Are You Prepared for Your Next DDoS Attack?
A recent report from Cisco showed 51% of businesses in the U.S. suffered from a Distributed Denial of Service (DDoS) attack in 2015. Even more startling, 90% of businesses reported some level of cyber attack during the same period. These are astonishing numbers, and as a technology manager or executive, you need to be informed and prepared. After all, if you’re prepared, you’re better able to control the outcome.
While QMITech has been providing industry standard solutions for DDoS detection and mitigation, there are plenty of things you can do on your own to boost your readiness. With some planning, practice and collaboration, you can be prepared. Let’s take a moment and go through some ideas.
A high degree of visibility on your network is essential for solid preparation. Conventional SNMP graphing platforms can provide critical insight into volumetric attacks. You’ll be able to watch attacks in real time as they happen: where an attack entered your network, whether it is saturating specific links, and where it’s headed. The amazing part of visibility is how straightforward and easy it is to configure. All you need is a managed network (routers, switches, etc.) and an SNMP platform to audit them.
For graphing/querying, there are a lot of options currently available, including SaaS, traditional licensed software, and open-source. The most popular of the lot is Observium, which is free and does a fantastic job. Other options include Cacti, LibreNMS, and MRTG.
While SNMP is a great tool, it won’t catch everything. The inherent problem with SNMP is that the platforms can only poll devices at selected intervals. Why is this a problem? The recently published Global Network & Application Security Report found that 57% of attacks last less than an hour. Some of those attacks last only minutes. So when your SNMP platform polls at 5-minute intervals, and you are on the receiving side of a 2-minute volumetric burst attack, SNMP will fail to detect the attack. You can shorten the polling cycle, but overloading your devices with queries can cause other network issues. So what’s the solution?
If your network supports flow technology (NetFlow, sFlow, IPFIX, etc.), then it’s relatively straightforward to ship your data to a flow collector to give you deeper insight into your traffic. Flow traffic is decidedly different from SNMP reporting – instead of being polled in cycles, the devices themselves export flow data at preconfigured sample rates.
If you set your sample rate to 1 in 8,192 packets, you’re going to catch those nasty burst attacks that your SNMP layer missed. Even better, flow data includes source and destination IPs – the evidence chain.
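To make the polling-versus-sampling point concrete, here is an added simulation (example code written for this article, not a QMITech tool or any vendor's product) that runs a constructed 2-minute, 9 Gbps burst through a 5-minute SNMP counter delta and through 1-in-8,192 packet sampling. The 10G link, 1000-byte packet size, 80% alarm threshold and the two documentation-range IP addresses are assumptions, not values from the article.

```python
from collections import defaultdict

# Assumed for this constructed scenario: 10G link, 1000-byte packets, alarm at 80% of link.
LINK_BPS = 10_000_000_000
PKT_BYTES = 1000
ALARM_BPS = int(LINK_BPS * 0.8)
SAMPLE_RATE = 8192    # 1-in-8,192 packet sampling, the rate quoted in the article
SNMP_POLL_SECS = 300  # 5-minute SNMP polling cycle, as in the article

def make_traffic(total_secs=600, burst_start=60, burst_secs=120, burst_bps=9_000_000_000):
    """Constructed load per second: 1 Gbps baseline plus a 2-minute burst at one host."""
    secs = []
    for t in range(total_secs):
        flows = [("198.51.100.5", 1_000_000_000)]      # constructed legitimate traffic
        if burst_start <= t < burst_start + burst_secs:
            flows.append(("203.0.113.10", burst_bps))   # constructed attack target
        secs.append(flows)
    return secs

def snmp_view(traffic, poll_secs=SNMP_POLL_SECS):
    """Average bps per poll interval: what an SNMP octet-counter delta shows."""
    per_sec = [sum(bps for _, bps in flows) for flows in traffic]
    return [sum(per_sec[i:i + poll_secs]) / poll_secs
            for i in range(0, len(per_sec), poll_secs)]

def flow_view(traffic, sample_rate=SAMPLE_RATE):
    """Per-second bps estimate per destination, scaled up from sampled packets."""
    est = defaultdict(dict)
    for t, flows in enumerate(traffic):
        for dst, bps in flows:
            pkts = bps // (PKT_BYTES * 8)
            samples = pkts // sample_rate       # packets the exporter actually sampled
            est[t][dst] = samples * sample_rate * PKT_BYTES * 8  # collector scales back up
    return est

def snmp_alarms(per_interval_bps, threshold=ALARM_BPS):
    """Poll intervals whose average load exceeds the alarm threshold."""
    return [i for i, bps in enumerate(per_interval_bps) if bps > threshold]

def flow_alarms(est, threshold=ALARM_BPS):
    """Seconds over threshold, each paired with the busiest destination (the evidence)."""
    hits = []
    for t in sorted(est):
        total = sum(est[t].values())
        if total > threshold:
            hits.append((t, max(est[t], key=est[t].get)))
    return hits
```

The SNMP delta averages the burst down to 4.6 Gbps across the interval and never crosses the 8 Gbps alarm line, while the sampled flow records flag all 120 burst seconds and name the destination under attack.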
There are several comprehensive tools for capturing flow data on your network. Kentik provides an excellent SaaS solution, and NFDUMP/NFSen is an open source option.
Your network capacity is another thing you can control. Do you have enough capacity, for example, to effectively absorb a volumetric attack? If you are an experienced network manager, you know capacity is tricky to predict solely on user and application demand, much less factoring in network attacks. Do you buy another 10G link just to keep up? There is a point where investing in capacity simply doesn’t fit into larger business priorities and/or budgets.
The most critical question to ask yourself, of course, is how you will handle an attack once it is detected. If you have properly planned for an attack, your response is probably documented…and likely out of date with the attack’s technologies/capabilities. Using the methods above to fingerprint an attack, you can certainly attempt to block it with policy. This, unfortunately, requires an experienced human to devise an accurate assessment of the attack and implement an effective, flexible response. But what if the attack changes in shape after it encounters your block?
We routinely install, configure, and manage devices and protocols that provide best-in-breed attack detection and mitigation. We would be happy to discuss our solutions with you.
Properly preparing your organization for DDoS attacks boils down to identifying the risk points in your network, evaluating the best possible tools you can implement to defend your network, and having a vetted plan for how you will engage an attack once it is in play on your system. QMTechnologies has a depth of experience with network security and can provide options that will work for your organization 24x7x365.