The Distributed Denial of Service (DDoS) attack against Spamhaus, an anti-spam group, has been dubbed the largest DDoS attack to date. According to The New York Times, the impact of the attack extends beyond Spamhaus, affecting other sites and services that rely on the same infrastructure (like Netflix).
But did you know about the DDoS attack on Wells Fargo? Key Bank? TD Bank? PNC? JPMC? Capital One? SendGrid? Free Malaysia Radio? Krebs on Security? All of these sites have recently been victims of DDoS attacks, a list that unfortunately continues to grow.
Simply put, a Denial of Service (DoS) attack overwhelms a system or application by sending it more traffic or requests than it can process (or by triggering a flaw that makes it crash or hang). A Distributed Denial of Service (DDoS) attack accomplishes the same result; the key difference is that it is launched simultaneously from many sources, typically a botnet of compromised machines under the attacker's control, which makes it far harder to filter by source address.
Although the most widely publicized DDoS attacks are launched by Internet activists/hacktivists, these types of attacks are also launched by criminal organizations in an effort to extort money from business owners, as well as by unscrupulous business owners trying to gain the upper hand on their competition. Don’t take my word for it, though. Ask your local FBI field office.
If you’re concerned that your organization may be targeted with a DDoS attack, there are steps you can take to harden your web application infrastructure against these types of attacks. An ounce of prevention now could mean the difference between your site being offline for a few minutes and your site being offline for a few days.
Take a look at this list of recommended controls designed to help you prepare for and mitigate both DoS and DDoS attacks. Where are the gaps in your infrastructure?
- Network Architecture
  - Do you have redundant network devices installed?
  - Do you have an Intrusion Prevention System (IPS) installed and tuned?
  - Do you have a Security Information and Event Management (SIEM) system installed and tuned?
  - Do you have any anti-DDoS hardware installed in your network infrastructure?
  - Are you running IPv6 on any Internet-facing devices without a corresponding business justification?
- Network Router
  - Have you enabled unicast Reverse Path Forwarding (uRPF) checks on your router?
  - Does your router filter all RFC-1918 private address space as a source?
  - Have you configured the router to drop packets with forged source addresses, per RFC-2827 (BCP 38) ingress filtering?
  - Does your router enforce rate limiting for ICMP and TCP SYN packets?
- Network Firewall
  - Does your firewall deny all private, reserved (bogon), and otherwise unroutable source IPs?
- Internet-Facing Hosts
  - Have all Internet-facing hosts undergone a system hardening process, removing insecure configurations and unnecessary services?
  - Are all Internet-facing hosts fully patched?
  - Are all Internet-facing hosts free from known denial of service (DoS) vulnerabilities?
- Web Servers
  - Apache on Linux
- Web Application
  - Are third-party services enabled to proactively mitigate DDoS attacks?
  - Is a web application firewall (WAF) installed and enabled?
  - Is the application load balanced across multiple servers?
  - Are the web and application servers virtualized?
  - Has an application performance baseline been tested and documented, including traffic thresholds and expected source IPs?
  - Are web application vulnerability scan results free from known DoS vulnerabilities?
  - Has CAPTCHA been implemented on all submittable forms?
- Security Incident Response
  - Have you provided your staff with training on security log analysis and/or security incident response?
  - Have you documented a DoS/DDoS attack security incident response procedure?
  - Does the procedure include ISP contact information?
  - Does the procedure include instructions on how to null route attacking source addresses?
  - Does the procedure include instructions on when and how to enable temporary third-party DoS/DDoS mitigating controls?
  - Have you implemented firewall deny rules for source IP ranges from geographic regions your application has no business serving?
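As an added example that is not part of the original post, the following Python script works through several of the router, firewall and incident response items above on constructed flow records: it drops sources in RFC-1918 and bogon space, drops packets arriving from the Internet that claim the site's own prefix (the RFC-2827 check), counts TCP SYNs per source against a documented baseline threshold, and renders null-route commands for any source that exceeds it. The site prefix 203.0.113.0/24, the abbreviated bogon list, the threshold of 50 SYNs per 10-second window and the flow lines themselves are all assumptions made up for this example.

```python
import ipaddress
from collections import Counter, defaultdict

# Source prefixes that must never appear on an Internet-facing interface:
# RFC-1918 private space plus a short list of reserved/bogon blocks.
# Abbreviated for this example; production filters should use a maintained bogon feed.
PRIVATE_AND_BOGON = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical address block owned by the site. Per RFC-2827 (BCP 38), a packet
# arriving from the Internet with a source inside this block is forged.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Constructed baseline: more SYNs than this from one source in one window is abnormal.
SYN_THRESHOLD = 50
WINDOW_SECONDS = 10


def classify_source(src):
    """Return 'ok', 'private_or_bogon' or 'spoofed_own_prefix' for a source address."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in PRIVATE_AND_BOGON):
        return "private_or_bogon"
    if ip in OUR_PREFIX:
        return "spoofed_own_prefix"
    return "ok"


def parse_flow_line(line):
    """Parse a constructed 'ts src dst proto flags' record into a dict."""
    ts, src, dst, proto, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto, "flags": flags}


def analyze_flows(lines):
    """Apply ingress source filtering, then per-source SYN thresholds.

    Returns (dropped, candidates): dropped is a Counter of drop reason -> count,
    candidates is the sorted list of sources that exceeded SYN_THRESHOLD in any
    WINDOW_SECONDS window and are therefore null-route candidates.
    """
    dropped = Counter()
    syn_windows = defaultdict(Counter)  # src -> {window index: SYN count}
    for line in lines:
        rec = parse_flow_line(line)
        verdict = classify_source(rec["src"])
        if verdict != "ok":
            dropped[verdict] += 1
            continue
        if rec["proto"] == "tcp" and rec["flags"] == "S":
            syn_windows[rec["src"]][rec["ts"] // WINDOW_SECONDS] += 1
    candidates = sorted(
        src for src, windows in syn_windows.items()
        if max(windows.values()) > SYN_THRESHOLD
    )
    return dropped, candidates


def null_route_commands(sources):
    """Render Linux iproute2 blackhole routes for the given source addresses."""
    return [f"ip route add blackhole {src}/32" for src in sources]


# Constructed sample traffic: a normal client, a spoofed RFC-1918 source, a packet
# forged with our own prefix, a multicast source, and one host sending a SYN flood.
SAMPLE_FLOWS = [
    "1700000000 198.51.100.7 203.0.113.10 tcp S",
    "1700000001 198.51.100.7 203.0.113.10 tcp A",
    "1700000002 10.1.2.3 203.0.113.10 tcp S",
    "1700000003 203.0.113.99 203.0.113.10 udp -",
    "1700000004 224.0.0.5 203.0.113.10 udp -",
] + [f"170000000{i % 10} 198.51.100.250 203.0.113.10 tcp S" for i in range(120)]


if __name__ == "__main__":
    dropped, candidates = analyze_flows(SAMPLE_FLOWS)
    for reason, count in sorted(dropped.items()):
        print(f"dropped {count} packet(s): {reason}")
    for cmd in null_route_commands(candidates):
        print(cmd)
```

On a real edge these checks belong in the router and firewall (uRPF, ingress ACLs, SYN rate limits), not in a script; the value of running the same logic over exported flow or firewall logs is that it lets you validate the baseline thresholds in your response procedure before an attack, and gives the on-call engineer a ready list of sources to null route when one starts. A blackhole route for a single /32 is the cheapest control to apply, but it does nothing for a spoofed flood, which is why the source-address filtering runs first.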