Creating A DDoS Response Playbook

A new report details challenges posed by DDoS attacks that you might not have considered.

Brian Prince, Contributing Writer, Dark Reading

September 23, 2014

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Short, powerful bursts -- those are the words that can best describe the way distributed denial-of-service (DDoS) attacks are hitting enterprises.

In its 2014 Mid-Year Threat Report released today, NSFOCUS found not only a marked increase in attacks targeting Internet Service Providers (ISPs), enterprises and online gaming sites, but also a continuation of the trend of shorter DDoS attacks.

"According to NSFOCUS monitoring and analysis of the latest DDoS trend, the majority of DDoS attacks continue to be short in duration with repeated frequency," says Yonggang Han, chief operating officer of global business at NSFOCUS. "This ongoing trend indicates that latency-sensitive websites, ISPs, e-commerce, online gaming, and hosting service providers should become well prepared to implement proactive security solutions that support instant response. Rapid response after the detection of an attack is key to enabling defense and mitigation."

But even if an organization has a well-crafted response plan, there could very well be a number of surprises for organizations dealing with an attack.

"DDoS attacks impact all users of the company's services, including non-technical departments," says Lisa Beegle, manager of customer security CSM at Akamai. "Communication is key. The majority of stakeholders don't understand the complexity behind DDoS mitigation or the broad range of impact that a DDoS attack can have on their organization."

According to Dan Holden, director of Arbor's Security Engineering & Response Team (ASERT), organizations should make sure that DDoS response doesn't take away from other incident response. "It should be assumed that DDoS could be a part of a larger or more focused attack."

It is also risky to assume that DDoS is only a networking or pure traffic flood-type of attack, he says. Application attacks are potentially far more dangerous and are a sign of a more focused attacker and a serious campaign.

According to the NSFOCUS report, the top three DDoS attack methods during the first six months of the year were HTTP flood, TCP flood, and DNS flood. Together, they comprised 84.6% of all attacks. DNS flood attacks remained the most popular attack technique, accounting for 42% of all attacks. TCP flood attacks grew substantially, however, while the number of DNS and HTTP flood attacks decreased.

More than 90% of the attacks detected by NSFOCUS lasted less than 30 minutes. DDoS traffic volume increased overall during the period, with a third of attacks peaking at 500 Mbit/s and more than 5% reaching volumes of four Gbit/s. In addition, the report found that more than 50% of DDoS attacks were above 0.2 million packets per second (Mpps), and better than 2% of DDoS attacks were launched at a rate of more than 3.2 Mpps.

While shorter attacks are the norm, there are longer attacks, as well. The single longest attack lasted nine days and 11 hours, while the single largest attack in terms of packet-per-second hit at a volume of 23 million pps. Almost 43% of victims were attacked more than once, and one in every 40 victims was hit more than 10 times.

"Insufficient network and security architecture to ensure availability is [a] priority," says Holden. "Many times, perceived security solutions can only add to the possibility of availability failure. We also see victims of DDOS attacks struggle with understanding when to use on-premise vs. cloud-based mitigation services. This is going to be unique to each network. It requires an understanding of what is normal traffic, how much abnormal traffic can be tolerated, and how much time internal security personnel can spend working on an incident."

The keys to defending against any DDoS attack are the speed with which enterprises can identify and detect the attack and how fast they can begin mitigation of the attack, Han says.

"That is to say, it's always better to have a DDoS attack mitigation and incident response plan," he says. "Pre-planning and testing are critical to map out and refine processes and responsibilities. The quicker the attack can be identified and defenses can come to bear, the better off enterprises are in a DDoS attack -- accurate and fast detection is the first layer of defense."

Beegle advised organizations to identify who will communicate information back to the lines of business during a DDoS attack, so that IT does not get deluged with calls from line-of-business users and others asking what is occurring.

"As you create your playbook, don't forget to identify who the application owners are within each line of business," she says. "Then, build an internal talk track so they can ask the right questions during mitigation. Talk to them to get an understanding of the types of questions and issues they would potentially have during a DDoS event."

About the Author

Brian Prince

Contributing Writer, Dark Reading

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a news reporter for the Asbury Park Press, and reported on everything from environmental issues to politics. He has a B.A. in journalism from American University.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights