DDoS made easy: 5 steps to selecting a provider

Make no mistake about it – credit unions have been put on alert by NCUA to prepare for DDoS attacks. The problem is no one is telling them how! When new threats hit the news, a wave of new “flavor of the day” vendors leap into the market. All it takes is a good marketing campaign and a splashy logo and “experts” are born (remember Pandemic and Y2K?). Your members rely on you to make vendor selections that protect their sensitive data. So what should you look for in a DDoS vendor?

We’ve put together a checklist of important points to help you navigate the DDoS vendor selection process.

1)     Understand that it is not just about DDoS – DDoS is just one of many cybercrime threats making its way into the nightmares of credit union CIO’s.  As they race to implement another acronym driven solution (IDS, IPS to name a few) to protect their perimeters, an army of hackers plot their next move essentially nullifying your efforts before you can complete the installs!  Key points to remember:

  • Remember credit union budget cycles are notoriously SLOW
  • Remember hackers are notoriously fast at exploiting vulnerabilities and/or creating new threats
  • Plan for “When”, Not “If”

2)     Ask your peers – The credit union industry is known for its grassroots movement philosophy and open collaboration. Reach out to your peers – what are they doing? Have they experienced an attack? If so, how long? What’d they do? Did they have to enlist the aid of an external partner for mitigation?  (See where I’m going with this?) Referrals beat RFPs ANY DAY

3)     What type of threats are they protecting against? It might appear to be a simple four-letter word but DDoS attacks range wildly in complexity and scope. Our friends at RadWare developed this table to help CIO’s methodically and deliberately narrow down their pool of possible vendors and to make selection easier. Don’t go to the bargaining table without this!

DDoS Threats

Attack Type

Attacking Target

Detection

Mitigation

 

Yes? No?

SYN Floods

TCP Out-of-State Flood
ACK Floods
Garbage Floods
Request Floods
Packet Anomalies Flood

HTTP Floods

Get Requests
Post Requests – Variable Values
Invasive HTTP Vertical Scanning
Invasive HTTP Horizational Scanning
Put Requests
Search Engine Floods

UDP Floods (Non DNS)

UDP Floods (Non DNS) ICMP Echo Request (Ping) Flood

SSL Computing

SSL renegotiation SSL vulnerability
SSL traffic HTTPS flooding
SSL handshake Computation power

HTTP (Get/Post) Flood Attack

HTTP Get/Post Flooding Bandwidth
Processing Power
HTTP vulnerability Protocol / RFC

Slow Rate Attacks (AKA RUDY or R-U-Dead-Yet)

Slow HTTP Post requests Processing Power
Connections / Sessions
Memory

Partial data / transaction attack

Application data integrity Application security control weakness

SMTP flood

Application data integrity Application security control weakness

FTP flood

Application data integrity Application security control weakness

DNS Threat

DNS traffic DNS volumetric attacks
DNS spoofing attacks
DNS amplification and reflection
Protocol flaw DNS ID hacking
DNS cache poisoning
DNS root server attacks

SIP / UCS Attacks

Protocol flaw SIP Protocol Anomaly Attack

SQL Injection

Code injection SQL database

Attack Techniques

Volumetric attacks

HashDoS
TCP/UDP/ICMP Flood
SYN/Push/ACK Flood
Malformed DNS queries / packets
High volume properly formatted DNS queries
DNS amplification / reflection attacks

RFC/Compliance Attacks

HashDoS
Apache Killer

Compute Intensive Attacks

Slowloris
SlowPost
New variant – Slow Read
Valid but CPU/memory intensive web/database requests

Brute Force Attacks

Zone Enumeration / Dictionary Attacks- DNS Brute Force
Invalid Website Input Parameters Attack
Search Engine Request Attacks
HTTP Brute Force

Buffer Overflow Attacks

Buffer Overflow DNS

Anti-Automation Attacks

Other Attacks

HTTP Get Flood

 

LOIC or Variants

 

HOIC or Variants

 

HTTP Post Flood

 

nkiller2 (TCP Persist)

 

SIP Call-Control Flood

 

THC

 

Recoil

 

Rudy

 

Hulk

 

XerXes DoS

 

#RefRef DoS

 

4)     Determine their mitigation strategies – Blackholing should NOT be your only DDoS mitigation strategy unless you are comfortable being completely offline for days/weeks on end. Depending on your credit union RTO/RPO, you will want the DDoS attempt identified and remediated fast enough to meet your goals AND to continue providing critical services to your members during that time. Questions to ask the vendor:

  • What are the various configuration options available and how do I determine which one fits our strategic objectives?
  • How quickly does your solution work to detect and mitigate?
  • How do you detect legitimate users vs attackers?
  • Is the solution cloud-based or require an appliance onsite (either could be a great option for you but you need to understand the difference between each)?

5)     Verify the vendor’s expertise – As I shared earlier, new threats (or new NCUA requirements) often bring a wave of new vendor choices.  You will want to verify your potential DDoS partner has:

  • Technical Expertise – This goes without saying. Look under the engine.
  • Resources – DDoS attacks can go on for days. A 1-2 person shop isn’t going to be effective in this situation. Look for a vendor with a resource pool to sustain 24/7 remediation work.
  • Credit Union Knowledge – Partnering with a vendor who understands your industry yields far superior engagements because you can speak the same language. Your vendor should be able to understand your business processes and help you to identify areas of weakness in your impact analysis and then design a solution based upon your risk assessments.

Considering that while you read this post, 4,263,291 unauthorized packets knocked on your firewall door, I’d say you need to get moving (yes, I made that number up – but who knows, it could be higher).

For more information on DDoS/Cyber-Threats, download a courtesy copy of our eBook. 

Robin Remines

Robin Remines

Robin Remines brings an exciting combination of strategic vision and tactical finis to the OGO Executive team. Prior to joining Ongoing Operations, Ms. Remines served as Vice President, Information Technology ... Web: ongoingoperations.com Details