According to a recent Neustar report, a distributed denial-of-service (DDoS) attack can cost a company up to $100,000 an hour, not to mention the brand damage and almost certain customer dissatisfaction because of downed websites and support line overload. We cannot afford an attack like this on our network, but I'm also unsure if we can afford to implement DDoS-mitigation hardware. What's the best plan of action in this case? Are there any network-hardening or network-configuration tactics we can employ that are fairly cheap and cost-effective?
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
As distributed denial-of-service attacks continue to grow in both size and scope, it's natural for companies to feel the need to protect their systems, customers and reputations. Over the past few years, we've seen DDoS attacks used heavily by both criminals and hacktivists with devastating effects to the systems and reputations of targeted organizations.
Putting a dollar figure on downtime, as some groups have done, is not an exact science. The total cost differs for each company because of the following variables:
- When is the attack taking place? Is this attack taking place during an organization's peak business time? Or is it happening during normal hours?
- What is the nature of the company's business? Is this a large financial institution or an SMB? The larger the company, the more money it can lose via an attack.
- What is under attack? If the organization is an e-commerce company and the attackers are hitting its Web servers, the company will likely lose a lot more than if the attackers were hitting mail servers.
- Are the attackers disrupting a service or merely degrading it? Many distributed denial-of-service attacks do not succeed in knocking a service over completely, but they can slow it down significantly. That is still better than being completely shut down.
Companies need to understand these variables in order to figure out the potential financial damage that can be incurred. That said, the reputational cost will most likely be much more in the long term than the initial attack.
Now that we know that the cost of a DDoS should be based on several variables, let's look at a few ways to help protect a company's network from an attack. It should be noted, however, that as the prevention techniques go up in power and effectiveness, so do the costs of implementation.
It's important to remember that there are two forms of DDoS attacks: the network-centric attack, which aims to overload a service with sheer bandwidth, and the application-layer attack, which aims to overload a service or database with application calls. With this in mind, here are three DDoS prevention techniques to help ward off an attack. But, be forewarned. There is no silver bullet and even with these prevention methods in place, systems are still susceptible to outages and slowed service.
Home-grown hardening of your company's perimeter and DMZ will go a long way toward defending against smaller-level DDoS attacks; it might also help your organization weather some medium-sized application-layer attacks, as well as small to medium-sized network-layer attacks. Determine what you have in place currently and see if you can limit or lessen attacks with your current equipment and systems. This includes, for example:
- Rate limiting on the firewall or load balancers.
- Determining the thresholds that your company's equipment can take for an application layer attack and cutting off or removing a service if needed.
- Creating a procedure to contact your ISP.
- If possible, performing geo-IP blocking on an edge device.
- Configuring monitoring to alert you when there is an uptick in traffic or suspicious traffic overloading a site.
- Implementing an incident response procedure for a DDoS attack and making sure everyone in your group is aware of this response procedure.
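The rate-limiting thresholds and traffic-uptick alerting in the list above both come down to counting requests per client and per time window. The following script is an added example, not code from the original column or from any vendor: it parses constructed web-server access-log lines (addresses from the RFC 5737 documentation ranges, timestamps made up), applies a sliding-window per-client rate check of the kind a firewall or load balancer enforces, and compares total requests per fixed window against an assumed baseline to decide when monitoring should alert. The thresholds (10 requests per 10 seconds per client, 3x a baseline of 4 requests per window) are illustrative; a real deployment would derive them from the capacity testing the second bullet describes.

```python
"""Added example: request-rate checks over access-log lines for DDoS monitoring.
Sample log lines, addresses and thresholds are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard Apache/Nginx access-log layout: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed traffic: a handful of ordinary visitors over one minute, one line of junk
# that must be skipped, then a single client sending 40 requests within five seconds.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Jan/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 1043
198.51.100.11 - - [10/Jan/2013:10:00:04 +0000] "GET /catalog HTTP/1.1" 200 5120
198.51.100.10 - - [10/Jan/2013:10:00:09 +0000] "GET /catalog/item/42 HTTP/1.1" 200 2210
198.51.100.12 - - [10/Jan/2013:10:00:15 +0000] "POST /cart HTTP/1.1" 302 0
198.51.100.13 - - [10/Jan/2013:10:00:22 +0000] "GET /support HTTP/1.1" 200 1800
198.51.100.11 - - [10/Jan/2013:10:00:27 +0000] "GET /checkout HTTP/1.1" 200 3300
this line is not in log format and must be skipped
198.51.100.14 - - [10/Jan/2013:10:00:48 +0000] "GET /about HTTP/1.1" 200 900
""".splitlines()
# Burst from 203.0.113.7: eight requests per second for seconds :30 through :34.
SAMPLE_LOG += [
    f'203.0.113.7 - - [10/Jan/2013:10:00:{30 + k // 8:02d} +0000] '
    f'"GET /search?q=x HTTP/1.1" 200 512'
    for k in range(40)
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "request": m.group("request"),
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
    }


def parse_log(lines):
    """Parse all lines, drop unparseable ones and return events sorted by time."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def clients_over_rate(events, max_requests, window_seconds):
    """Sliding-window per-client rate check (the logic behind a firewall or
    load-balancer rate limit). Returns {ip: time at which it first exceeded}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] >= window:
            q.popleft()           # expire requests older than the window
        if len(q) > max_requests and e["ip"] not in flagged:
            flagged[e["ip"]] = e["ts"]
    return flagged


def traffic_spike_windows(events, window_seconds, baseline_per_window, factor=3.0):
    """Count total requests per fixed window and return the start time of every
    window exceeding factor * baseline: the condition a monitoring alert fires on."""
    if not events:
        return []
    start = events[0]["ts"]
    counts = defaultdict(int)
    for e in events:
        bucket = int((e["ts"] - start).total_seconds()) // window_seconds
        counts[bucket] += 1
    return [start + timedelta(seconds=b * window_seconds)
            for b, c in sorted(counts.items()) if c > factor * baseline_per_window]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("parsed events:", len(evts))
    for ip, when in clients_over_rate(evts, max_requests=10, window_seconds=10).items():
        print(f"rate limit candidate: {ip} exceeded 10 req/10s at {when.isoformat()}")
    for when in traffic_spike_windows(evts, 10, baseline_per_window=4):
        print(f"alert: request volume above 3x baseline in window starting {when.isoformat()}")
```

Feeding a live log tail into `parse_log` and running both checks on a schedule gives the uptick alert from the list above; the per-client output is what you would translate into a firewall or load-balancer rule. Note that the spike check only tells you that volume is abnormal, which is exactly the point at which the ISP-contact procedure should start, since a bandwidth-level flood will not be solved by anything you do on your own equipment.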
DDoS appliances from vendors like Arbor Networks, Check Point Software Technologies, Fortinet, and others like Neustar also help prevent distributed denial-of-service attacks. These appliances are normally installed at the company's edge and use attack signatures and baselining to detect an attack. While sophisticated, they are also expensive. They do provide proactive protection: deployed either inline or in monitoring mode, they can switch themselves into blocking mode when needed. They offer strong reporting and alerting and can protect a company's network from various types of DDoS attacks.
Beyond the expense, another downside to these devices is that they require constant management by trained staff. And against a network-centric attack an enterprise is largely at the mercy of its ISP: once the attack saturates all available network bandwidth, there is little an on-premises device can do to help.
My last suggestion has the greatest potential for mitigating and absorbing a DDoS attack: using cloud or content delivery network (CDN) vendors to mitigate and remediate the malicious traffic before it even reaches your company's endpoints. Companies like Prolexic Technologies and Akamai Technologies offer services that filter traffic through their own networks before it reaches their customers. When searching for a cloud or CDN DDoS protection provider, look for one that is carrier agnostic and won't lock you into one ISP. These types of installs allow for great baselining of traffic, as well as mitigation of attacks, but they cost the most to implement.
So these suggestions are ways to contain a DDoS attack. Even with these services in place, it's still possible for DDoS attacks to be successful. Taking a layered approach with a few of these suggestions working in tandem will improve a company's chances of surviving such an attack.
This was first published in January 2013