A DDoS Learning Curve for Universities, Government & Enterprises

Distributed Denial of Service attacks are easy, cheap and too often, effective. But they’re not unstoppable.

Jason Sachowski, Director, Security Forensics & Civil Investigations, Scotiabank Group

January 12, 2016

3 Min Read
Dark Reading logo in a gray background | Dark Reading

There’s no getting around it -- DDoS attacks are growing in frequency, size, severity, sophistication, and even persistence each year. These tenacious, effective attacks can last anywhere from hours to months. They can be launched from botnets, use multiple protocols, and even disguise themselves with SSL encryption. Protecting yourself against DDoS isn’t a matter of stopping one attack but a multitude, sometimes all at once.

Even worse, IT departments may not realize an attack is underway, thinking a failing server or application is responsible.

Rutgers University, for example, recently fell prey to its sixth known DDoS attack in a single year -- and Rutgers is not an outlier. Thousands of DDoS attacks hit universities, enterprises, government organizations, and banks every day—some successful, some not. One thing is for sure: no one is safe, and attacks will continue because DDoS attacks are easy, cheap and, too often, effective. But they’re not unstoppable.

Universities and other organizations can take steps to prepare for and minimize the effect of even the most sophisticated assaults:

Step 1. Have a good monitoring system in place

Security teams have many ways to get insight into their network, including flow sampling, in-path detection and mirrored data packets. Here’s a brief breakdown of the pluses and minuses:

  • Flow sampling: The router samples packets and exports datagrams on them. While scalable, this method leaves out large quantities of information because it only samples one packet out of thousands. This allows some “slow and low” attacks to fly under the detection radar, or take a long time to trigger an alert.

  • In-path detection: A high-performance DDoS mitigation device continuously processes all incoming traffic and possibly outgoing traffic. The device can take immediate action with sub-second mitigation times. One concern is ensuring the mitigation solution can scale with the uplink capacity during multi-vector attacks.

  • Mirrored data packets: Full detail for analysis is provided, while not necessarily in the path of traffic. This method can be a challenge to set up, but allows for fast detection of anomalies in traffic and is a centralized place for analysis and mitigation.

Step 2. Keep an eye on performance metrics and scalability

When it comes to DDoS, everything happens on a large scale: the number of attacking computers, the bandwidth they consume and the connections they generate. To fight back, organizations need a combination of high-performance, purpose-built hardware that can mitigate common, yet large-scale attacks effectively, and intelligent software that can inspect traffic at the highest packet rates. For instance, an effective combination might include leveraging dedicated network traffic processors (e.g. FPGAs) to handle the common network-layer attack in combination with powerful, multi-core CPUs to mitigate more complex application-layer attacks. What’s key here is to ensure there is enough processing headroom to prepare networks for future generations of DDoS attacks.

Step 3. Invest in a security awareness program

Mitigation of next-generation DDoS attacks starts with training -- especially to recognize normal network behavior and spot anomalies. For instance, companies that have started their migration to IPv6 must have security specialists in place that know IPv6 well enough to recognize attacks when they happen, and then to know how to use available tools to properly fight them off. Proper training allows organizations to be proactive versus reactive. Security policies take time to devise, so universities and other organizations shouldn’t wait for the IT support staff to raise a red flag before they decide to take action.

For more on this topic read IPv6 and the Growing DDoS Danger

About the Author

Jason Sachowski

Director, Security Forensics & Civil Investigations, Scotiabank Group

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, software development, security architecture, project controller, vendor procurement, and budget management. He holds credentials in CISSP-ISSAP, CSSLP, CCFP, SSCP, EnCE.

When not on the job, Jason volunteers his time as a contributing author for an executive writers bureau, as a subject matter expert for professional exam development, and as a speker for CyberBullying and CyberSecurity awareness.

Jason is the author of the book titled "Implementing Digital Forensic Readiness: From Reactive To Proactive Process" available now at the Elsevier Store and other online retailers.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights