How to Repel DDoS Attacks
A series of attacks on key internet infrastructure brought down a slew of major websites and applications—Twitter, Etsy, GitHub, Spotify, Reddit, and Netflix, among others—on Oct. 21. The attack went on in waves throughout the day, disrupting millions of people's lives and costing companies millions of dollars in revenue and productivity.
The distributed denial of service—DDoS—attacks largely came from a network of tens of thousands of non-PC devices connected to the internet, things like cameras, appliances, routers, and speakers, that had been co-opted to route millions of requests to servers belonging to Dyn, a major DNS service provider. Some of Dyn's datacenters and servers on the East Coast were overwhelmed by the deluge, preventing them from resolving DNS requests from legitimate users and servers.
The short version of our findings:
There are no silver bullets for warding off DDoS attacks
Have backup DNS in place and ready to be switched on
Ensure that non-PC devices, such as routers, printers, etc., are secured (no default passwords)
Startups with millions of users or enterprise clients should look to specialists for help in this realm. It can be a complicated and time-consuming task for an application engineer to take on.
What is DNS?
DNS forms one of the backbones of the web. It translates human-readable domain names into the numerical IP addresses on which the web actually runs. Companies have different methods and servers to resolve DNS requests, from the basic, out-of-the-box solutions that come from a web registrar, to complicated, networked solutions that include multiple redundancies based in the cloud.
In the wake of this attack, startups and companies should review their own plans and ability to deal with a similar campaign targeting their servers and customers. Most companies don't require a massive, and expensive, phalanx of solutions.
But startups and growing companies should have a thoughtful approach to mitigating and preparing for a targeted DNS takedown of their own servers, or of any vital providers, including those, like Dyn, that provide DNS services.
According to German insurer Allianz, the number of cyber attacks now tops 115,000 per day, costing the world's economy $450 billion annually. The specter of attacks grows every day, as there may be as many as a trillion devices connected to the web by 2020.
"Ultimately, if a malicious actor wants to deliberately target your organization, preventing them from doing so will be an uphill climb," says Jim Nitterauer, a security expert at AppRiver, which supplies solutions for secure cloud-based email and cyber security. "However, if you do nothing, there is nothing that will protect you from a DDoS attack when needed. Bottom line, don’t be the low hanging fruit."
We've mined our own experiences and talked with dozens of experts and people with experience in fending off DDoS attacks to provide a simple guide to ensuring your startup is reasonably prepared for something that remains a constant threat:
There exist no 100% solutions to DDoS attacks, only ways to curb their effectiveness
The best thing a startup can do is to ensure less sophisticated attacks will be ineffective against its application. To do that, startups need to prepare ahead of time.
"The time to investigate these services isn't when you're experiencing an attack. It’s best to research your options and contract with a provider beforehand, so you can see quick response if an attack happens," emphasizes Rachel Kartch, the monitoring and response analysis team lead in the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University.
There are services and providers who can mimic these types of situations, which will allow startups to test their defenses and their readiness.
For volumetric attacks, the solution some organizations have adopted is simply to scale bandwidth up to be able to absorb a large volume of traffic if necessary. It’s not elegant, but it works. Volumetric attacks are something of an arms race, and many organizations won't be able or willing to pay for pipes to scale to the level of some of the very large recent attacks, but for an organization with the money and the ability to manage a large infrastructure, oversized, dynamic bandwidth can absorb many attacks, Kartch says.
Startups that are particularly sensitive to such attacks, because of the business they may be in or the service they may provide, should investigate and engage cloud providers who specialize in scaling infrastructure in response to attacks, and who offer cloud scrubbing services that remove the majority of the problematic traffic before it ever reaches the startup's network or application.
Have backup DNS
Many of the major companies affected by Dyn's outage easily mitigated the problem by switching to their backup DNS provider, resulting in down-times of minutes instead of hours. This is something that companies of any size can do. Simply pick a different company to provide secondary DNS services, and leave it turned on in the background.
It will cost some additional money to keep the backup system turned on, but it's quite cheap for what the startup gets in exchange. When something goes sideways with the primary DNS provider, a company only has to redirect its nameservers to the secondary DNS provider and its systems should be back online quickly.
Waiting until there is a major problem to find a secondary DNS provider can cost a company multiple hours of up-time, and in some cases even a whole day. The losses of revenue, goodwill, and reputation are not worth the cost and labor savings of not setting up a backup system ahead of time.
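Two things have to hold for the backup described above to actually help: the zone's delegation must point at nameservers run by more than one provider, and the secondary must be serving the same answers as the primary, or the failover changes what users see. The script below is an added example, not code from the article or from any DNS provider; the nameserver hostnames, zone names and addresses are constructed stand-ins for what `dig NS <zone>` and `dig @<nameserver> A <name>` would return, so it runs without network access. It assumes providers use two-label domains when grouping nameservers by provider.

```python
"""Check a zone's DNS delegation for provider redundancy and record drift.

Added example, not code from the article. The nameserver hostnames, zone names
and addresses below are constructed stand-ins for what `dig NS <zone>` and
`dig @<nameserver> A <name>` would return from the primary and secondary
providers; no network access is needed to run it."""
from collections import defaultdict


def provider_of(ns_host):
    """Reduce a nameserver hostname to its provider's domain by keeping the
    last two labels ('ns1.provider-a.example.' -> 'provider-a.example').
    Assumption: providers use two-label domains; a ccTLD such as 'co.uk'
    would need a public-suffix list instead."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def delegation_providers(ns_records):
    """Group the zone's NS hostnames by provider."""
    groups = defaultdict(list)
    for ns in ns_records:
        groups[provider_of(ns)].append(ns)
    return dict(groups)


def is_redundant(ns_records, minimum_providers=2):
    """True when the delegation spans at least `minimum_providers` providers,
    so an outage at one of them leaves resolvers another path to the zone."""
    return len(delegation_providers(ns_records)) >= minimum_providers


def record_drift(primary, secondary):
    """Compare the answers two providers give for the same names.

    `primary` and `secondary` map a name to the addresses that provider
    returns. A name missing on one side counts as an empty set. Returns
    {name: (primary_answers, secondary_answers)} for every name whose answers
    differ; an empty dict means a failover would change no answers."""
    drift = {}
    for name in sorted(set(primary) | set(secondary)):
        a = frozenset(primary.get(name, ()))
        b = frozenset(secondary.get(name, ()))
        if a != b:
            drift[name] = (a, b)
    return drift


def report(ns_records, primary, secondary):
    """Assemble the checks into one result a monitoring job could alert on."""
    return {
        "providers": delegation_providers(ns_records),
        "redundant": is_redundant(ns_records),
        "drift": record_drift(primary, secondary),
    }


# Constructed sample data (documentation addresses from 203.0.113.0/24).
SAMPLE_NS = [
    "ns1.provider-a.example.",
    "ns2.provider-a.example.",
    "ns1.provider-b.example.",
]
PRIMARY_ANSWERS = {
    "www.example.com.": ["203.0.113.10"],
    "api.example.com.": ["203.0.113.20", "203.0.113.21"],
    "mail.example.com.": ["203.0.113.30"],
}
# The secondary is missing one api address and has no record for mail yet.
SECONDARY_ANSWERS = {
    "www.example.com.": ["203.0.113.10"],
    "api.example.com.": ["203.0.113.20"],
}


if __name__ == "__main__":
    result = report(SAMPLE_NS, PRIMARY_ANSWERS, SECONDARY_ANSWERS)
    print("providers:", result["providers"])
    print("redundant delegation:", result["redundant"])
    for name, (a, b) in result["drift"].items():
        print(f"drift on {name}: primary={sorted(a)} secondary={sorted(b)}")
```

Run periodically with real `dig` output fed into the two dictionaries, the drift check catches the quiet failure mode of a secondary that was switched on once and then fell out of sync, which is exactly when a failover would surprise you.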
Secure non-PC devices
Things like cameras, printers, and light switches, the leading edges of the Internet of Things, should only be connected to the Web if they're actually going to utilize the connection, says Val King, president and CEO of Whitehat Virtual Technologies.
Otherwise, keep these things off networks.
For devices that need to be connected, ensure that their default usernames and passwords have been changed to something unique to the business. Many of the devices used in the October attacks on Dyn were easily taken over and incorporated into the botnet because they were still using default usernames and passwords.
"The lessons from this attack are clear," King says. "Traditional AND non-traditional IoT devices that connect to the Intranet via Wi-Fi, etc. to the network need to be incorporated into your Cybersecurity plan."
All web applications and services, including IoT devices, should be behind a firewall. Assets should never be connected directly to the internet unless they are actually designed to be (like a firewall). "This limits communications directly to them that can be used in a DOS attack," says Morey Haber, vice president of technology at BeyondTrust, a cyber security firm.
Look to specialists, and examine existing service providers
Most startup engineers will be focused on the company's application and building it out. They may not have deep expertise in server and firewall construction, which is fine, and to be expected. That's why it's best, in most cases, to leave DDoS mitigation and protection to an outside vendor once a startup reaches critical mass.
As a startup grows, it may want to consider more and more complex and nuanced solutions for defending its application and users from malicious disruptions—this, too, should be something left to experts and specialists outside the startup. Unless the startup is in the business of security, it's more productive for engineers to spend their time building, honing and improving the company's own product.
"It's just not the business you're in, especially if you're a startup," says Joshua Danielson, director of information security at Copart.
Startups should also examine their current server, cloud, and security vendors to see if they can filter traffic and limit exposure to DoS and DDoS attacks. Sometimes a simple security tool blocking bad traffic can mean all the difference in the world, says Haber of BeyondTrust.
As a startup gets bigger, and its business more important to more users, it should examine adding more levels of mitigation
Filtering requests and web traffic is one way to defend against malicious requests. This gets harder to do when the attackers are using a wide network of far-flung devices, like in the Dyn attack, but it's still a basic tenet of defending against common and less sophisticated disruptors.
Nirupama Mallavarupu, the founder and CTO at MobileArq, a New Jersey company that builds software for PTAs and schools, says startups can utilize open source software solutions to help with some of this.
She uses software called Fail2Ban to prevent some DDoS attacks. It scans log files for the IP addresses behind malicious requests and dynamically adds firewall rules that reject further connections from them.
At the application level, MobileArq will deny requests from the same IP address after a certain number of rapid reloads or failed login attempts.
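The two mechanisms just described, Fail2Ban's log scanning and MobileArq's application-level cutoff after repeated failed logins or rapid reloads, are the same idea: count matching events per source address inside a sliding time window and act when a threshold is crossed. The script below is an added example that implements that idea, not the article's code and not Fail2Ban's own implementation. The log lines are constructed in combined (nginx/Apache) format, the thresholds are assumed values a site would tune, and the iptables commands are returned as strings rather than executed.

```python
"""Fail2Ban-style log scan: flag source addresses that exceed a threshold of
matching events inside a sliding time window, then render a block list.

Added example, not the article's code and not Fail2Ban's own implementation.
The log lines are constructed in nginx/Apache combined format and the
thresholds (maxretry, findtime) are assumed values a site would tune."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Client IP, timestamp, request line and status code from combined-format logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not match
    (Fail2Ban likewise ignores lines its filter regex does not match)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def failed_login(ev):
    """Rule for the failed-login case: a rejected POST to /login."""
    return ev["method"] == "POST" and ev["path"] == "/login" and ev["status"] in (401, 403)


def any_request(ev):
    """Rule for the rapid-reload case: every request counts."""
    return True


# Assumed policies: 5 failed logins in 10 minutes, or 10 requests in 10 seconds.
LOGIN_POLICY = dict(rule=failed_login, maxretry=5, findtime=timedelta(minutes=10))
RELOAD_POLICY = dict(rule=any_request, maxretry=10, findtime=timedelta(seconds=10))


def offenders(lines, rule, maxretry, findtime):
    """Per-IP sliding window: the `maxretry`-th matching event within
    `findtime` flags the address. Returns {ip: timestamp when flagged}."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not rule(ev):
            continue
        q = windows[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > findtime:  # drop events older than the window
            q.popleft()
        if len(q) >= maxretry and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def firewall_rules(flagged, chain="INPUT"):
    """Render the block list as iptables commands. Returned as strings rather
    than executed; Fail2Ban's bundled actions do the equivalent insertion and
    remove the rule again once the ban time expires."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(flagged)]


# Constructed sample log (documentation address ranges).
SAMPLE_LINES = [
    '203.0.113.5 - - [21/Oct/2016:13:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Oct/2016:13:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Oct/2016:13:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Oct/2016:13:00:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Oct/2016:13:00:07 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Oct/2016:13:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Oct/2016:13:00:05 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Oct/2016:13:00:09 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'not a log line at all',
] + [
    # Twelve reloads of the front page in four seconds from one client.
    f'192.0.2.44 - - [21/Oct/2016:13:10:{s:02d} +0000] "GET / HTTP/1.1" 200 4096 "-" "curl/7.50.1"'
    for s in (0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 3, 3)
]


if __name__ == "__main__":
    bad_logins = offenders(SAMPLE_LINES, **LOGIN_POLICY)
    reloads = offenders(SAMPLE_LINES, **RELOAD_POLICY)
    for rule in firewall_rules({**bad_logins, **reloads}):
        print(rule)
```

The window is per source address, so a legitimate user who mistypes a password once (198.51.100.7 above) is never flagged, while the address that fails five times in six seconds is. The same limitation the article notes applies here: a botnet spread across thousands of addresses never trips a per-IP threshold, which is why this belongs in the "simple attacks" tier rather than as the answer to a Dyn-scale event.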
During an attack, Mallavarupu advises startups to change the rules in their web servers so that the countries from which the attack is emanating are banned, as are the IP addresses and subnets from which the attacks emerged.
At one point, MobileArq was often receiving messages that attackers from Eastern European countries were attempting to log in to its marketing site as an administrator. The company implemented Google Sign-In, a free API that can utilize two-step authentication, for its administrator logins and completely shut down all such attempts, as the bots tend to move on when confronted with a complicated, multi-step login process.
Defending an application from all malicious attacks can be difficult. Constructing a leak-proof boat here is nearly impossible. But there are simple steps to ensure that the majority of simple attacks are easily repelled.
Startups that spend a few extra hours to ensure these easy measures are implemented will easily dodge many of the outages that plague competitors and others.
When a startup grows to a sufficient size and becomes a critical asset or pipeline for its customers, founders should consider consulting with outside experts on how best to manage the company’s application infrastructure to guard against determined attacks.
Some defenses can grow complicated and nuanced, and it’s often not the best use of time to have an internal engineer, who may not be an expert in the area, spend large swaths of time learning and configuring a company’s mitigation measures.