Staying clear of attacks in the Enterprise
Starting out as simple denial of service assaults launched from a single computer, DDoS attacks have evolved, with the proliferation of botnets, into one of the biggest threats on the security landscape. Verizon in its 2012 Data Breach Investigations Report called these attacks “more frightening than other threats, whether real or imagined.”
Research firm Stratecast in a recent study also found that DDoS attacks are increasing by 20% – 45% annually, with application-based DDoS attacks in particular growing by triple digits. Stratecast added that attacking via DDoS is one of the most prominent tools used by the hacker community, oftentimes as part of a multi-technique attack strategy.
Most recently, researchers have found that DDoS attacks are growing not just in terms of frequency, but in terms of bandwidth and duration as well. A decade ago, for instance, 50 Gbps attacks were seen a couple of times a year. Now, such attacks can happen nearly every week.
Moreover, attacks are getting smarter because they are now more controlled. Rather than launching a scripted flood of data, attackers start an operation and then adapt the type of attack or the target depending on the result.
DDoS attacks will continue to proliferate. As more enterprises allow mobile devices onto their network, Fortinet’s own threat research group FortiGuard Labs has also found that mobile botnets like Zitmo have many of the same features and functionality of traditional PC botnets. FortiGuard Labs is actually predicting that in 2013, new forms of denial of service attacks that leverage both PC and mobile devices simultaneously will surface.
And they come at tremendous cost. In addition to lost revenue due to downtime, firms have to endure costs related to IT analysis and recovery, loss of worker output, financial penalties from broken service level agreements, and reputation damage to the brand.
The evolution of DDoS attacks highlights the urgency with which enterprises must adopt a security strategy to defend themselves. There are proactive steps organizations can take to bolster defenses and reduce the risk of attack. Instead of aiming for the complete removal of all DDoS traffic, a DDoS strategy should attempt to maintain services, especially critical services, with minimum disruption. To that end, businesses can start by assessing the network environment and devising a response plan. Among other things, the plan should include backup and recovery efforts, additional surveillance, and ways to restore service as quickly and efficiently as possible.
For proactive protection, the three key steps to follow are the implementation of a multi-layer defence strategy, protection of DNS servers and other critical infrastructure, and maintenance of visibility and control of the IT infrastructure.
Multi-Layer Defence
A multi-layer strategy is crucial in DDoS protection, and it involves dedicated on-premise solutions designed to defend against and mitigate threats from all angles of the network. These tools should provide anti-spoofing, host authentication techniques, packet-level and application-specific thresholds, state and protocol verification, baseline enforcement, idle discovery, blacklists/whitelists and geolocation-based access control lists.
When considering dedicated DDoS solutions, organizations need to make sure those will allow them not only to detect application-layer DDoS attacks and efficiently block common, generic or custom DDoS attack techniques and patterns, but also to “learn” to recognize both acceptable and anomalous traffic behavior patterns based on traffic flow. This traffic profiling is key, as it helps detect and restrict threats faster while reducing false positives.
For greater operational efficiency, firms should also look at DDoS solutions that offer advanced virtualization and geolocation features.
With virtualization, policy administrators can establish and oversee multiple independent policy domains within a single appliance, preventing attacks delivered in one network segment from impacting other network segments. This mechanism is also effective in defence escalation: rather than relying on a single set of policies, IT administrators can define multiple sets in advance, which creates the ability to apply a more stringent set of policies if the previous ones are inadequate.
Geolocation technologies, on the other hand, let firms block malicious traffic coming from unknown or suspicious foreign sources. This reduces load and energy consumption on the back-end servers by eliminating traffic from regions outside the organization’s geographic footprint and market.
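As an added illustration of the baseline enforcement, per-source thresholds and whitelist behaviour described in this section (example code written for this page, not code from Fortinet or any vendor product), the script below learns a request-rate baseline from a quiet training period, flags later one-second windows that exceed mean plus K standard deviations, and names the sources responsible. The sensitivity K, the allowlisted host and all flow records are constructed assumptions.

```python
# Constructed flow records: (timestamp_seconds, source_ip). Learn the normal
# per-second request rate from a clean period, then alert on windows whose rate
# exceeds the learned baseline and attribute the excess to individual sources.
from collections import Counter
from statistics import mean, pstdev

K = 3.0                      # assumed sensitivity: alert above mean + K * sigma
ALLOWLIST = {"10.0.0.5"}     # constructed: known-good monitoring host, never reported

# Constructed quiet training traffic: 3 or 4 requests per second for 10 seconds.
TRAINING = [(t, f"192.0.2.{i % 4}") for t in range(10) for i in range(3 + t % 2)]

# Constructed live traffic: a burst in seconds 20-21 dominated by two sources,
# then a return to normal in second 22.
LIVE = (
    [(20, "198.51.100.7")] * 40 + [(20, "198.51.100.9")] * 35 + [(20, "10.0.0.5")] * 5
    + [(21, "198.51.100.7")] * 50
    + [(22, "192.0.2.1")] * 3
)


def learn_baseline(flows):
    """Return (mean, population stddev) of per-second request counts."""
    per_second = Counter(ts for ts, _ in flows)
    counts = [per_second[t] for t in range(min(per_second), max(per_second) + 1)]
    return mean(counts), pstdev(counts)


def detect(flows, baseline, k=K, allowlist=ALLOWLIST):
    """Return {second: [offending sources, busiest first]} for windows whose
    total rate exceeds the threshold. A source is reported when it alone sends
    more than the baseline mean, unless it is allowlisted."""
    base_mean, base_sd = baseline
    threshold = base_mean + k * base_sd
    by_second = {}
    for ts, src in flows:
        by_second.setdefault(ts, Counter())[src] += 1
    alerts = {}
    for ts in sorted(by_second):
        srcs = by_second[ts]
        if sum(srcs.values()) <= threshold:
            continue                     # within learned normal behaviour
        alerts[ts] = [s for s, n in srcs.most_common()
                      if n > base_mean and s not in allowlist]
    return alerts


if __name__ == "__main__":
    print(detect(LIVE, learn_baseline(TRAINING)))
```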
Safeguarding DNS Servers
As part of an overall defensive strategy, organizations must protect their critical assets and infrastructure. Many firms maintain their own DNS servers for Web availability, and these are often the first systems to be targeted during a DDoS attack. Once DNS servers are hit, attackers can easily take down an organization’s Web operations, creating a denial of service situation. DNS protection solutions available on the market today guard against attacks on the transaction ID, UDP source port and case randomization mechanisms.
Maintaining Infrastructure Visibility and Control
Organizations need a way to maintain vigilance and monitor their systems before, during and after an attack. It’s no secret that having a holistic picture of the IT environment allows administrators to detect aberrations in network traffic and identify attacks quickly, while giving them the intelligence and analytical capabilities to implement appropriate mitigation and prevention techniques. The best defences will incorporate continuous and automated monitoring, with alert systems that sound alarm bells and trigger the response plan should DDoS traffic be detected.
It’s important to have granular visibility and control across the network. This visibility into network behavior helps administrators get to the root cause of the attack and block flood traffic while allowing legitimate traffic to pass freely. It also hands administrators the ability to conduct real-time and historic attack analysis for in-depth forensics. In addition, advanced source tracking features can help defensive efforts by pinpointing the address of a non-spoofed attack, and can even contact the offender’s domain administrator.
Turning Attention Back to the Business
DDoS attacks, like other security threats, will only continue to grow and become more rampant in future. The evolving nature of DDoS technologies will require firms to make a paradigm shift that entails greater foresight and more proactive defences.
Therefore, organizations need to beef up their response plans and assess their network infrastructure vis-à-vis DDoS threats today. They need to start by shoring up defences for critical servers and prioritizing data. They also need to implement management and monitoring capabilities to give them a comprehensive understanding of their whole network. Finally, IT administrators should be able to implement fail-safe measures that quickly identify the source of the threat, minimize the impact of the attack, and restore service as soon as possible.
Only with those measures will firms be able to stop worrying about crippling DDoS attacks and refocus on their business.