Preparing for denial-of-service incidents
Denial-of-service (DoS) attacks aim to exhaust your resources and take your operations offline. They can have a significant effect on your business operations and are important to prepare for.
There are three types of DoS attacks, those which:
- attempt to exhaust bandwidth with a flood of requests (also called a volumetric DoS attack)
- attempt to consume network-level resources with a flood of packets (also called a protocol DoS attack)
- attempt to flood a web server with a large number of valid requests, or a small number of specially crafted invalid requests (also called an application layer DoS attack).
DoS attacks frequently use multiple sources to send traffic to the target, this is referred to as a distributed-denial-of-service (DDoS) attack.
Protecting against each type of DoS attack requires a slightly different approach.
We have seen that DoS attacks can have a significant impact on business operations. Even if they don’t take down a system or a service for long, a well-timed attack during peak hours or against time-sensitive services can have substantial ongoing effects. Reducing the impact of these attacks requires some planning.
The following steps can help you prepare for a DoS event.
1. Understand your environment
The first step in protecting your organisation is to understand what systems and services are accessible from the internet. These might include:
- customer-accessible websites or services
- staff-dependant websites or services (such as web mail or VPN systems)
- supporting infrastructure services (such as DNS)
- network equipment that sit at the public edge of your networks (such as firewalls and gateways)
- any systems you host on third-party networks (such as cloud-based or infrastructure-as-a-service).
2. Identify what needs protection
Once you understand your environment, you can identify which systems or services pose the most risk to your operation should they be subject to a DoS attack and taken offline. This includes the critical business processes that rely on the systems and services you identified as these are the ones that will need protecting.
In determining this list, ask yourself the following questions.
- If this system or service went offline, would this have a negative impact to your customers or staff?
- If this system or service went offline, could your business continue to carry out important operational processes and functions?
- For any of these situations, how long could these systems or services be offline before the business is unable to withstand and survive the impacts?
- What other services would be affected by an attack against this system? For example, if a volumetric attack was launched against your website which shares an internet connection with the rest of your organisation, what other impacts would there be?
Now that you know which systems and services need protecting, you’ll need to determine which controls are going to be most effective in protecting them. For example:
- Hosts running web services are vulnerable to application layer DoS attacks. They will need controls that can separate bot traffic from real traffic on your website.
- Any internet facing infrastructure or services can be vulnerable to protocol DoS attacks. They will need controls that can detect when bots are exhausting resources before the host is overloaded.
- Any internet connection is vulnerable to volumetric DoS attacks. They will need controls that can absorb or re-direct large spikes in bandwidth.
3. Understand what your internet provider can control
Your internet or network service provider can put certain protection controls in place. For instance, they are best placed to implement controls that support and protect against volumetric DoS attacks, as the bandwidth hitting your system will need to pass through their network first. They may provide a “scrubbing” service to remove the DoS traffic without interrupting legitimate traffic.
These services are likely to cost more, make sure you talk to your provider about your requirements. It’s a good idea to have these discussion early as these will need to be in place prior to an attack taking place.
It is important to find out how much traffic the provider can manage before they feel the impact and your organisation is affected.
4. Implement additional controls
You’ll also need to put controls in place so the attack can be mitigated before it reaches your system or service. This might involve adding a network or service upstream from your system. Examples of these controls include:
- Content Distribution Networks (CDN)
- specialised network devices
- other managed services.
We have more information on DoS mitigations.
5. Document your incident response plan
Once you’ve implemented the controls appropriate to your critical websites and services, you’ll need to document or update your incident response plan. The unique nature of DoS attacks makes them a great playbook for demonstrating how your organisation should respond.