DDoS Threat Intelligence Report

DDoS Defense

Surviving DDoS Attacks

Strategies and Best Practices

Adversaries abound, threats continue to grow, and networks go through trial by fire way too soon, but all is not lost. It is our belief that a well-prepared network can withstand any DDoS attack. Achieving this state requires the right equipment, planning, testing, training, and continuous improvement. A general state of preparedness for any threat, DDoS included, can be achieved by following NIST guidelines.

SIX PHASES OF INCIDENT RESPONSE


Phase 1 Preparation

Prep the network, create tools, test tools, prep procedures, train team, and practice.

We believe preparation is the most crucial step, because it involves not just implementing the technology needed to detect and mitigate DDoS attacks but also providing the necessary training to operate these tools with high confidence.

Phase 2 Detection

How do you know about the attack? What tools can you use? What’s your process for communication?

Phase 3 Classification

What kind of attack is it?

Phase 4 Traceback

Where is the attack coming from? Where and how is it affecting the network?

Phase 5 Reaction

What options do you have to remedy? Which option is the best under the circumstances?

Phase 6 Postmortem

What was done? Can anything be done to prevent it? How can it be less painful in the future?

Typically, we see DDoS attacks as external threats, but we’ve seen adversaries launch internally facing DDoS attacks, effectively bypassing traditional DDoS defense solutions. In addition to tracking inbound DDoS attack vectors and rates, however, it becomes equally important to track any outbound C2 communications to known DDoS botnet nodes and subsequently to identify when any internally infected bot nodes begin launching high volumes of traffic outbound.

The following steps are methods for enhancing detection for both inbound and outbound DDoS attacks:

1
Track and block malicious traffic

Monitor for specific patterns that trigger amplified traffic, and use threat intelligence feeds to identify and block traffic from known bot nodes and C2 communications.

2
Rate-limit unwanted traffic

Implement rate limiting on uncommon applications and services to detect and prevent abuse of these protocols as a preemptive countermeasure.

3
Apply internal and external detections

Use both external-facing detections and internal monitoring to identify outbound DDoS attacks and compromised systems.

4
Utilize filter lists and patch management

Employ reputation databases and custom filters, and ensure that all on-net devices are updated and patched to minimize vulnerabilities, investigate irregularities, and regulate traffic flow effectively.

Final Thoughts

Today’s connected world has a pressing need for comprehensive detection and mitigation strategies that address the complexities of modern DDoS threats, even as adversaries indiscriminately pummel organizations of all types. The rapid evolution of attack tactics, especially among emergent ASNs, demands continuous monitoring and adaption. Threat intelligence is a cornerstone in defending against DDoS attacks. It provides the insights necessary to anticipate and counteract malicious activity. By implementing robust security measures, leveraging threat intelligence, and fostering collaboration among sectors, organizations can enhance their resilience against the growing threat landscape.