With so much DoS and DDoS information going around from popular websites, CUNA, NCUA, and FBI, it’s hard to know what you can actually trust and what you can do to mitigate. I just wanted to take the time to sift through all of the information and provide a navigation guide for you.
The truth is that there are many small mitigation tactics scattered across a variety of websites, and a number of vulnerability assessments you can do yourself, but if the bandwidth of the attack is larger than the pipe it’s attacking, there is not much you can do to defend the company against it. You can buy an asset (such as a circuit) that is larger than the potential threat, but that gets expensive. The other option is to make your systems fault tolerant. There aren’t many cost-effective solutions available.
So what should you do to mitigate DDoS attacks and conduct your own vulnerability assessment? The first step is to understand that you need a DDoS Mitigation Plan in place that states exactly who is in charge of what. You most likely already have contacts that will help in the event of a DDoS attack. You just need to make sure you know what services they offer, paid or free, and have a contact plan. Most companies, like credit unions, have their IPS and/or firewall managed, so they should also have contacts and phone numbers for the ISP, the managed firewall provider, the managed IPS provider, and any other critical service provider. That alone is half the battle and will earn you bonus points from an auditor. What you don’t need to do is bust the company’s budget on an expensive DDoS mitigation package (unless the company can afford it).
The second thing you need to do is build a strategy around your assets so that they are fault tolerant. What do you need to have a strategy for? The following assets are what you will need to build your DDoS mitigation plan around in case these assets become stressed:
1.) Server
2.) Host-Based IPS (HIPS) on that server
3.) Internet Circuit (Ethernet, T1, Cable, DSL)
4.) Internet Router
5.) Internet Facing IPS
6.) Internet Facing Firewall
7.) Local Area Network (LAN) Facing IPS
So, if an attack happens on one of these assets, what do you do? A company should work closely with its Internet Service Provider (ISP), as the ISP is usually the company’s best chance at neutralizing the threat, unless the company is working with an expensive third-party DDoS mitigation company. This means that you should have a documented DDoS mitigation plan that includes a contact, phone number, and list of both paid and free services the ISP offers. Many times the ISP can block the incoming traffic for you for free. Call up your ISP and see what they offer.
If your company is taking advantage of offsite hosting, it is imperative that you obtain the hosting company’s DDoS Mitigation Plan as well.
Simple vulnerability assessment steps you can take right now:
1.) Prepare your mitigation plans. This doesn’t mean that you have to create a book on steps you need to take, but it does mean that you should have some sort of plan in place.
2.) Disable all unnecessary ports. The best way to do this is to use Nmap to find out which ports are open, compare the result against the ports each server actually needs, and close the rest.
3.) Use Access Control Lists to limit access to only specific hosts, ports, and services required.
4.) Update your anti-virus software. The best way to accomplish this is to use some sort of anti-virus management console to make sure all machines are updated with the most current signatures.
5.) Make sure you are consistent with your patching. You should be using some sort of patch management console to make sure that you are using the most current patches after Patch Tuesday.
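Steps 2 and 3 above are easiest to keep up with if the Nmap result is checked against a written baseline of which ports each host is supposed to expose, rather than eyeballed each month. The script below is an added example, not from the original post: it parses Nmap's grepable output (`nmap -oG -`) and reports any open port that is not on the host's approved list. The scan output and the `BASELINE` allowlist are constructed sample data; in practice you would feed it the saved output of your own scan and maintain the baseline alongside your ACLs.

```python
"""Compare open ports reported by nmap (grepable -oG output) against a per-host allowlist.

Added example for the port-reduction step; the scan text and baseline below are
constructed, not taken from a real network.
"""
import re

# Constructed sample of `nmap -oG -` output for two hosts (not a real scan).
SAMPLE_NMAP_OG = """# Nmap scan initiated as: nmap -oG - 192.0.2.10 192.0.2.20
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
# Nmap done
"""

# Hypothetical approved baseline: the TCP ports each host is allowed to expose.
# Maintain this next to your ACLs so the two stay in step.
BASELINE = {
    "192.0.2.10": {22, 443},
    "192.0.2.20": {22},
}

# Grepable port entries look like port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)")


def parse_open_ports(grepable_output):
    """Return {host: {(port, proto, service), ...}} for every open port in -oG text."""
    result = {}
    for line in grepable_output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the tab before "Ignored State:".
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, proto, service in PORT_RE.findall(ports_field):
            result.setdefault(host, set()).add((int(port), proto, service))
    return result


def unexpected_ports(observed, baseline):
    """Open ports not in the host's baseline; a host with no baseline gets everything flagged."""
    findings = {}
    for host, entries in observed.items():
        allowed = baseline.get(host, set())
        extra = sorted(e for e in entries if e[0] not in allowed)
        if extra:
            findings[host] = extra
    return findings


def report(findings):
    """One human-readable line per unexpected port, suitable for a ticket or e-mail."""
    lines = []
    for host in sorted(findings):
        for port, proto, service in findings[host]:
            lines.append(f"{host}: {port}/{proto} ({service or 'unknown'}) is open but not in baseline")
    return lines


if __name__ == "__main__":
    observed = parse_open_ports(SAMPLE_NMAP_OG)
    for line in report(unexpected_ports(observed, BASELINE)):
        print(line)
```

Running it against a real scan means replacing `SAMPLE_NMAP_OG` with the saved `-oG` file contents; anything it prints is either a port to close, an ACL to tighten, or a deliberate change that should be added to the baseline with a note of who approved it.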
The most effective thing you can do is stay very consistent. That means having a system in place to make sure the steps above are adhered to and followed without fail. A recurring calendar notification for each of these tasks works well.