CIOReview | October 2017

sophisticated Layer 7 (Layer 7 of the Open Systems Interconnection, or OSI, model) DDoS attack may target just specific areas of a website, making it even more difficult to separate from normal traffic. Consider that a Layer 7 DDoS attack might target a specific website element only (e.g., the company logo or a unique page graphic) to consume resources every time it is downloaded, with the intent to exhaust the server. Additionally, some attackers may use Layer 7 DDoS attacks as diversionary tactics while other exploits exfiltrate sensitive information or install ransomware, all the while your IT staff are consumed fighting the DDoS attack.

While bad actors conducting DDoS attacks often target sites or services hosted on high-profile web servers such as e-tailers, banks, or credit card payment gateways, any organization can be hit. Motivation runs the gamut from activism and revenge to blackmail/extortion and terrorism. Worse still, as technology advances, so do the many ways to launch a DDoS attack. Out on the dark web there are freely available network stressors and DDoS tools that can be acquired, configured, and controlled via botnets and other command-and-control tools. More advanced tools include nation state-backed "Internet Cannons" that weaponize valid Internet user traffic by rewriting HTTP requests to flood targeted websites.

Since DDoS attacks can be extremely complex, multiple layers of defense in depth are needed to keep up with the latest threats. While you can hope you are not targeted, that is not a sound strategy. You should proceed as if you will be targeted or hit and take proactive steps now. So, with defense in depth in mind, let's talk about 10 of those proactive steps, a combination of strategy and tactics that you can take in advance.

1. Take assessment: objectively and honestly determine your strengths, gaps, vulnerabilities, and threats; hire a qualified third party if necessary.
2. Adopt a framework: this is the foundation of your entire enterprise-level security program and the DDoS protections within it; NIST, ISO, SANS, pick one.
3. Incident response plan: create and regularly practice an all-hazards plan with a crisis communication plan built in.
4. Solid router and firewall configs: look to expert advice from the OEM and to solid "hardening standards".
5. Traffic threshold monitoring: find out what "normal" amounts of traffic to your sites look like and then create a threshold to alert on.
6. Cloud-based DDoS defense systems: lots of great vendors; check the think tanks for ratings and ask colleagues about their experiences.
7. Enhanced DNS protection services: same as above; the best spot and stop trouble before it ever gets close to your network.
8. IDS/IPS: use next-generation firewalls with built-in intrusion detection and prevention (IDS/IPS), coupled with Border Gateway Protocol (BGP), to stop DDoS attacks.
9. WAF: a web application firewall (WAF) acts like an anti-malware tool that blocks malicious attacks on your website(s). It sits above your application at the network level to provide protection before the attacks reach your server. As a bonus, using a WAF not only protects you against DDoS attacks but also generally improves application performance and enhances user experience.
10. Upstream filtering: provided by your ISP; includes reputation-based blocking and a feature called Unicast Reverse-Path Forwarding to silently drop, or "blackhole", the bad traffic.

With forethought and planning, you don't have to rely on hope when it comes to dealing with DDoS.
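Step 5 (baseline "normal" traffic, then alert on a threshold) and the earlier point about Layer 7 floods that hammer a single page element are easier to see in code. The following is an added example, not code from the CIOReview article or any vendor: it parses Apache/nginx Common Log Format access-log lines, counts requests per minute per URL path, learns a per-path mean and standard deviation over a quiet training window, and flags any minute in which one path exceeds the learned threshold. The log lines are constructed, and the sigma multiplier (k=3) and absolute floor (50 requests/minute) are illustrative assumptions to be tuned against a real site's history.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Apache/nginx Common Log Format: client ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Return (minute_key, path) for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string so /logo.png?x=1 and /logo.png?x=2 count as one resource
    path = m.group("path").split("?", 1)[0]
    return ts.strftime("%Y-%m-%dT%H:%M"), path


def bucket_counts(lines):
    """Count requests per (minute, path); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed] += 1
    return counts


def build_baseline(counts, training_minutes):
    """Per-path mean and sample standard deviation of requests per minute,
    measured only over the quiet training window (missing minutes count as 0)."""
    paths = {path for _, path in counts}
    baseline = {}
    for path in paths:
        series = [counts.get((minute, path), 0) for minute in training_minutes]
        mean = statistics.mean(series)
        stdev = statistics.stdev(series) if len(series) > 1 else 0.0
        baseline[path] = (mean, stdev)
    return baseline


def find_alerts(counts, baseline, k=3.0, floor=50):
    """Flag every (minute, path) whose count exceeds max(floor, mean + k*stdev).
    The floor stops near-constant, low-volume paths from alerting on tiny jitter."""
    alerts = []
    for (minute, path), n in sorted(counts.items()):
        mean, stdev = baseline.get(path, (0.0, 0.0))
        threshold = max(floor, mean + k * stdev)
        if n > threshold:
            alerts.append({"minute": minute, "path": path,
                           "count": n, "threshold": round(threshold, 1)})
    return alerts


def constructed_log():
    """Constructed 11-minute access log: ten quiet minutes, then one minute in
    which /logo.png alone is requested 400 times while other paths stay normal."""
    lines = []
    profile = {"/": 20, "/logo.png": 20, "/about": 5}   # assumed normal rates
    for minute in range(11):
        for path, base in profile.items():
            n = base + (minute % 3)          # small deterministic jitter
            if minute == 10 and path == "/logo.png":
                n = 400                      # the Layer 7 burst on one element
            for i in range(n):
                lines.append(
                    f"203.0.113.{i % 250 + 1} - - "
                    f"[01/Oct/2017:00:{minute:02d}:{i % 60:02d} +0000] "
                    f'"GET {path} HTTP/1.1" 200 {1024 + i}'
                )
    return lines


def run_example():
    """Train on minutes 00-09, then evaluate every bucket including minute 10."""
    counts = bucket_counts(constructed_log())
    training = [f"2017-10-01T00:{m:02d}" for m in range(10)]
    baseline = build_baseline(counts, training)
    return find_alerts(counts, baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Only the minute-10 burst on /logo.png trips the alert; the same minute's traffic to / and /about stays under threshold, which is the point of baselining per resource rather than per site: a site-wide request count would barely move while one element is being hammered.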