Distributed Denial of Service Attacks (DDoS) were one of the most concerning attack trends in
2013/2014 for security engineers, IT personnel, business owners and government officials. According to
the X-Force Intelligence Report, DDoS attacks were second only to SQL Injection.
The upsurge of recent DDoS activity has been credited to politically motivated attackers who routinely
organize "operations” and target the infrastructure of governments or companies that they perceive as
enemies. Common targets of these organizations include banks, schools, non-profit organizations, small
businesses, enterprises and newspapers. Banks, however, seem to be the primary focal point for these
attackers. According to a recent survey by the Ponemon Institute, as many as 64% banks surveyed have
been hit by at least one DDoS attack in the last 12 months.
The anatomy of a Denial of Service attack is very complicated. Depending on the tools and resources
available to the attacker, the attack may be initiated using a single computer targeting a single resource,
or it could be millions of computers sending millions of packets to a single or multiple targets. In almost
all cases, hackers will first compromise hundreds or thousands of computers, add them to botnets, and
use them as sources of the attack. Using botnets provides three advantages: 1) it allows an attacker to
exponentially increase the amount of traffic used in the attack therefore increasing the likelihood of
success;2) makes the attack geographically disperse and therefore harder to mitigate; and 3) it allows
the attacker to hide their identity so they won't get caught. To add to the complexity, authors of
modern day tools used for these attacks include constantly-changing evasion techniques to further
reduce the likelihood of detection.
Regardless of the motivations, tools, or methods used to deliver this malicious activity, system
administrators, security engineers and IT personnel face the daunting challenge of defending their
network resources from these attacks. To effectively prepare for and mitigate DDoS attacks, the security
professionals must have a mitigation plan in place, provide around-the-clock monitoring, and have a
response plan in the event they do get attacked. IBM Security and IBM Security X-Force recommended
that customers use the following best practices to protect themselves against these attacks.
Best Practice #1 – Secure Your Network
The first step is to secure all of the network resources in your infrastructure, not just resources that may
be susceptible to denial of service. Protecting your network infrastructure will help stop attackers from
compromising servers, laptops, desktops and other resources used build botnets which can then
participate in denial of service attacks from inside your network. IBM Security appliances can help
prevent assets from being compromised, provide protection against application layer attacks, and help
prevent and low- to mid-volume network DDoS attacks.
There are several steps you need to take to secure your network resources.


Perform frequent scans on your web services and ensure that you fix your vulnerable web
applications to reduce the risk of compromise.
Perform frequent scans on your network assets and ensure that all vendor patches for operating
systems and network applications have been applied to reduce the risk of compromise.


Ensure that your network is protected by intrusion prevention and other threat management
systems to help protect your network assets from being compromised, defend against low to
medium volume DoS attacks, and help mitigate exposure to layer 7 DoS attacks.
Ensure that you have an advanced SEIM solution in place to take advantage of consolidated
security event reporting, log collection, and anomaly detection which will help detect DDoS
activity and detect and mitigate advanced persistent threats used to compromise network
assets.
Best Practice #2 - Plan, Recover, Detect and Mitigate
The second step is to ensure that you have chokepoints throughout the network to detect and
mitigate Denial of Service attacks, as well as capacity plans, expertise, and processes in place to
recover from a DDoS attack. Consider deploying a managed service that provides:







Constant 24 x 7 monitoring and mitigation of Denial of Service attacks
The right mix of processes, people, and technology to defend your infrastructure from both
volume-based and application-based DDoS attacks
Tools to help plan for and implement the resource capacity that can scale to your organization
A plan for normal volume surges as well as DDoS attacks by testing and setting a baseline for
current network, web, and application resources (including private virtual environments as well
as public cloud service providers)
Traffic limiting and load balancing within the existing environment to help customers keep their
network running while under attack
Deployment of an edge device or a farm of devices with the capacity to handle anticipated
surges and allows valid traffic and block bad traffic.
Alert and notification procedures, assigned priority levels, call-out lists, response and escalation
actions, communication activities and other considerations
To obtain more information about IBM DDoS solutions, contact your IBM sales team and reference the
following URLs:
IBM DDoS Solution Descriptions - http://www-935.ibm.com/services/be/en/itservices/managed-ddos-protection.html
IBM DDoS Video - http://asld01.elearn.ihost.com/ibmdemos/jay/security/ddosdemo.swf