The substantial increase in remote work and education, the use of technology including Virtual Private Network (VPN) connections, and the reliance on various online services and resources raise cybersecurity concerns, as organizations may be subject to cyberattacks such as distributed denial-of-service (DDoS) attacks. DDoS attacks can disrupt the availability of networked devices, services, or resources, and can also distract or weaken operations while other malicious activity is underway. There are several types of DDoS attacks. Volumetric attacks are a common type in which bots (compromised devices used to generate DDoS traffic) flood the network's bandwidth by sending a high number of false requests to every open port. Another type is application-layer attacks, which target and interfere directly with web traffic by attacking the HTTP, HTTPS, DNS, or SMTP protocols. Finally, protocol attacks target the parts of the network where connections are verified: threat actors send purposefully slow or malformed pings so that a large amount of resources is consumed to verify them.
The number and scale of DDoS attacks are increasing as cybercriminals use many types of devices and target different parts of the network. For example, the growing number of Internet of Things (IoT) devices connected to networks can be used to increase the size and power of botnets. The size and complexity of this trend are evident in the DDoS attack on Hungarian financial institutions and telecommunication services, which was reported to be the most powerful and largest cyberattack they had encountered, with the volume of traffic 10 times higher than the amount typically observed in DDoS attacks. In addition, Flightradar24, the popular Swedish internet-based flight tracker, suffered three DDoS attacks over 48 hours. Closer to home, the NJCCIC continues to receive reports of DDoS attacks impacting the education sector. As teachers and students continue virtual learning, it is imperative that services remain available to continue educational instruction during the COVID-19 pandemic.
Organizations can employ the following defensive measures to create a more cyber-resilient environment and reduce the risk of DDoS attacks:
- Security awareness training: Train employees to help better understand cyber threats and provide a strong line of defense, especially when working remotely.
- Defense-in-depth cybersecurity strategy: Implement a defense-in-depth cybersecurity strategy and access controls, including applying the Principle of Least Privilege, enabling multi-factor authentication (MFA), utilizing a Network Access Control (NAC) solution for connectivity into internal networks, and establishing a comprehensive data backup plan.
- Device security: Ensure devices and routers are up to date, secure, and protected to reduce the risk of unauthorized access. This includes changing all default passwords to strong passwords, updating with the latest security patches after appropriate testing, discontinuing the use of vulnerable devices that have not been patched by the vendor, and disabling Universal Plug and Play (UPnP) on routers unless it is necessary for business operations.
- Network and resource segmentation: Distribute servers and critical data in different data centers to ensure they are located on different networks with diverse paths.
- Vulnerability assessment and penetration testing: Regularly check for and remediate exploitable security flaws and vulnerabilities.
- Firewall and router configurations: Configure firewalls and routers primarily to block unauthorized IP addresses, close unnecessary ports, disable port forwarding, and prevent DNS and ping-based volumetric attacks.
- Network traffic monitoring: Understand your own network traffic patterns, continuously monitor network traffic, and recognize abnormal activity that would indicate a DDoS attack, regardless of its volume and duration. Look for warning signs such as network slowdowns, spotty connectivity, or irregular website shutdowns.
- DDoS resiliency plan: Establish Business Continuity, Disaster Recovery, and Incident Response Plans that include DDoS protections through Internet Service Providers (ISPs) and/or a third-party firm that specializes in DDoS mitigation. Contract a backup DNS provider to maintain continuity in the event of an attack on the primary DNS infrastructure. While these services do not guarantee that attacks will not result in outages, most organizations are not capable of defending against the many varieties of attack tactics on their own.
- Incident reporting: Report malicious cyber activity to the NJCCIC via the Cyber Incident Report form.
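The "network traffic monitoring" measure above rests on two things: a baseline of what normal traffic looks like, and a check that flags windows which depart from it. The following script is an added example, not part of the NJCCIC advisory, showing the simplest form of that check over web server access logs: it parses Common Log Format lines, counts requests per minute and per source address, compares each minute against the mean of the preceding quiet minutes, and raises an alert for a volume spike or for a single source sending far more than its share. The log lines, IP addresses (documentation ranges), thresholds, and function names are all assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, source_ip) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def bucket_by_minute(lines):
    """Map each one-minute window start -> Counter of requests per source IP."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of letting one bad line stop monitoring
        ts, ip = parsed
        windows[ts.replace(second=0, microsecond=0)][ip] += 1
    return dict(sorted(windows.items()))


def detect_spikes(lines, baseline_windows=3, spike_factor=5.0, per_source_limit=20):
    """Flag minutes whose request volume departs from the recent baseline.

    A window is a "volume_spike" when its total exceeds spike_factor times the
    mean of the last baseline_windows quiet windows; any source sending more
    than per_source_limit requests in one window is a "single_source" alert.
    Spike windows are kept out of the baseline so the flood cannot raise the
    threshold for later windows. Thresholds are assumed values for the example.
    """
    alerts = []
    history = []  # totals of recent windows judged normal
    for start, per_ip in bucket_by_minute(lines).items():
        total = sum(per_ip.values())
        recent = history[-baseline_windows:]
        baseline = sum(recent) / len(recent) if recent else None
        is_spike = baseline is not None and total > spike_factor * baseline
        if is_spike:
            alerts.append({
                "kind": "volume_spike", "window": start.isoformat(),
                "total": total, "baseline": baseline,
                "top_sources": per_ip.most_common(3),
            })
        else:
            history.append(total)
        for ip, count in per_ip.items():
            if count > per_source_limit:
                alerts.append({"kind": "single_source", "window": start.isoformat(),
                               "ip": ip, "count": count})
    return alerts


def build_sample_log():
    """Constructed sample: three quiet minutes, one flooded minute, one quiet minute."""
    base = datetime(2020, 11, 10, 10, 0, tzinfo=timezone.utc)
    normal = ["203.0.113.5", "203.0.113.17", "203.0.113.42"]      # constructed clients
    flood = {"198.51.100.1": 25, "198.51.100.2": 15,              # constructed bot sources
             "198.51.100.3": 10, "198.51.100.4": 10}
    lines = []

    def emit(ip, minute, n):
        ts = base + timedelta(minutes=minute, seconds=n % 60)
        lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 512')

    for minute in range(5):
        for i, ip in enumerate(normal):
            emit(ip, minute, i)
            emit(ip, minute, i + 30)
        if minute == 3:
            for ip, count in flood.items():
                for n in range(count):
                    emit(ip, minute, n)
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(build_sample_log()):
        print(alert)
```

The baseline here is a plain mean over a handful of windows, which is enough to show the idea; a production monitor would use a longer history with hourly and weekday seasonality and would keep per-path and per-status counts as well, since application-layer floods often show up as a shift in which URLs or response codes dominate rather than as raw volume.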
Resources