DDoS Best Practices
A distributed denial-of-service attack (DDoS) is one of the toughest foes a site can face — and nowadays one of the most high-profile. Companies, governments, and political organizations often find themselves under attack, and many times the attackers want “credit” for the attack. Yet, despite this, most DDoS attacks on large sites are foiled and aren’t reported widely. For users and site owners, they are background noise that never surfaces.
Our team must pay close attention to DDoS attacks in part because there are so many of them. We see small DDoS attacks every day, averaging 150,000 connects per second. Those are easily managed. It’s when we see millions of connects per second that we have to take more aggressive action.
We’re able to manage most attacks on our clients’ sites, but we do find it useful to be purposefully vague when we discuss our mitigation techniques in public. We don’t want to tell attackers how we handle their attacks — doing that just tells people how to hack us more effectively.
Instead, we focus on sharing best practices. Here are five steps sites can take that make DDoS attacks less frequent and, when they do happen, less debilitating.
- Assume you are always under attack.
Due to the size and scale of the Internet and the countermeasures that the good guys have put into place, more than 99% of the time a DDoS attack doesn’t have a major effect; once in a while there’s a massive attack that does. Why are there so many attacks? Because standard Internet practices make it so easy. For example, reverse path filtering (dropping packets whose source address is not reachable back through the interface they arrived on) is turned off by default on most routers. Since DDoS attacks tend to come from spoofed IP addresses, turning on reverse path filtering at the ISP level (customers can’t do it themselves) can be an effective way of countering them. And spoofed IP addresses are only one category. There are many different types of DDoS attacks (DNS, HTTP, etc.); make sure your defenses account for all of them.
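As an added illustration, not code from the original post, here is a small Python model of the reverse path filtering decision described above: a packet is accepted in strict mode only if the longest-prefix route to its source address points back out the interface it arrived on, while loose mode merely requires that some route to the source exists. The routing table, interface names and sample packets are constructed for the example.

```python
import ipaddress

# Constructed routing table for an edge router: (prefix, egress interface).
# eth0 faces the upstream Internet; eth1 and eth2 face two customers.
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route toward the Internet
    ("198.51.100.0/24", "eth1"),  # customer A (documentation range)
    ("203.0.113.0/24", "eth2"),   # customer B (documentation range)
]


def lookup(table, addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_accept(table, src, ingress, mode="strict"):
    """Reverse path filtering verdict for a packet from src arriving on ingress."""
    iface = lookup(table, src)
    if iface is None:
        return False            # no route back to the source: drop in both modes
    if mode == "loose":
        return True             # loose RPF: any route to the source is enough
    return iface == ingress     # strict RPF: route must point back out the arrival port


def filter_packets(table, packets, mode="strict"):
    """Return (src, ingress, accepted) for each constructed (src, ingress) packet."""
    return [(src, ingress, rpf_accept(table, src, ingress, mode)) for src, ingress in packets]


if __name__ == "__main__":
    # Constructed traffic: legitimate customer traffic, a customer spoofing another
    # customer's range, and an outside host spoofing customer A's address.
    packets = [
        ("198.51.100.7", "eth1"),  # customer A, genuine source: accept
        ("203.0.113.9", "eth1"),   # customer A spoofing customer B: drop
        ("192.0.2.1", "eth1"),     # customer A spoofing an Internet host: drop
        ("198.51.100.7", "eth0"),  # Internet host spoofing customer A: drop
        ("192.0.2.1", "eth0"),     # ordinary inbound Internet traffic: accept
    ]
    for src, ingress, ok in filter_packets(ROUTES, packets):
        print(f"{src:>14} on {ingress}: {'accept' if ok else 'DROP'}")
```

With the default route present, strict mode on the customer-facing ports drops every packet whose source is not in that customer's own prefix, which is exactly the spoofed traffic a DDoS relies on.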
- Be wary of phishing.
It’s a lot easier to attack something if you have keys to what you’re attacking. Phishing is a highly effective way to gain website credentials. Needless to say, that’s important for countering more than just DDoS attacks. The satirical website The Onion recently had its Twitter account compromised; its engineers have posted a candid, transparent report of how that happened, including a handy “don’t let this happen to you” list of bullet points for staying phish-free. DDoS attacks get the headlines, but they’re far from the only security concern.
- Work with a content delivery network (CDN).
Yes, we’re in the CDN business at Verizon Digital Media Services, but this is good advice. Many people think of CDNs primarily as a way to deliver content more quickly — and they are — but another major benefit of signing up with a CDN is the additional layers of protection that come with it. The distributed nature of a CDN also helps absorb DDoS attacks. CDNs also monitor their networks 24/7 and have both automatic and manual resources in place to reduce the impact of attacks; in many cases the customer doesn’t have to worry about it.
- If you work with a CDN, don’t make exceptions.
We find customers can run into problems when they publish nearly all of their content on a CDN, but for some reason put 2% or so of their public-facing content on a static server. A savvy DDoS attack can target that exposed 2% of content and bring down the whole site. How a site distributes content is quite important.
- Audit regularly.
Don’t let the attack be the first time you test your defenses. Auditing makes sure your mitigation plans work as expected. And you may want to have a cloud-based security provider manage this — it’s a way to make sure you’re ready for the 3 a.m. attack without being awake yourself.
Just as the first rule of Fight Club is you do not talk about Fight Club, the first rule of countering DDoS attacks is not to boast about how good you are at countering DDoS attacks. The day-in, day-out success of the Internet shows how good a job security and network engineers are doing, but vigilance on the part of customers makes it a lot easier for those engineers to keep sites up and running.