Is your disaster recovery plan DDoS ready?

Australia and the rest of APAC trails behind global counterparts when it comes to perimeter protection. Almost half of all APAC organisations are taking over three hours to detect a DDoS attack and an extra three hours to respond to one, which is significantly higher than global averages.

Worryingly, a slow response to an attack can cause huge damages to a company’s bottom line, with research showing that organisations stand to lose on average $100,000 per hour of downtime during a peak period following a successful DDoS attack.

Particularly here in APAC, not only does the time to detect and respond take longer but also the frequency of attack is greater. Alarmingly, 77 percent of APAC organisations have been attacked in the past year, with just under half of attacked APAC organisations suffering six or more attacks.

With APAC organisations suffering on average up to six attacks per year and taking up to six hours to respond post-detection, they stand to lose millions of dollars each year – downtime is not an option. Based on the above figures, it appears that APAC organisations are particularly unprepared in regards to DDoS attack mitigation.

While most IT departments have some kind of disaster recovery plan in place to avoid downtime caused by events such as natural disasters, many still only consider emergency mitigation in the event of a DDoS attack rather than prepare ahead. However, given the greater likelihood of a DDoS attack happening, IT leaders should seriously consider preparing for a DDoS attack within their disaster recovery plans.

In preparing a disaster recovery plan, businesses must carefully consider the necessary steps to be taken in event of a DDoS attack or risk being left vulnerable to downtime, financial loss, emergency mitigation costs or even extortion plots. Broadly, a DDoS disaster recovery plan should include detection, mitigation, ownership and testing.

Detecting a DDoS attack

There are a several ways to monitor both physical and virtual cloud environments for potential DDoS. NetFlow monitoring for example is an effective method for identifying traffic anomalies that might be a DDoS attack. A large organisation that operates its own 24/7 network monitoring team can monitor NetFlow from border routers and detect when a volumetric flood occurs. NetFlow can also be remotely monitored through third parties by exporting sampled NetFlow to a security operations centre (SOC).

NetFlow monitoring is not fool proof however. Some low volume attacks can slip by NetFlow monitoring because they do not cause a spike in bandwidth utilisation or packet rate. Regardless, the vast majority of DDoS attacks should be detected by properly tuned Netflow monitoring.

For environments where NetFlow monitoring is not an option, such as cloud, a cloud-based monitoring service can be used to look for degradation in performance, CPU utilisation or latency.

Finding the right mitigation method

To mitigate a DDoS attack, companies should firstly look at which product or service suits them. To achieve this, organisations must understand and quantify the risk DDoS attacks impose, from both a business and technology perspective, and then select and size a solution to fit.

Currently, there are several mitigation solutions in the market with different price and performance considerations.

Several low cost content delivery network (CDN) style services can offer inexpensive DDoS protection, however they may impose usability issues and be unable to stop a significant attack.

DDoS mitigation appliances can be effective against certain types of attacks, however large-scale floods can overwhelm circuit capacity and render the appliance ineffective.

On demand cloud where network traffic is redirected to a mitigation cloud is reliable and cost effective. However, it is dependent on swift failover to the cloud in order to avoid downtime. Automation can be employed to assist.

Always routed cloud, on the other hand, involves the redirection of web traffic on a constant basis. The constant redirection can affect network latency, even during non-attack conditions, and additional services may be required to address application layer attacks.

Adopting a DDoS mitigation approach that includes a managed appliance and cloud (hybrid) is the best option, yet can be costly. The appliance will stop any DDoS attack within the circuit capacity feeding the network, and automatically trigger cloud mitigation, if the circuit is in danger of becoming overwhelmed.

Determining responsibilities during an attack

Who takes ownership during a DDoS attack is an important consideration for any disaster recovery plan. It entails determining who the primary and secondary responsible parties are for the tasks that need to be performed.

Companies must determine who will receive detection alerts and what are they to do with those alerts, who will execute the mitigation plan, and what areas within the business will be notified.

Responsibilities can extend outside of security and technology teams, for example, to customer support to minimize impact on clients and partners, and marketing for crisis communications and brand protection.

Security and technical responsibilities and activities must also go beyond simply mitigating the DDoS attack. With increasing frequency, DDoS attacks are used in concert with other attack vectors, such as malware and ransomware activation, and network breach.

Testing your plan

A well-documented and rehearsed mitigation plan is vital – mitigation activities are time critical. Regardless of the protection method being deployed, it’s good practice to test it periodically. Just like a fire drill, periodic testing can not only eliminate gaps or issues in responding to a DDoS attack, but can also prepare the responsible owners to perform their required actions when an actual event occurs.

Conclusion

To “win the fight before the battle is fought”, it’s critical to define a disaster recovery strategy preemptively. That way, during an actual DDoS attack, an organisation can enact its plan and minimise downtime and financial loss.

Without such a plan, attacked organisations will likely face network outage, and risk both financial and data loss, and leave themselves exposed to other attack vectors. Mitigation providers offer emergency mitigation services, yet these services are costly and largely limited to DNS based redirection. Depending on such a service is not prudent, unless it is proven to be adequate and aligns with the risk imposed on the organisation by the threat of a DDoS attack.

Ultimately, a well-defended network will protect your organisation from both financial and reputational damage, and discourage subsequent attacks – leading the wolf from your door / leaving hackers hunting for a softer-target.

By Robin Schmitt, General Manager, Australia at Neustar