It’s almost as inevitable as death and taxes: somewhere, at some point, you will come under a DDoS attack.
The reasons for DDoS attacks can vary from cybercrime to hacktivism to simple bad luck, but eventually someone will be out there to try and take you down. The good news, however, is that there is plenty to be done about it.
Here are five key steps that can prepare you for the attacks you should anticipate:
1: Map Vulnerable Assets
The ancient Greeks said that knowing thyself is the beginning of wisdom.
It is no surprise, therefore, that the first step to securing your assets against a DDoS attack is to know what assets there are to be secured.
Begin by listing all external-facing assets that might potentially be attacked. This list should include both physical and virtual assets:
- Physical locations & offices
- Data centers
- Servers
- Applications
- IP addresses and subnets
- Domains, sub-domains and specific FQDNs
Mapping out all externally facing assets will help you draw your threat surface and identify your point of vulnerability.
2: Assess Potential Damages
After listing all potentially vulnerable assets, figure out how much they are worth to you. This is a key question, as the answer will help determine how much you should spend in protecting these properties.
Keep in mind that some damages are direct, while others may be indirect. Some of the potential damages from a DDoS attack include:
- Direct loss of revenue – If your website or application is generating revenue directly on a regular basis, then any loss of availability will cause direct, immediate losses in revenue. For example, if your website generates $1m a day, every hour of downtime, on average, will cause over $40,000 in damages.
- Loss in productivity – For organizations that rely on online services, such as email, scheduling, storage, CRM or databases, any loss of availability to any of these services will directly result in loss of productivity and lost workdays.
- SLA obligations – For applications and services that are bound by service commitments, any downtime can lead to breach of SLA, resulting in refunding customers for lost services, granting service credits, and even potentially facing lawsuits.
- Damage to brand – In a world that is becoming ever-more connected, being available is increasingly tied to a company’s brand and identity. Any loss of availability as a result of a cyber-attack, therefore, can directly impact a company’s brand and reputation. In fact, Radware’s 2018 Application and Network Security Report showed that 43% of companies had experienced reputation loss as a result of a cyber-attack.
- Loss of customers – One of the biggest potential damages of a successful DDoS attack is loss of customers. This can be either direct loss (i.e., a customer chooses to abandon you as a result of a cyber-attack) or indirect (i.e., potential customers who are unable to reach you and lost business opportunities). Either way, this is a key concern.
When evaluating potential damages of a DDoS attack, assess each vulnerable asset individually. A DDoS attack against a customer-facing e-commerce site, for example, will result in very different damages than an attack against a remote field office.
After you assess the risk to each asset, prioritize them according to risk and potential damages. This will not only help you assess which assets need protection, but also the type of protection they require.
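The inventory-and-valuation exercise in steps 1 and 2 is easier to keep honest when it is written down as data rather than as a spreadsheet of gut feelings. The following is an added example, not code from the original article, that models each asset with its direct (revenue) and indirect (productivity, SLA credits) hourly losses, estimates an annual expected loss from an assumed number of outage hours, and ranks the assets. All asset names, dollar figures and outage estimates are constructed for illustration.

```python
"""Added example: rank externally facing assets by the expected cost of a
DDoS-induced outage. Figures below are constructed, not real measurements."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str                          # e.g. "application", "subnet", "office"
    daily_revenue: float               # direct loss: revenue the asset earns per day
    hourly_productivity_cost: float    # indirect loss: idle staff, lost workdays per hour
    sla_credit_per_hour: float         # indirect loss: contractual credits per hour down
    expected_outage_hours_per_year: float  # assumption: from attack history / threat intel

    def hourly_loss(self) -> float:
        """Direct revenue loss per hour plus indirect hourly costs."""
        return (self.daily_revenue / 24.0
                + self.hourly_productivity_cost
                + self.sla_credit_per_hour)

    def annual_expected_loss(self) -> float:
        """Hourly loss scaled by the outage hours we expect in a year."""
        return self.hourly_loss() * self.expected_outage_hours_per_year


def prioritize(assets):
    """Return assets ordered from highest to lowest annual expected loss."""
    return sorted(assets, key=lambda a: a.annual_expected_loss(), reverse=True)


def sample_inventory():
    """Constructed inventory mirroring the article's examples: a revenue-
    generating e-commerce site, an email service, and a remote field office."""
    return [
        Asset("shop.example.com", "application", 1_000_000, 0, 5_000, 12),
        Asset("mail.example.com", "application", 0, 15_000, 0, 6),
        Asset("field-office-ip-range", "subnet", 0, 2_000, 0, 4),
    ]


if __name__ == "__main__":
    for a in prioritize(sample_inventory()):
        print(f"{a.name:25s} {a.kind:12s} "
              f"hourly ${a.hourly_loss():>10,.2f}  "
              f"annual expected ${a.annual_expected_loss():>12,.2f}")
```

The ranking is only as good as the outage-hours assumption, so revisit that number after every incident; an asset that has never been attacked but sits at the top of the hourly-loss column still deserves protection, which is why both columns are printed.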
3: Assign Responsibility
Once you create an inventory of potentially vulnerable assets, and then assign a dollar-figure (or any other currency…) to how much they are worth for you, the next step is to decide who is responsible for protecting them.
DDoS attacks are a unique type of cyber-attack, as they affect different levels of IT infrastructure and can therefore potentially fall under the responsibility of different stakeholders:
- Is DDoS the responsibility of the network administrator, since it affects network performance?
- Is it the responsibility of the application owner, since it impacts application availability?
- Is it the responsibility of the business manager, since it affects revenue?
- Is it the responsibility of the CISO, since it is a type of cyber-attack?
A surprising number of organizations don’t have properly defined areas of responsibility with regard to DDoS protection. This can result in DDoS defense “falling between the cracks,” leaving assets potentially exposed.
4: Set Up Detection Mechanisms
Now that you’ve evaluated which assets you must protect and who’s responsible for protecting them, the next step is to set up measures that will alert you to when you come under attack.
After all, you don’t want your customers – or worse, your boss – to be the ones to tell you that your services and applications are offline.
Detection measures can be deployed either at the network level or at the application level.
Make sure these measures are configured so that they don’t just detect attacks, but also alert you when something bad happens.
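To make the "detect and alert" requirement concrete, here is an added example (not from the original article) of an application-level detector: it parses web-server access-log lines, counts requests per second, learns a baseline from a quiet window, and fires an alert whenever the rate exceeds a configured multiple of that baseline. It also distinguishes a flood concentrated on one source from a distributed one, since the two call for different responses. The log lines, thresholds and the `notify` callback are all constructed assumptions; in production the callback would be wired to your paging or ticketing system.

```python
"""Added example: rate-based DDoS detection with alerting over access logs.
Log lines and thresholds are constructed for illustration."""
import re
import statistics
from collections import Counter, defaultdict

# Common-log-style line: src ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return {src, ts, status} for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Keep second-resolution timestamp, drop the timezone offset
    ts = m.group("ts").split(" ")[0]
    return {"src": m.group("src"), "ts": ts, "status": int(m.group("status"))}


def requests_per_second(lines):
    """Map each second -> Counter of requests per source address."""
    per_sec = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_sec[rec["ts"]][rec["src"]] += 1
    return per_sec


def detect(lines, baseline_seconds=3, factor=5.0, min_rate=20,
           top_src_share=0.5, notify=print):
    """Learn a baseline from the first `baseline_seconds`, then alert on any
    later second whose total rate exceeds max(min_rate, factor * baseline).
    `notify` is called once per alert so detection and alerting stay coupled."""
    per_sec = requests_per_second(lines)
    seconds = sorted(per_sec)  # fixed-width timestamps sort chronologically
    baseline_rates = [sum(per_sec[s].values()) for s in seconds[:baseline_seconds]]
    baseline = statistics.median(baseline_rates) if baseline_rates else 0
    threshold = max(min_rate, factor * baseline)
    alerts = []
    for s in seconds[baseline_seconds:]:
        total = sum(per_sec[s].values())
        if total <= threshold:
            continue
        src, n = per_sec[s].most_common(1)[0]
        kind = ("single-source flood" if n / total >= top_src_share
                else "distributed flood")
        alert = {"second": s, "rate": total, "threshold": threshold,
                 "kind": kind, "top_source": src}
        alerts.append(alert)
        notify(f"ALERT {s}: {total} req/s > {threshold:.0f} ({kind}, top src {src})")
    return alerts


def make_sample_log():
    """Constructed log: three quiet seconds of ~4 req/s, then a distributed
    burst from ten sources, then a burst from a single source."""
    lines = []

    def add(second, src, n):
        for _ in range(n):
            lines.append(f'{src} - - [10/Oct/2023:13:55:{second:02d} +0000] '
                         f'"GET /index.html HTTP/1.1" 200 512')

    for sec in (36, 37, 38):
        for src in ("198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"):
            add(sec, src, 1)
    for i in range(10):
        add(39, f"203.0.113.{i + 1}", 6)
    add(40, "192.0.2.77", 50)
    return lines


if __name__ == "__main__":
    detect(make_sample_log())
```

A fixed multiple of a short baseline is deliberately simple; real deployments should learn the baseline per asset and per time of day, and pair this application-level view with network-level counters (packets and bits per second, SYN rates) so that a volumetric attack is caught before it ever reaches the web tier.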
5: Deploy a DDoS Protection Solution
Finally, after you’ve assessed your vulnerabilities and costs, and set up attack detection mechanisms, now is the time to deploy actual protection. This step is best done before you get attacked, and not when you are already under one.
DDoS protection is not a one-size-fits-all proposition, and there are many types of protection options, depending on the characteristics, risk and value of each individual asset.
On-demand cloud mitigation services are activated only once an attack is detected. They require the lowest overhead and are the lowest-cost solution, but require traffic diversion for protection to kick in. As a result, they are best suited for cost-sensitive customers, services which are not mission-critical, and customers who have never been (or are infrequently) attacked, but want a basic form of backup.
Always-on cloud services route all traffic through a cloud scrubbing center at all times. No diversion is required, but there is minor added latency to requests. This type of protection is best for mission-critical applications which cannot afford any downtime, and organizations that are frequently attacked.
Hardware-based appliances provide the advanced capabilities and fast response of premises-based equipment. However, an appliance on its own is limited in capacity. Therefore, appliances are best used by service providers who are building their own scrubbing capabilities, or in combination with a cloud service.
Finally, hybrid DDoS protection combines the massive capacity of cloud services with the advanced capabilities and fast response of a hardware appliance. Hybrid protection is best for mission-critical and latency-sensitive services, and organizations who encrypt their user traffic, but don’t want to put their SSL keys in the cloud.
Ultimately, you can’t control if and when you are attacked, but following these steps will help you be prepared when DDoS attackers come knocking at your door.