoS attack is different than standard denial-of-service attacks. A denial-of-service attack doesn’t use multiple, randomized, distributed resources. DDoS cyber attacks are therefore more difficult to mitigate.
Though estimates vary, all authoritative research indicates that the number of DDoS attacks has increased. Cisco Networks predicts these attacks will double between 2018 and 2023. Akamai Services, a key Web and Internet services provider, has noted how they have grown more common, and more powerful.
DDoS Attack MotivesSome cyber criminals are ideologically motivated, attacking governments as part of a protest. Others use DDoS attacks as an extortion technique. Still others use them to disrupt communication in a coordinated effort to decapitate governments by limiting information and eliminating command and control. We need to carefully consider the implications of these motives.
DDoS Attack TypesTypes of DDoS attacks include:
1. Application Layer: Attacks on the actual software that provides a service, such as Apache Server, the most popular Web server.
2. Protocol: When an attack consumes the resources of critical servers and network-based devices, such as a server’s operating system or its firewalls and load balancers.
3. Volumetric: These focus on exploiting the normal operations of the Internet to create tremendous floods of network traffic that then consume the victim organization’s bandwidth. This makes an organization’s resources unavailable.
DDoS Attack Examples: from Robert Morris to Amazon Web ServicesNot all DDoS attacks are volumetric. In the vast majority of cases, a DDoS attack uses just a few dozen packets to crash an entire bank of critical, unpatched servers. The slowloris and slow-read application-layer attacks are examples of low-traffic, high-impact attacks that can crash a Web server. These continually occur.
When engaging in a DDoS attack, threat actors rarely install malware on a victim’s computer. Instead, attackers control remote applications that take advantage of a remote set of network-based resources. For example, in 2016, attackers waged a volumetric attack on Dyn, a network services and security company. Attackers used botnets, which are huge groups of compromised computers. In this case, the botnet was a group of compromised Internet of Things (IoT) devices, such as webcams and baby monitors, that inadvertently helped send floods of traffic. Similarly, Amazon Web Services (AWS) experienced a much larger attack in early 2020.
DDoS Mitigation for the Public SectorDDoS mitigation is possible, but not trivial. It involves a unified strategy and multiple tactics. In my experience, it is sometimes difficult to tell if data center and service outages are caused by DDoS traffic or simply by a spike in legitimate traffic.
The first place to start is with a written incident response plan. An effective plan is the product of cooperation between directors, department managers, policymakers and network security workers.
Second, the organization needs to actually practice its response plan. Practice will help instill the plan as part of your organization’s muscle memory. It will also help iteratively improve the plan. Actual drill-based practice is far more effective than any cocktail of services, software and hardware. It’s also cheaper.
Once you have a policy-based approach, it’s time to adopt the third step: using cloud-based services and additional hardware.
DDoS protection tools include:
• Load balancers: Either hardware or cloud-based tools that help offload traffic.
• Cloud-based scrubbers: These include installed devices and cloud-based services. They use automation to filter harmful traffic, as well as create sinkholes that funnel attack traffic away from critical resources.
Each has its own purpose, and one type is not better than the other. It all comes down to protecting your organization’s critical online resources. It also depends upon how those resources are being attacked. Monitoring and analysis will help discover specific attack methods. Patching and continual monitoring are also essential.
More Information About DDoS AttacksI contributed to CompTIA’s comprehensive DDoS attack guide. It contains detailed information about DDoS attacks and useful solutions. Using this resource, you can begin to create a policy-based strategy that will help you thrive in the fifth dimension of warfare.
As CompTIA's chief technology evangelist, Dr. James Stanger has worked with IT subject matter experts, hiring managers, CIOs and CISOs worldwide. He has a rich 25-year history in the IT space, working in roles such as security consultant, network engineer, Linux administrator, Web and database developer and certification program designer.
He has consulted with organizations including Northrop Grumman, the U.S. Department of Defense, the University of Cambridge and Amazon AWS. James is a regular contributor to technical journals, including Admin Magazine, RSA and Linux Magazine. He lives and plays near the Puget Sound in Washington in the United States.