What Your Credit Union Can Do Against DDoS Attacks

by Pierluigi Stella,  Network Box USA

Just as the end of the year is when we are asked to make forecasts, the beginning of a new year brings its own question, the one uppermost in people’s minds being, “where should I spend my money this year?”.

Note that the two aren’t necessarily unrelated; there’s a certain level of correlation, of course, between knowing what to expect and knowing where to spend the money.  So, going back to our ‘predictions’, if we’re to expect more DDoS attacks (as I write this, I just learned that another large company was under attack and, consequently, one of my customers had to delay some major changes in their network), we need to start considering that these attacks will not always target large companies.

Increasingly, smaller companies are falling victim to DDoS attacks, often for ‘fun and lulz’, other times for specific and varying reasons – whatever the agenda, the result is always the same.  The small company is simply unprepared to fend for itself, and business stalls until the attack is over.

So what do you do?

This is rather a conundrum, because a DDoS defense can cost well into the hundreds of thousands of dollars, and it makes little to no business sense to spend that kind of money simply because maybe, someday, someone might possibly attack my network for 2 hours or 2 days!

The approach I would take here is similar to how we consider Disaster Recovery (DR) projects – consider the risk, evaluate how much you stand to lose if the attack lasts, say, 2 days, and investigate the probability of this truly happening.  Next, put a number to all this, if you can, and compare it with the cost of defenses.  A small DDoS defense starts at around $25,000, but it can go very, very, very high.  The difference lies in the power of the hardware, which translates into how many packets per second you can fend off.  Something between 200 and 300 thousand packets per second is already a large number; consider that if the attack is more severe than that, your ISP will suffer as well, and you may not be the only one having problems.  Therefore, attempting to implement too large a defense isn’t only costly but, quite possibly, useless.  You should set up defenses against small attacks: small enough not to cause issues for the ISP, but large enough to cause issues for your network.

There are other things you can do as well.

Most of these attacks now target the application layer, not just the transport layer with SYN floods.  For instance, if you only have 2 authoritative DNS servers, a DoS attack which takes both of them down will, in effect, render your domain inaccessible from the Internet, because no one can find your IP addresses (once the cached records’ TTLs expire, your domain will have gone into oblivion).  If possible, set up multiple DNS servers, in different geographical locations, and hosted by different providers.  There isn’t any point in having all of them hosted with one provider – if they’re under attack, all their customers end up being unreachable!

When talking about application layer attacks, you also need to consider which of your applications are exposed to the Internet and which protocols they use.  Most likely, you’re running some form of web server, and a DDoS combined with a web application attack is more than likely.  If you have web applications, a WAF is almost mandatory.  Do not hope that a firewall and a traditional IPS can do the whole job.

An IPS cannot distinguish between a legitimate URL and one carrying a “delete all the database” command aimed at your server – well, not always, anyway.  A WAF, on the other hand, is built to do just that.

Finally, if you can and have the resources, make yourself a moving target.  The cloud is your friend in this case.  Put your resources in the cloud (so if the attack happens, it hits the provider’s network rather than your corporate network – rather selfish thinking, but hey, it’s survival of the fittest!); then keep a copy somewhere else, and set up your DNS so that you can easily point resolution at either copy.  Should one be under attack, hopefully the other is far enough away (logically and physically) that you can simply move your DNS to it and continue business as usual.
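To make the DNS advice concrete, here is an added example (not from the article or from Network Box) that scores a zone’s nameserver set for provider and network diversity and checks whether the A-record TTL is short enough for the DNS failover just described. The nameserver names, addresses and provider labels are constructed; provider labels are assumed to be supplied by the operator (from whois/ASN data) so the script runs offline.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NameServer:
    host: str
    ip: str
    provider: str  # hosting provider; from whois/ASN data in practice, constructed here


def assess_dns_resilience(nameservers, a_record_ttl, failover_window):
    """Report whether the nameserver set survives one provider or one network
    going down, and whether resolution can be re-pointed within failover_window
    seconds (the A-record TTL bounds how long resolvers keep the old address)."""
    providers = {ns.provider for ns in nameservers}
    # Servers in the same /24 share a network path and tend to fail together.
    networks = {ipaddress.ip_network(f"{ns.ip}/24", strict=False) for ns in nameservers}
    findings = []
    if len(nameservers) < 3:
        findings.append(f"only {len(nameservers)} nameserver(s); taking them down makes the domain unresolvable")
    if len(providers) < 2:
        findings.append("all nameservers hosted by one provider: " + ", ".join(sorted(providers)))
    if len(networks) < 2:
        findings.append("all nameservers sit in one /24 network")
    if a_record_ttl > failover_window:
        findings.append(f"A-record TTL {a_record_ttl}s exceeds the {failover_window}s failover target")
    return {"nameservers": len(nameservers), "providers": sorted(providers),
            "networks": len(networks), "findings": findings, "resilient": not findings}


# Constructed sample data. WEAK_SETUP is the two-servers-at-one-provider case the
# article warns about; DIVERSE_SETUP spreads three servers over three providers.
WEAK_SETUP = [
    NameServer("ns1.hosting-a.example", "203.0.113.10", "HostingA"),
    NameServer("ns2.hosting-a.example", "203.0.113.11", "HostingA"),
]
DIVERSE_SETUP = [
    NameServer("ns1.hosting-a.example", "203.0.113.10", "HostingA"),
    NameServer("ns1.hosting-b.example", "198.51.100.20", "HostingB"),
    NameServer("ns1.hosting-c.example", "192.0.2.30", "HostingC"),
]

if __name__ == "__main__":
    for label, setup, ttl in (("weak", WEAK_SETUP, 86400), ("diverse", DIVERSE_SETUP, 300)):
        report = assess_dns_resilience(setup, a_record_ttl=ttl, failover_window=900)
        print(f"{label}: {'resilient' if report['resilient'] else 'NOT resilient'}")
        for finding in report["findings"]:
            print("  -", finding)
```

The 900-second failover window is an assumed target; pick the one that matches how quickly you can actually re-point resolution during an incident.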

Of course, if someone really wants you down, and has the resources to take you down, the truth of the matter is that there is almost nothing you can do.  But by adopting smart defenses, you may be able to fend off a ‘normal’ attack by some bored hacker.

Pierluigi Stella

With a sterling track record of successfully accomplished projects, an extensive technical know-how, and nine years as head of both the technical as well as customer service divisions of Network ... Web: www.networkboxusa.com