Distributed denial-of-service (DDoS) attacks, whereby hackers attempt to render online systems unavailable by flooding them with network traffic from various sources, are growing more prevalent and powerful. A study by security firm Prolexic indicated that the average DDoS attack, measured in gigabits per second, grew more than 900 percent from the first quarter of 2013 to the second quarter. And subsequent Prolexic analysis revealed that, although the duration of attacks may have subsided, the sheer number of incidents recently hit an all-time high.
Any government agency could be the target of a DDoS attack, effectively preventing it from delivering services necessary to accomplish its mission. Therefore, it is important to mitigate potential DDoS attacks against networks, systems and applications. Here are some tips.
Tip 1: Prepare your computing infrastructure.
Some DDoS attacks can overwhelm an infrastructure with the volume of packets they send, using up all available bandwidth and preventing regular traffic from passing through. Others consume different resources — for example, by establishing numerous connections to a web application to prevent legitimate users from accessing it. An agency's infrastructure should include extra "breathing room" so minor attacks won't cause a denial of service. If an agency normally consumes 90 percent of its Internet bandwidth for everyday activity, for example, it wouldn't take much for an attacker to generate enough traffic to eat up what's left.
In general, Internet connections should have enough bandwidth overhead so that small DDoS attacks cannot easily overwhelm them. Likewise, web servers that face the Internet and other publicly accessible resources should support reasonable numbers of concurrent connections. Agencies might also want to set low timeout thresholds for establishing connections — long, drawn-out session handshakes are fertile ground for DDoS attacks.
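The connection-level half of this tip (a cap on concurrent connections plus a short deadline for completing the handshake) is easy to see in working code. The following asyncio server is an added example written for this article, not code from the original; the timeout and connection-cap values, the loopback demo harness and the `GuardedServer` name are all assumptions chosen for illustration. A client that opens a socket and never finishes its request headers is dropped at the deadline, so it cannot hold a slot indefinitely, while a client that sends a complete request is answered normally.

```python
import asyncio

# Assumed defaults for this example; tune them to the real capacity of the service.
HEADER_TIMEOUT = 2.0    # seconds a client gets to finish sending its request headers
MAX_CONCURRENT = 100    # simultaneous connections accepted before new ones are refused


class GuardedServer:
    """Minimal HTTP-style server that (1) caps concurrent connections and
    (2) drops any connection whose headers do not arrive within a short
    deadline, so slow or half-open handshakes cannot pin server resources."""

    def __init__(self, header_timeout=HEADER_TIMEOUT, max_concurrent=MAX_CONCURRENT):
        self.header_timeout = header_timeout
        self.slots = asyncio.Semaphore(max_concurrent)
        self.served = 0
        self.rejected_slow = 0   # closed for not completing headers in time
        self.rejected_full = 0   # refused because every connection slot was busy

    async def handle(self, reader, writer):
        if self.slots.locked():
            # All slots taken: refuse immediately rather than queueing without bound.
            self.rejected_full += 1
            writer.close()
            await writer.wait_closed()
            return
        async with self.slots:
            try:
                # Bound the time spent waiting for the end-of-headers marker.
                await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), self.header_timeout)
            except (asyncio.TimeoutError, asyncio.IncompleteReadError,
                    asyncio.LimitOverrunError):
                # Deadline passed, peer hung up early, or headers were oversized.
                self.rejected_slow += 1
                writer.close()
                await writer.wait_closed()
                return
            writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
            await writer.drain()
            self.served += 1
            writer.close()
            await writer.wait_closed()


async def _exercise(header_timeout=0.2):
    """Start the server on a loopback port, connect one client that never sends
    its headers and one that does, and report what happened to each."""
    srv = GuardedServer(header_timeout=header_timeout, max_concurrent=10)
    server = await asyncio.start_server(srv.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]

    slow_r, slow_w = await asyncio.open_connection("127.0.0.1", port)  # sends nothing
    fast_r, fast_w = await asyncio.open_connection("127.0.0.1", port)
    fast_w.write(b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
    await fast_w.drain()
    fast_reply = await fast_r.read()   # server closes the socket after replying
    slow_reply = await slow_r.read()   # b"" once the server drops us at the deadline

    for w in (slow_w, fast_w):
        w.close()
        await w.wait_closed()
    server.close()
    await server.wait_closed()
    return {
        "served": srv.served,
        "rejected_slow": srv.rejected_slow,
        "rejected_full": srv.rejected_full,
        "fast_got_ok": fast_reply.endswith(b"ok"),
        "slow_got_nothing": slow_reply == b"",
    }


def run_demo(header_timeout=0.2):
    """Run the loopback exercise and return the counters as a dict."""
    return asyncio.run(_exercise(header_timeout))


if __name__ == "__main__":
    print(run_demo())
```

The same two controls exist as configuration on production web servers (for example, nginx's `client_header_timeout` and `limit_conn` directives), so the point of the example is the behaviour rather than the code: an idle handshake is cut off quickly, and the cap on concurrent connections is enforced before any per-request work is done.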
Tip 2: Use DDoS appliances to filter traffic.
Several companies offer DDoS mitigation appliances, which are specialized devices that inspect raw network traffic, identify DDoS activity, and either throttle or block suspicious activity so that benign traffic can get through. DDoS appliances are deployed either at the very edge of an agency's network perimeter (outside the firewall) or at an Internet service provider.
It is important to filter out malicious traffic before it reaches the primary computing infrastructure because firewalls, routers and other devices can be overwhelmed by a DDoS attack.
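The core of what such an appliance does, identify sources whose traffic rate is far outside the norm and throttle them while ordinary traffic passes, can be shown with a small sliding-window rate detector. This is an added example written for this article, not vendor code from any appliance; the flow records are constructed (documentation-range addresses, millisecond timestamps), and the window length and per-source packet budget are assumed values. The detector also tracks aggregate bytes in the window, which is the figure a capacity-headroom check from Tip 1 would compare against link bandwidth.

```python
from collections import defaultdict, deque


class RateDetector:
    """Sliding-window detector: a source is throttled once it has more than
    `max_pps` packets inside the last `window_ms` milliseconds. Aggregate bytes
    in the window are tracked as well so that link saturation can be observed."""

    def __init__(self, window_ms=1000, max_pps=20):
        self.window_ms = window_ms            # assumed window length
        self.max_pps = max_pps                # assumed per-source packet budget
        self.per_src = defaultdict(deque)     # src -> timestamps inside the window
        self.recent = deque()                 # (ts, nbytes) for every packet in the window
        self.window_bytes = 0
        self.peak_window_bytes = 0

    def observe(self, ts, src, nbytes):
        """Record one packet and return "allow" or "throttle" for it."""
        cutoff = ts - self.window_ms
        # Expire aggregate records older than the window.
        while self.recent and self.recent[0][0] < cutoff:
            _, old = self.recent.popleft()
            self.window_bytes -= old
        self.recent.append((ts, nbytes))
        self.window_bytes += nbytes
        self.peak_window_bytes = max(self.peak_window_bytes, self.window_bytes)
        # Expire this source's old timestamps, then count the new packet.
        q = self.per_src[src]
        while q and q[0] < cutoff:
            q.popleft()
        q.append(ts)
        return "throttle" if len(q) > self.max_pps else "allow"


def build_sample_flows():
    """Constructed traffic: one well-behaved client and one flooding source."""
    flows = []
    # Legitimate client: 5 packets per second for 3 seconds (constructed).
    for i in range(15):
        flows.append((i * 200, "203.0.113.10", 500))
    # Flooding source: 100 packets inside the second starting at t=1000 ms (constructed).
    for i in range(100):
        flows.append((1000 + i * 10, "198.51.100.7", 60))
    flows.sort()   # records arrive in time order
    return flows


def analyze(flows, window_ms=1000, max_pps=20):
    """Run the detector over the flows; return per-source verdict counts and
    the peak number of bytes seen inside any one window."""
    det = RateDetector(window_ms=window_ms, max_pps=max_pps)
    verdicts = defaultdict(lambda: {"allow": 0, "throttle": 0})
    for ts, src, nbytes in flows:
        verdicts[src][det.observe(ts, src, nbytes)] += 1
    return {"verdicts": dict(verdicts), "peak_window_bytes": det.peak_window_bytes}


if __name__ == "__main__":
    print(analyze(build_sample_flows()))
```

On the constructed input the legitimate client is never throttled, the flooding source is allowed its first 20 packets of the window and throttled for the remaining 80, and the aggregate view shows how much of the link the burst consumed at its peak. A real appliance applies many more signals (protocol anomalies, reputation data, packet shape), but the rate-budget logic here is the piece that lets benign traffic keep flowing while an abusive source is cut back.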
Tip 3: Subscribe to a DDoS mitigation service.
This new class of security service, which is typically cloud-based, performs many of the same functions as a mitigation appliance, intercepting DDoS traffic before it reaches the agency's infrastructure. Often, such services are configured to redirect suspicious network traffic to the provider's cloud at the first sign of a DDoS attack. The cloud has the resources to handle high volumes of DDoS traffic. The mitigation service then filters out malicious traffic and forwards normal data to the agency's infrastructure.
There are some distinct advantages to using a DDoS mitigation service. A managed service that has knowledge of attacks affecting one customer's infrastructure can leverage that information to better protect the infrastructure of other customers. Another potential benefit is the real-time response to emerging DDoS attacks.
The primary disadvantage of using a DDoS mitigation service is the increase in network latency it may cause. When active, the service routes all network communications — bad and good — to the provider's infrastructure, where even benign traffic is analyzed before being routed back to the agency's network. Still, with the rapid rise of DDoS attacks, a slightly slower response time is vastly preferable to a full-blown denial of service.