DDoS attack protection can become quite complex and require deep expertise. Yet, there are some basic steps you can take to improve your protection – without requiring any professional help. Here are four actions you can take right now.
1) Run DDoS Testing
This is really the most basic and easiest step. Not performing any DDoS testing is like releasing software without any QA or like allowing an attacker to run the testing for you and identify your weaknesses when it is most painful.
Running DDoS testing is a 3-hour effort. You can hire a company to run it for you or go for a DIY option where you ‘rent’ a platform for 3 hours and generate controlled attacks. In either case, the cost is low, and it always yields great ROI. My experience of running hundreds of tests is that it never fails to provide surprise findings, which can lead you to significant improvements to your DDoS protection.
For example, you might find configuration mistakes that prevent mitigation, that an ISP has hidden limits on the internet line or that the protection solution you’re relying on actually mitigates less than was promised by the vendor. These are all real-life cases that DDoS testing has uncovered.
2) Maximise Your Use of Caching
If you use a Cloud WAF service (regardless of the specific vendor – Akamai, Imperva, Cloudflare or other), then maximizing your use of caching is the easiest way to reduce your attack surface with a single setting change.
Increasing caching levels means that more data will be saved on the servers of your Cloud WAF service provider. In the event of a DDoS attack on one of your assets, such as an e-commerce page, the fact that it is stored on the provider’s network will essentially block the ability to take it down.
For example, in many organizations, the corporate website isn’t well cached, despite 99% of the site content being static. Corporate websites are often the first target of a DDoS attack.
Improving caching may be as simple as activating it or increasing the level of the default caching provided. In other cases, increasing caching levels may require help from R&D.
3) Write Down NOC Procedures
Write down your DDoS attack procedures for your SOC/NOC/first responder teams.
This may sound trivial, but writing down the specific step-by-step tasks and activities to be carried out during a DDoS attack will result in faster and more effective mitigation.
For example, we often find out that the NOC team struggles to differentiate between a DDoS attack and a server failure., Because there is no defined procedure for detecting a DDoS attack, they automatically call IT or DevOps in all scenarios.
In some organizations, the DDoS attack detection procedure can be triggered by a phone call from the Cloud WAF vendor. Yet, other companies may implement an internal alert – if the PRTG network monitor identifies traffic above, say, 600Mb for more than 5 minutes, it sends Slack and text messages to both the NOC and security teams, notifying them of the high probability of a DDoS attack.
4) Use Double DNS
Most organizations today use managed DNS services. If a successful DDoS attack is carried out on your managed DNS service, your own online systems will also become unavailable. If you add a second DNS provider, you’ll have two separate DNS networks running simultaneously, and your services will remain available even if one DNS service is down.
While DDoS attacks on DNS service providers don’t happen every day, consider the 2016 DDoS attack on Dyn that affected dozens of companies. There was also a recent Facebook outage that, though not related to the DDoS attack, was caused by DNS issues.