Sean Leach, VP of Technology for Verisign, says that - as more and more people realise that in today's cyber climate Distributed Denial of Service (DDoS) attacks are a matter of when, not if - the most common question he gets asked is "What can I do to prepare?"
He likes to break it down into five key steps that enterprises can take now to be prepared for a future attack:
1. Centralise Data Gathering and Understand Trends
This is true across all security topics, but the last thing you want to be is blind when a DDoS attack hits. Generally the DDoS attack timeline goes something like this for the head of network operations:
- 9:00 am - your monitoring system starts lighting up like a Christmas tree and your phone is blowing up with SMS alerts saying "the site is down."
- 9:01 am - your CEO calls you screaming "why is the site down?!?!?!?!"
Hopefully, you can answer that question, but without proper metrics and data gathering you can't possibly hope to identify the root cause. It could be a network circuit down, data centre failure, DDoS attack, etc. With proper data gathering and monitoring in place, you can quickly identify a DDoS attack as the cause, and you can start the process of getting the website back up and running. It's critical to identify the cause early as DDoS attacks can be quite complex and the sooner you jump on identification and remediation, the sooner the site will be back up.
At minimum, the metrics you should gather include:
- Inbound and outbound bandwidth on all of your network circuits, peering connections, etc.
- Server metrics: CPU load, network and disk I/O, memory, etc.
- Top talkers: top sources and destinations of traffic by IP and port.
- If you are running a website, you need to understand items like the top URLs being requested (compared with the top URLs usually requested), top HTTP headers, HTTP vs. HTTPS traffic ratios, etc.
All of these metrics (and there are many more I didn't cover) should then be sent to a central logging and correlation system so you can view and compare them from a single viewpoint. This helps you spot trends and quickly identify the sources and method of the attack. It is especially important for complex attacks where the problem is not obvious: it's easy to see when your network bandwidth is saturated, but when a botnet is simulating clicks on the "Add to Cart" button to overwhelm your database, that is much harder to spot, especially if you are trying to piece together data from many disparate systems.
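As an added illustration (this is example code, not anything from the article or from Verisign), the script below shows the kind of baseline-versus-now comparison the paragraph describes, applied to web server access logs. It parses lines in the common Combined Log Format, computes top talkers by source IP and top URLs for a "normal" window and for a "current" window, and flags paths whose share of traffic has jumped well above their baseline share. The log lines, IP ranges, timestamp and thresholds (10% minimum share, 3x baseline ratio) are all constructed for the example; tune them to your own traffic.

```python
"""Added example: spot an application-layer DDoS ("Add to Cart" flood) by comparing
per-URL request shares against a baseline window. Sample logs are constructed inline."""
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes "referrer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Aggregate by path only, so /search?q=a and /search?q=b count as one URL.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def summarize(lines):
    """Per-window metrics: total requests, top talkers, top URLs, HTTP method mix."""
    ips, paths, methods, total = Counter(), Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; in production, count these too
        total += 1
        ips[rec["ip"]] += 1
        paths[rec["path"]] += 1
        methods[rec["method"]] += 1
    return {"total": total, "ips": ips, "paths": paths, "methods": methods}


def path_share(summary):
    """Fraction of all requests each URL received in this window."""
    total = summary["total"] or 1
    return {p: n / total for p, n in summary["paths"].items()}


def anomalous_paths(baseline, current, min_share=0.10, ratio=3.0):
    """URLs taking >= min_share of current traffic and >= ratio times their baseline share.
    Returns (path, baseline_share, current_share) tuples, largest current share first."""
    base, cur = path_share(baseline), path_share(current)
    flagged = []
    for path, share in cur.items():
        b = base.get(path, 0.0)
        if share >= min_share and (b == 0.0 or share / b >= ratio):
            flagged.append((path, round(b, 3), round(share, 3)))
    return sorted(flagged, key=lambda t: -t[2])


def top_talker_concentration(summary, n=3):
    """Fraction of requests from the top n source IPs. A distributed botnet keeps this
    low, which is why top talkers alone will not reveal the attack below."""
    total = summary["total"] or 1
    return sum(c for _, c in summary["ips"].most_common(n)) / total


def make_line(ip, method, path, status=200, size=512):
    """Constructed log line (hypothetical fixed timestamp and user agent)."""
    return (f'{ip} - - [10/Oct/2023:09:00:01 +0000] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "Mozilla/5.0"')


# Constructed baseline: 85 requests of ordinary browsing from 40 client IPs.
BASELINE_LOG = (
    [make_line(f"203.0.113.{i}", "GET", "/") for i in range(1, 41)]
    + [make_line(f"203.0.113.{i}", "GET", f"/products/{i % 7}") for i in range(1, 31)]
    + [make_line(f"203.0.113.{i}", "POST", "/cart/add") for i in range(1, 6)]
    + [make_line(f"203.0.113.{i}", "GET", "/search?q=shoes") for i in range(1, 11)]
)

# Constructed attack window: some real users plus 200 distinct bot IPs each hitting
# "Add to Cart" once, so bandwidth and per-IP counts look unremarkable.
ATTACK_LOG = (
    [make_line(f"203.0.113.{i}", "GET", "/") for i in range(1, 31)]
    + [make_line(f"198.51.100.{i}", "POST", "/cart/add") for i in range(1, 201)]
)

if __name__ == "__main__":
    base, now = summarize(BASELINE_LOG), summarize(ATTACK_LOG)
    print("requests:", base["total"], "->", now["total"])
    print("top-3 talker share now:", round(top_talker_concentration(now), 3))
    for path, b, c in anomalous_paths(base, now):
        print(f"ANOMALY {path}: baseline share {b}, current share {c}")
```

Run stand-alone, the only flagged URL is /cart/add, while the top-3 talker share in the attack window is about 1%: per-IP counters and bandwidth graphs stay flat, and it is the per-URL comparison against the baseline that exposes the flood. The same approach works for any other metric you centralise (status code mix, header values, HTTP vs. HTTPS ratio) as long as you keep a baseline to compare against.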