DDoS attacks can be incredibly disruptive, hence it is critical that organisations track developments in this rapidly-changing field and understand how to effectively mitigate attacks in real-time.
F5 Networks encouraged Middle East organisations to improve their DDoS attack awareness-levels and defenses to cope with growing threats in the region. “DDoS attacks are a significant concern in the region and beyond, and they’re expected to intensify over time as cybercriminals and hacktivists engage in an ‘arms race’ of sorts to seek out new ways to wreak havoc,” said Diego Arrabal, VP, Southern Europe and Middle East, F5 Networks, speaking ahead of this week’s Gartner Security & Risk Management Summit in Dubai.
According to survey by BT last month among key IT decision-makers, 41 per cent of organisations globally were hit by DDoS attacks over the past year, with three quarters of those (78 per cent) targeted twice or more. The survey reported that organisations take on average 12 hours to recover from the attacks, and customer complaints jumped by at least 50 per cent as a result.
In the event of a suspected attack, F5 Networks encourages organizations to :
Verify that there is an attack – Rule out common causes of an outage, such as DNS misconfiguration, upstream routing issues and human error.
Contact team leads – Gather the operations and applications team leads needed to verify which areas are being attacked. Make sure everyone agrees on which areas are affected and at risk.
Triage applications – Make triage decisions to keep high-value apps up and running. When under an intense DDoS attack and there are limited resources, focus on protecting revenue generators or other crucial applications.
Protect remote users – Keep business running: Whitelist the IP addresses of trusted remote users that require access and mainlist this list. Populate the list throughout the network and with service providers as needed.
Classify the attack – What type of attach is it? Volumetric? Slow and low? Service providers will identify if the attack is solely volumetric and may already have taken remediation steps.
Evaluate source address mitigation options – For advanced attack vectors that service providers can’t effectively mitigate, determine the number of sources. Block small lists of attacking IP addresses at the firewall. Block larger attacks with geolocation capabilities.
Mitigate application layer attacks – Identify the malicious traffic and whether it’s generated by a known attack tool. Specific application-layer attacks can be mitigated on a case-by-case basis with distinct countermeasures, which may be provided by existing solutions.
Leverage the security perimeter – Still experiencing issues? You could be confronting an asymmetric layer 7 DDoS flood. Focus on application-level defenses: login walls, human detection, or Real Browser Enforcement.
Constrain Resources – If previous steps fail, simply constraining resources, like rate and connection limit, is a last resort—as it can turn away both good and bad traffic. Instead, you may want to disable or blackhole an application .
Manage public relations – If the attack becomes public, prepare a statement and notify internal staff. If industry policies allow it, be forthright and admit you’re being attacked. If not, cite technical challenges and advise staff to direct all inquiries to the PR manager.