Distributed Denial of Service (DDoS) attacks were one of the most concerning attack trends of 2013/2014 for security engineers, IT personnel, business owners and government officials. According to the X-Force Intelligence Report, DDoS attacks were second only to SQL injection. The upsurge of recent DDoS activity has been credited to politically motivated attackers who routinely organize "operations" and target the infrastructure of governments or companies that they perceive as enemies. Common targets of these organizations include banks, schools, non-profit organizations, small businesses, enterprises and newspapers. Banks, however, seem to be the primary focal point for these attackers. According to a recent survey by the Ponemon Institute, as many as 64% of banks surveyed have been hit by at least one DDoS attack in the last 12 months.

The anatomy of a Denial of Service attack is very complicated. Depending on the tools and resources available to the attacker, the attack may be initiated using a single computer targeting a single resource, or it could be millions of computers sending millions of packets to a single target or to multiple targets. In almost all cases, attackers will first compromise hundreds or thousands of computers, add them to botnets, and use them as sources of the attack. Using botnets provides three advantages: 1) it allows an attacker to exponentially increase the amount of traffic used in the attack, therefore increasing the likelihood of success; 2) it makes the attack geographically dispersed and therefore harder to mitigate; and 3) it allows the attacker to hide their identity so they won't get caught. To add to the complexity, authors of the modern tools used for these attacks include constantly changing evasion techniques to further reduce the likelihood of detection.
Regardless of the motivations, tools, or methods used to deliver this malicious activity, system administrators, security engineers and IT personnel face the daunting challenge of defending their network resources from these attacks. To effectively prepare for and mitigate DDoS attacks, security professionals must have a mitigation plan in place, provide around-the-clock monitoring, and have a response plan in the event they do get attacked. IBM Security and IBM Security X-Force recommend that customers use the following best practices to protect themselves against these attacks.

Best Practice #1 - Secure Your Network

The first step is to secure all of the network resources in your infrastructure, not just resources that may be susceptible to denial of service. Protecting your network infrastructure will help stop attackers from compromising servers, laptops, desktops and other resources used to build botnets, which can then participate in denial of service attacks from inside your network. IBM Security appliances can help prevent assets from being compromised, provide protection against application layer attacks, and help prevent low- to mid-volume network DDoS attacks. There are several steps you need to take to secure your network resources:

- Perform frequent scans on your web services and ensure that you fix your vulnerable web applications to reduce the risk of compromise.
- Perform frequent scans on your network assets and ensure that all vendor patches for operating systems and network applications have been applied to reduce the risk of compromise.
- Ensure that your network is protected by intrusion prevention and other threat management systems to help protect your network assets from being compromised, defend against low- to medium-volume DoS attacks, and help mitigate exposure to layer 7 DoS attacks.
- Ensure that you have an advanced SIEM solution in place to take advantage of consolidated security event reporting, log collection, and anomaly detection, which will help detect DDoS activity and detect and mitigate the advanced persistent threats used to compromise network assets.

Best Practice #2 - Plan, Recover, Detect and Mitigate

The second step is to ensure that you have chokepoints throughout the network to detect and mitigate Denial of Service attacks, as well as capacity plans, expertise, and processes in place to recover from a DDoS attack. Consider deploying a managed service that provides:

- Constant 24 x 7 monitoring and mitigation of Denial of Service attacks
- The right mix of processes, people, and technology to defend your infrastructure from both volume-based and application-based DDoS attacks
- Tools to help plan for and implement the resource capacity that can scale to your organization
- A plan for normal volume surges as well as DDoS attacks, by testing and setting a baseline for current network, web, and application resources (including private virtual environments as well as public cloud service providers)
- Traffic limiting and load balancing within the existing environment to help customers keep their network running while under attack
- Deployment of an edge device, or a farm of devices, with the capacity to handle anticipated surges that allows valid traffic and blocks bad traffic
- Alert and notification procedures, assigned priority levels, call-out lists, response and escalation actions, communication activities and other considerations

To obtain more information about IBM DDoS solutions, contact your IBM sales team and reference the following URLs:

IBM DDoS Solution Descriptions - http://www-935.ibm.com/services/be/en/itservices/managed-ddos-protection.html
IBM DDoS Video - http://asld01.elearn.ihost.com/ibmdemos/jay/security/ddosdemo.swf
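The baseline-and-anomaly-detection idea behind the SIEM item in Best Practice #1 and the baselining item in Best Practice #2, shown as an added example that is not IBM's code or part of the original article: a training window of normal per-minute request volume sets a threshold, a later minute that exceeds it raises an alert, and the alert notes whether a few sources carry most of the surge (the case where per-source rate limiting at a chokepoint is likely to help). The log format, helper names and thresholds are all assumptions; the log lines are constructed.

```python
"""Volumetric baseline check over constructed web-server log lines
(hypothetical helper, not IBM's tooling or a real SIEM rule)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: "<epoch_minute> <client_ip> <status>" per line.
# Minutes 0-9 are normal traffic (40-50 requests/minute from many
# clients); minute 10 is a surge of 600 requests from only four sources.
LOG_LINES = (
    [f"{m} 10.0.{m % 5}.{i} 200" for m in range(10) for i in range(40 + (m % 3) * 5)]
    + [f"10 198.51.100.{i % 4} 503" for i in range(600)]
)


def parse(lines):
    """Return {minute: Counter(client_ip -> requests)} from the log format."""
    per_minute = defaultdict(Counter)
    for line in lines:
        minute, ip, _status = line.split()
        per_minute[int(minute)][ip] += 1
    return per_minute


def baseline(per_minute, window):
    """Mean and population std-dev of requests/minute over the training window."""
    counts = [sum(per_minute[m].values()) for m in window]
    return mean(counts), pstdev(counts)


def flag_anomalies(per_minute, window, k=3.0, top_n=3, concentration=0.5):
    """Alert on any minute outside `window` whose volume exceeds
    mean + k*stddev of the baseline; mark it 'concentrated' when the
    top_n sources account for at least `concentration` of the requests."""
    mu, sigma = baseline(per_minute, window)
    threshold = mu + k * sigma
    alerts = []
    for minute in sorted(per_minute):
        if minute in window:
            continue
        total = sum(per_minute[minute].values())
        if total > threshold:
            top = sum(c for _, c in per_minute[minute].most_common(top_n))
            alerts.append({"minute": minute, "requests": total,
                           "threshold": round(threshold, 1),
                           "concentrated": top / total >= concentration})
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(parse(LOG_LINES), range(10)):
        print(alert)
```

A real deployment would train the baseline per time-of-day and per resource, since a lunchtime surge on one application is normal volume for another.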