Developing an effective response to distributed denial-of-service (DDoS) attacks requires taking specific steps for prevention, detection, verification, containment, eradication and recovery. This piece explains how the DDoS threat is evolving and provides a step-by-step playbook to ensure your organization is protected against DDoS attacks.
A DDoS attack is an attempt by attackers to keep users from accessing a networked system, service, website, application or other resource by flooding the target with packets or requests, slowing down or completely halting its operation. SYN floods remain the most popular attack vector used by DDoS attackers, but RST floods, UDP floods and DNS amplification attacks are also common.
DDoS attacks come in three forms:
DDoS prevention starts with preparing measures to ensure effective and efficient response to incidents. To recap the recommendations outlined in IANS’ DDoS Protection Checklist, ensure you:
In addition to the aforementioned DDoS prevention steps, create an incident response plan that:
During the planning phase, you should also make sure you understand where single points of failure are located and how you could mitigate threats to them. For high-impact assets, consider employing multiple ISPs.
A DDoS attack is a complex challenge for a business to face because it is often difficult to determine whether a spike in traffic is legitimate or an attack, especially if the proper tools aren't in place.
Detection can be automatic or manual. Manual detection usually occurs when staff or customers complain about slow performance or an inability to access resources, but there are also network monitoring tools from Cisco and SolarWinds that can automatically detect an attack in progress and raise an alert. Automatic detection is preferable because it is faster than any manual process could be.
If you suspect an attack is in process, you can also:
Any of these signs may be indicative of an attack in progress. Once confirmed, it’s time to invoke the incident response plan. The immediate goal is always to mitigate business impact and get systems available again as soon as possible.
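The question raised above, whether a traffic spike is an attack or simply legitimate demand, can be partly answered by correlating volume with per-source concentration and error rate. The following is an added illustration, not code from IANS or this post: it parses constructed access-log lines (assumed format `<epoch-second> <source-ip> <http-status>`) and flags seconds where the spike comes from one client or where the service is already returning 5xx errors, while leaving a clean spike served from many distinct clients for a human to verify. All thresholds are illustrative assumptions.

```python
from collections import Counter, defaultdict

# Thresholds are assumptions for illustration; tune them to the service's measured baseline.
BASELINE_RPS = 5          # normal request rate for this service
SPIKE_FACTOR = 4          # volume must exceed baseline by this factor to be examined at all
PER_SOURCE_CAP = 20       # one client above this many requests in a second is a flood suspect
ERROR_RATE_ALERT = 0.3    # share of 5xx responses that indicates the service is buckling

def parse_log(text):
    """Parse constructed access-log lines of the form '<epoch-second> <source-ip> <status>'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, status = line.split()
            events.append((int(ts), src, int(status)))
    return events

def analyze(events):
    """Return one finding per second whose traffic looks like an attack rather than a popularity spike."""
    by_second = defaultdict(list)
    for ts, src, status in events:
        by_second[ts].append((src, status))
    findings = []
    for ts in sorted(by_second):
        reqs = by_second[ts]
        rps = len(reqs)
        if rps <= BASELINE_RPS * SPIKE_FACTOR:
            continue                                  # ordinary volume, nothing to verify
        sources = Counter(src for src, _ in reqs)
        top_src, top_n = sources.most_common(1)[0]
        err_rate = sum(1 for _, s in reqs if s >= 500) / rps
        reasons = []
        if top_n > PER_SOURCE_CAP:
            reasons.append(f"single source {top_src} sent {top_n} requests in one second")
        if err_rate >= ERROR_RATE_ALERT:
            reasons.append(f"{err_rate:.0%} of responses were 5xx")
        # A spike served cleanly from many distinct clients collects no reasons and is left to a human.
        if reasons:
            findings.append({"second": ts, "rps": rps, "sources": len(sources), "reasons": reasons})
    return findings

def sample_log():
    """Constructed access log: three quiet seconds, one single-source flood, one clean spike."""
    lines = [f"{t} 203.0.113.{i} 200" for t in range(1700000000, 1700000003) for i in range(4)]
    lines += ["1700000003 198.51.100.7 200"] * 10 + ["1700000003 198.51.100.7 503"] * 20
    lines += [f"1700000004 192.0.2.{i} 200" for i in range(25)]
    return "\n".join(lines)
```

Calling `analyze(parse_log(sample_log()))` returns a single finding for second 1700000003 (30 requests from one source, 67% of them 5xx); the 25-request spike at 1700000004 from 25 distinct clients is not flagged.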
Once an attack has been identified, it must be stopped or mitigated. If enough effort has been put into the planning phase, you should have good strategies in place with business systems prioritized. Some strategies for containment, eradication and recovery are more expensive than others, so be sure to factor in business criticality and impact. Key areas to consider include:
Usually, no single strategy alone will fully mitigate a DDoS attack. It's important to take a multi-strategy approach based on your business risk. And the more strategies you use, the more important it is to test them to ensure they will work as expected when a real attack occurs.
Tabletop and other simulated exercises can help test both tools and processes, and verify they perform as expected. It’s also critical to learn from these activities and adjust the plans, as necessary.
DDoS attacks remain an ongoing threat for many companies, but with the right preparation and incident response processes, the business impact of these attacks can be mitigated. To ensure you have the best defenses in place, make sure you:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
December 2, 2021
By IANS Faculty