[BreachExchange] 10 Masterful Steps In Combating Denial Of Service Attacks

Destry Winant destry at riskbasedsecurity.com
Wed Jan 9 02:16:12 EST 2019


https://hackercombat.com/10-masterful-steps-in-combating-denial-of-service-attacks/

We could define DDoS (Distributed Denial of Service) attacks as the
exclusive appropriation of a resource or service with the intention of
preventing any third party from accessing it. Also included in this
definition are attacks intended to collapse a resource or system in
order to destroy the service or resource. DoS attacks are a natural
consequence of the Internet's own architecture. Carrying out this type
of attack does not require great knowledge, and it is less risky than
a direct attack against a server, because this type of attack uses
other intermediate equipment, which lets the attacker erase their
traces afterwards.

For example: if a server has a bandwidth of 1 Mbps and a user has a
bandwidth of 30 Mbps, that user could deny service to the server by
making many requests and exhausting its bandwidth. There are three
basic types of denial of service:

- Resource consumption: the attacker tries to consume the resources of
the server until they are exhausted: bandwidth, CPU time, memory, hard
disk …
- Destruction or alteration of the configuration: an attempt is made
to modify the information on the machine. These types of attacks
require more sophisticated techniques.
- Destruction or physical alteration of the equipment: an attempt to
deny the service by physically destroying the server or some of its
components, or by cutting the connection cable or the power cable.

We will focus on the first type of attack.

The proliferation of tools keeps growing thanks to the emergence of
communities of intruders who, with a lot of organization and very
little turnaround time, manage to move a tool from a beta version to
its final version. This makes dealing with them increasingly
difficult. The tools used to create DDoS attacks are increasingly
simple and easy to use for less experienced users, which also
increases the number of attacks and the damage they cause.

Motivated by both financial and political reasons, DDoS attacks are
becoming more prevalent. Although a first attack may be random,
attacks frequently occur when an attacker with specific knowledge of a
high-value target's service decides to take it offline. This can
cause panic and lead to costly decisions, including the payment of a
ransom, in order to stop the attack as a priority.

If we analyze how DDoS attacks operate, we will realize that there are
no 100% reliable solutions against them. Current solutions are based
on classic firewalls and intrusion detection systems.

The following are the 10 steps to mitigate against DDoS attacks:

Check the attack

Not all interruptions are caused by a DDoS attack. Incorrect DNS
settings, routing problems, and human error are common causes of
network interruptions. First, system admins have to rule out these
non-DDoS causes and distinguish an attack from an ordinary
interruption. The quicker it is verified that the service
interruption is a DDoS attack, the faster a response can be
established. Even if the interruption was not caused by an erroneous
configuration or another type of human error, there may be other
explanations that resemble a DDoS attack.

Contact the team leaders

Once the attack has been verified, contact the leaders of the relevant
teams. If there is no quick reference sheet or contact list prepared
earlier, create one now, which can be used as a template going
forward. When a service interruption occurs, the organization may
convene a formal conference call that includes several of the
operations and application teams. If the organization has a
procedure of this kind, use this meeting to officially confirm the
DDoS attack to the team leaders.

Define application hierarchy

Once the attack has been confirmed, reclassify the applications. When
facing an intense DDoS attack with limited resources, organizations
must make decisions based on the defined hierarchy. Online assets of
highest value usually also generate the highest gains. These are the
applications that firms usually want to keep alive. Lower value
applications, regardless of their level of legitimate traffic, must be
disabled intentionally so that processing, resource usage and
network capacity can be deliberately allocated to the application
services of greater value. Seek the opinion of team leaders before
doing this.

Protect fellow associates and remote users

It is very likely that there are fellow employees or clients who
require access to applications or networks. If it has not been done
already, collect the IP addresses that they always use and define
access controls based on them; this list needs to be reviewed
regularly. The white list may have to be distributed to several
places within the network, such as the firewall, the Application
Delivery Controller (ADC), and possibly even the service provider, to
ensure that traffic to and from those addresses is not disrupted.
Many companies put TLS VPN users on white lists or give them
quality-of-service priority. Usually this is achieved in an integrated
firewall / VPN server, which can be of great importance if you have a
significant number of remote employees.

Identify the attack

Now is the time to gather technical intelligence about the attack. The
first question that should be asked is: "What are the vectors of the
attack?" If the attack is purely volumetric, the Internet Service
Provider will have informed the sysadmin and may already have taken
action to remedy the DDoS attack. However, well-equipped organizations
use existing monitoring solutions, such as deep packet capture
devices, for a deeper probe.

Evaluate mitigation options by source address

If step 5 above has identified that the campaign uses advanced attack
vectors that the service provider cannot mitigate (such as zero-day
attacks, vulnerability attacks on applications, or SSL injection
scenarios), then the next question becomes: "How many sources are
there?" If the list of aggressor IP addresses is small, the firewall
can block them all. Another option is to ask the ISP to block the
wider IP ranges of those targeting the local network. The list of
aggressor IP addresses can be too big to be blocked in the firewall:
each address added to the block list requires processing and increases
CPU utilization. But it is still possible to block the attackers if
they are all found in the same geographical region, or within a few
regions, which can be blocked temporarily.
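The allowlist from step 4 and the source-address decision in step 6 can be checked together. The following is an added example, not code from the article: it takes a constructed sample of source addresses (RFC 5737 documentation ranges) observed during an incident, counts requests per source, and collapses the noisy hosts into /24 blocks that could be handed to the firewall or the ISP, while never widening a block over an allowlisted partner address. The threshold and the /24 prefix are assumptions to tune per site.

```python
import ipaddress
from collections import Counter

# Constructed sample: source addresses pulled from access logs during the
# incident (RFC 5737 documentation ranges; not real attacker addresses).
SAMPLE_SOURCES = (
    ["203.0.113.%d" % i for i in range(1, 60)] * 40  # 59 hosts in one /24, 40 hits each
    + ["198.51.100.7"] * 2000                         # one very noisy host
    + ["192.0.2.50"] * 500                            # noisy host sharing a /24 with a partner
    + ["192.0.2.10"] * 3                              # ordinary user
    + ["192.0.2.11"] * 2                              # allowlisted partner, light traffic
)

# Step 4: partner / remote-user addresses that must keep access (assumed).
ALLOWLIST = [ipaddress.ip_network("192.0.2.11/32")]


def noisy_sources(sources, threshold):
    """Return {ip: request_count} for every source above `threshold`."""
    return {ip: n for ip, n in Counter(sources).items() if n > threshold}


def proposed_blocks(noisy, allowlist, prefix=24):
    """Collapse noisy hosts into /`prefix` blocks so the block list stays short.

    A host that is itself allowlisted is never blocked, and a block that
    would also cover an allowlisted address is kept as a single /32 instead.
    """
    blocks = set()
    for ip in noisy:
        host = ipaddress.ip_network(ip + "/32")
        if any(host.subnet_of(a) for a in allowlist):
            continue                       # partner: leave alone
        wide = host.supernet(new_prefix=prefix)
        if any(wide.overlaps(a) for a in allowlist):
            blocks.add(host)               # widening would hit a partner
        else:
            blocks.add(wide)
    return sorted(blocks)


def summarize(sources, allowlist, threshold=10):
    """Return (number of noisy hosts, list of CIDR strings to block)."""
    noisy = noisy_sources(sources, threshold)
    return len(noisy), [str(b) for b in proposed_blocks(noisy, allowlist)]


if __name__ == "__main__":
    hosts, cidrs = summarize(SAMPLE_SOURCES, ALLOWLIST)
    print(f"{hosts} noisy hosts collapse into {len(cidrs)} blocks: {cidrs}")
```

With the sample data, 61 noisy hosts collapse into three entries, and the host next to the partner stays a /32 rather than taking the partner's /24 with it.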

Mitigate application-specific attacks through patching

If the incident has reached this step, then the DDoS attack is
sophisticated enough to make mitigation by source address ineffective.
The attacks that fall into this category may have been generated by
DDoS tools of varying quality, many of which are open source. These
attacks look like normal traffic at layer 4, but they have anomalies
that disrupt services at the server, application, or database level.

Increase the security posture of applications

If this step is reached in a DDoS attack, the organization has already
mitigated layers 3 and 4, has evaluated mitigations for
application-specific attacks, and continues to experience problems.
This means that the attack is relatively sophisticated, and the
ability to mitigate it will depend in part on the target applications.
It is very likely that the organization is facing one of the most
difficult modern attacks: the asymmetric attack against applications.

The best defense against these asymmetric attacks depends on the
application. For example, organizations like financial institutions
know their customers and are able to use logon barriers to reject
anonymous requests. Entertainment industry applications such as hotel
websites, on the other hand, often do not know the user who is about
to make a reservation. For them, a CAPTCHA can be a better deterrent.

Limit resources

If all previous steps fail to stop the DDoS attack, the system admin
may be forced to simply limit resources to survive the attack. This
technique rejects both good and bad traffic. In fact, limiting
capacity in many cases rejects 90 to 99 percent of desirable traffic
while still allowing the aggressor to drive up the operating costs of
a data center. For many organizations it is better to disable an
application than to accept defeat and unfairly increase operating
costs, for example by spending a lot on a bigger bandwidth allocation.

Manage public relations

Financial organizations, in particular, may have internal policies
related to liability that prevent them from admitting when an attack
is happening. This can become a complicated situation for the person
responsible for public relations. Reporters, however, may not accept
this type of evasion, especially if the site seems to be completely
out of order. The organization may do the following:

- For the press. If the policies of the industry allow the
organization to admit when it has been attacked from the outside, do
so and be frank about it. If a policy dictates that the firm must
deflect questions, argue cleverly against a mostly IT-ignorant press,
but be sure to prepare for the next press release. However, this is
rather unlawful nowadays due to the security/privacy laws in force in
many territories, such as the European Commission's GDPR (General
Data Protection Regulation) and similar laws.
- For internal staff, including anyone who may be contacted by the
press. The firm's internal communication team should give directions
about what to say and what not to say to the media. Or better yet,
tell staff members to direct all questions related to the event to the
person in charge of Public Relations, including their contact number.

