The current landscape of means, motives, and opportunities to execute distributed denial of service (DDoS) attacks makes any organization a more likely target than you might imagine.
Open-source attack tools are easy to find. Acquiring the capacity to execute a DDoS attack is almost a trivial concern for state-sponsored actors or criminals, who can lease an attack botnet or build their own through a malware distribution campaign. And it isn't hard to recruit volunteers to coordinate attacks designed to protest pending legislation or social injustice. More recently, we've seen the emergence of DDoS as a service.
Every organization today is a potential target, and it is essential for both technology and business leaders to consider how they would deal with a DDoS attack. Here are four key steps.
You may conclude that a nation-state could not benefit from disrupting your online operations, but could a crime gang decide that your company is a candidate for extortion? Do your products or services make you a potential target for hate or protest groups? Has your business attracted sufficient recent attention to make you a target for groups seeking notoriety?
If the answer is yes, you will need to assess the likelihood of your organization becoming a DDoS target. Guides like this Forrester whitepaper (commissioned by VeriSign) can help you calculate the probability of an attack, service disruption losses, and the costs of shoring your defenses and responding to an attack.
Develop an action plan
Once you have assessed the risks, consider gathering IT and other personnel to plan how to monitor, respond to, recover from, and make public disclosures about a DDoS attack. If you engage in social media, include parties responsible for your messaging. They are best positioned to monitor public opinion. They can help you distinguish between a DDoS attack and a traffic spike resulting from successful or opportune messaging. They are also the logical candidates to prepare (with legal counsel) and deliver any statements you may issue after an attack.
As you formulate an action plan, consider the forms of monitoring that will help you adopt an early response. Consider, too, how you will restore service or data. Determine what aspects of the plan you will take on yourself and what aspects will require aid from external parties.
The IETF paper RFC 4732 is a good place to start familiarizing yourself with DDoS techniques and mitigation approaches. SSAC advisories and global DDoS threat discussion threads are also valuable resources.
Talk to outside experts
If you've identified external parties to assist in your response and mitigation efforts, let them know in advance what you'd like them to do if you come under attack. Discuss what intelligence you will share, what you would like them to share, how you will exchange or transfer sensitive information, and what their assistance will cost. Discuss how and when you would contact law enforcement agencies, the press, or customers and what your disclosure process will entail. Exchange emergency and business contact information.
Hope for the best, plan for the worst
DDoS attacks have achieved sustained rates of 65 Gbit/s (Note: Prolexic more recently claims defeating attacks of 167 Gbit/s) so even the best preparations may not prevent a disruption of service. But preparing your defense strategy in advance will shorten your response time during the attack. After the attack, these preparations will help you collect information for a postmortem, so your team (and external parties) can learn from the event and adjust your response.
DDoS mitigation is challenging. There's no shame in outsourcing. If you invest the time to research DDoS defense only to conclude it's more than your organization can handle, the time you've invested is still worthwhile. It will help you make an informed, calm choice from among the available DDoS mitigation services.This article was originally posted at The Transformed Data Center 18 March 2013. This version has minor updates.