Publication: October 28, 2022 Cybersecurity and Infrastructure Security Agency
Understanding and Responding to Distributed Denial-of-Service Attacks
Table of Contents
Overview
DoS and DDoS
What Steps Should You Take Before a DDoS Attack?
What Do You Do If You Think You Are Experiencing an Attack?
What Do You Do After a DDoS Attack?
Reporting
Acknowledgements
Disclaimer
Resources
Overview
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint guide to provide organizations proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.
DoS and DDoS
Denial-of-service (DoS) attacks are a type of cyberattack targeting a specific application or website with the goal of exhausting the target system’s resources, which, in turn, renders the target unreachable or inaccessible, denying legitimate users access to the service. Although many forms of DoS attacks exist, the most common types are the following:
1. Network resource overload consumes all available network hardware, software, or bandwidth of the target.
   a. In a direct network resource overload attack, the cyber threat actor overloads resources using tactics such as exploiting a server vulnerability or inundating servers with requests.
   b. In a reflection amplification attack, the threat actor consumes network resources by reflecting a high volume of network traffic to the target. The actor uses a third-party server (the “reflector”) as an intermediary that hosts and responds to the given spoofed source IP address.
2. Protocol resource overload consumes the available session or connection resources of the target.
3. Application resource overload consumes the available compute or storage resources of the target.
A DoS attack is categorized as a distributed denial-of-service (DDoS) attack when the overloading traffic originates from more than one attacking machine operating in concert. DDoS attackers often leverage a botnet—a group of hijacked internet-connected devices—to carry out large-scale attacks that appear, from the targeted entity’s perspective, to come from many different attackers. A wide variety of devices may make up a botnet, including Internet of Things (IoT) devices. IoT devices are internet-connected and often use default passwords and lack sound security postures, making them vulnerable to compromise and exploitation. Because infections of IoT devices often go unnoticed by users, an attacker could easily assemble hundreds of thousands of these devices into a formidable botnet capable of conducting a high-volume attack. Further, after establishing a botnet, a cyber threat actor may rent it out to other potential attackers in an “attack-for-hire” scheme, which enables unskilled users to launch DDoS attacks.
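An added example, not part of the CISA guide: a defender-side triage function that maps per-source flow summaries from one monitoring window to the categories listed above and separates DoS from DDoS by counting distinct sources. The record fields, the reflector port list and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import Counter

# Assumptions, not from the guide: UDP services often abused as reflectors,
# and per-source limits for a single monitoring window.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}
MAX_BYTES, MAX_REQUESTS = 5_000_000, 200

def label(flow):
    """Map one per-source flow summary to a category from the guide, or None."""
    if (flow["proto"] == "udp" and flow["src_port"] in REFLECTOR_PORTS
            and not flow.get("solicited")):      # reply to a query we never sent
        return "network: reflection amplification"
    if flow["proto"] == "tcp" and flow.get("flags") == "S":
        return "protocol"                        # SYNs only, handshake never completed
    if flow.get("requests", 0) > MAX_REQUESTS:
        return "application"                     # completed requests exhausting compute
    if flow["bytes"] > MAX_BYTES:
        return "network: direct"
    return None                                  # within normal limits

def triage(flows):
    """Return (dominant category, 'DoS' or 'DDoS', distinct sources), or None."""
    hits = [(label(f), f["src"]) for f in flows]
    hits = [(cat, src) for cat, src in hits if cat]
    if not hits:
        return None
    category = Counter(cat for cat, _ in hits).most_common(1)[0][0]
    # For reflection these sources are the reflectors, not the threat actor.
    sources = {src for cat, src in hits if cat == category}
    return category, ("DDoS" if len(sources) > 1 else "DoS"), len(sources)

# Constructed sample windows (documentation address ranges).
SAMPLE_REFLECTION = [
    {"src": "198.51.100.10", "proto": "udp", "src_port": 123, "bytes": 9_000_000},
    {"src": "198.51.100.11", "proto": "udp", "src_port": 123, "bytes": 8_500_000},
    {"src": "203.0.113.5", "proto": "udp", "src_port": 53, "bytes": 7_200_000},
    {"src": "192.0.2.7", "proto": "tcp", "src_port": 51544, "flags": "PA",
     "bytes": 40_000, "requests": 12},
]
SAMPLE_SYN = [{"src": "203.0.113.77", "proto": "tcp", "src_port": 40000 + i,
               "flags": "S", "bytes": 60} for i in range(3)]

if __name__ == "__main__":
    print(triage(SAMPLE_REFLECTION))
    print(triage(SAMPLE_SYN))
```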
The more traffic a DDoS attack produces, the more difficulty an organization will have responding and recovering from the attack. The increase in traffic also increases the difficulty of attribution because it makes the true source of the attack harder to identify. Although the impact of DDoS attacks may often be negligible—depending on the scale of the attack—it could be severe and include loss or degradation of critical services, loss of productivity, extensive remediation costs, and acute reputational damage. Organizations should include steps to address these potential effects in their incident response and continuity of operations playbooks.
Although a DDoS attack is unlikely to impact the confidentiality or integrity of a system and associated data, it does affect availability by interfering with the legitimate use of that system. Because a cyber threat actor may use a DDoS attack to divert attention away from more malicious acts they are carrying out—e.g., malware insertion or data exfiltration—victims should stay on guard to other possible compromises throughout a DDoS response. Victims should not become so focused on defending against a DDoS attack that they ignore other security monitoring.
In a progressively interconnected world with additional post-pandemic remote connectivity requirements, maintaining the availability of business-essential external-facing resources can be challenging for even the most mature IT and incident response teams. It is impossible to completely avoid becoming a target of a DDoS attack. However, there are proactive steps organizations can take to reduce the effects of an attack on the availability of their resources.
What Steps Should You Take Before a DDoS Attack?
• Understand your critical assets and services. Identify the services you have exposed to the public internet and the vulnerabilities of those services. Prioritize assets based on mission criticality and need for availability. Implement ways to lower the risk of an attack by committing to good cyber hygiene (e.g., server hardening, patching). Determine whether your web application firewall (WAF) covers your critical assets and is configured in a Deny state.
• Understand how your users connect to your network. Identify the disparate ways your user base connects to your organization’s network, whether onsite or remotely via virtual private networks (VPNs). Identify potential network chokepoints and any mitigations that may minimize disruptions to key personnel.
• Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network. Organizations should enroll in a DDoS protection service after completing a review of critical assets and services. See CISA's Free Cybersecurity Services Catalog for services that may be freely available.
• Understand service provider defenses. Engage with your ISP and cloud service provider (CSP) to understand their existing DDoS protections. Review service agreements to determine:
o the protections your service providers offer to assist in mitigating DDoS attacks and
o any risks posed by gaps or limitations in coverage.
Speak with your service providers about best practices for hosting web servers while using their DDoS protections.
• Understand your dedicated edge network defenses. Speak with a managed service provider (MSP) about specific managed services that guard against DDoS attacks. MSPs offering different technologies on the “edge” can assist with a customization of edge defenses. Edge defense services can reduce downtime caused by DDoS attacks. Edge defense, detection, and mitigation services reduce the risk of malicious traffic reaching its target, and greatly increase the chances of legitimate users reaching your websites/web applications.
• Design and review (High-Availability/Load-Balancing/Colocation) designs. Review system/network designs and eliminate single points of failure, such as a high-value asset (HVA) hosted on a single node. Ensure HVAs are capable of high-availability (HA) and/or load-balancing (LB) across multiple nodes. Colocation of HVA services serves as a good technique for business continuity. However, the best method to guard against DDoS is stopping the attack by either upstream service provider defenses or DDoS protections in your local datacenter.
• Develop an organization DDoS response plan. The response plan should guide your organization through identifying, mitigating, and rapidly recovering from DDoS attacks. All internal stakeholders—including your organization’s leaders and network defenders—and service providers should understand their roles and responsibilities through all stages of a DDoS attack. At a minimum, the plan should include understanding the nature of a DDoS attack, confirming a DDoS attack, deploying mitigations, monitoring and recovery. Note: your DDoS response plan should be part of your organization’s disaster recovery plan.
