In-Depth
4 Best Practices for Mitigating DDoS Effects
These four best practices will help government and political organizations mitigate the effects of DDoS attacks.
By Mike Paquette, Chief Strategy Officer, Corero Network Security
The IT security community has followed the appearance of Internet-based distributed denial of service (DDoS) attacks over the past 10 to 12 years. Y2K saw the appearance of the first widespread DDoS attacks, disrupting "anchor" Internet sites of the time, and 2004 to 2006 saw the onset of widespread criminal extortion under threat of DDoS attack, initially targeting online gaming sites. Starting in 2009, we've begun to experience the third wave of DDoS attack activity. Attacker motivations have become more diverse, going beyond the pursuit of illicit financial gain; unfair business advantage, ideological activism, and political activism now drive these types of cyber-attacks.
As if the worries of government IT -- preventing and dealing with data breaches, advanced persistent threats (APTs), cyber-espionage, cyber-warfare, identity management, and compliance issues -- were not challenging enough, now DDoS attacks are appearing as a frequent threat.
DDoS attacks on Estonia's government Web sites surprised officials in 2007. Georgia came under attack in August 2008. High-profile DDoS attacks hit U.S. and Korean Web sites in 2009 and South Korea's government Web sites again suffered DDoS attacks in mid-2010. In November 2010, Burma was essentially taken off the Internet by a DDoS attack, interestingly, just days before the country's first elections in 20 years.
The increasingly common use of DDoS attacks as a mechanism for ideological and political activism indicates that these cyber-attacks will represent a material threat to governments worldwide in 2012 and beyond.
The impacts of DDoS attacks on government IT infrastructure can include:
- Interruption of critical government services
- Inability to hold free and fair elections
- Loss of tax and/or fee revenue
- Loss of citizen trust in government or government administration
- Loss of government employee productivity
- Negative publicity
- Smokescreen to hide other information-stealing attacks
In late 2011, DDoS attacks in Russia, and again in Korea have placed the topic of DDoS attacks at the heart of electoral politics, with claims made that high-level officials, in attempts to sway election results, used DDoS attacks as a mechanism of propaganda, censorship, information withholding, and unfair political advantage.
Back in July 2011, the U.S. Department of Defense (DoD) released its DoD Cyberspace Strategy that included specific items about defending against DDoS attacks. It's now time for other government entities to create their own cyberspace strategies; plans for DDoS defense should be included. State Boards of Elections, Secretaries of State, and City, Town, and Local governments need to take special care to protect their Web sites against possible DDoS attacks.
Beyond government targets, individual candidates and political party Web sites are also likely DDoS attack targets. In the U.S., it is hard to imagine that individual candidate campaigns would sponsor a DDoS attack against an opponent, but it is not hard to imagine that fringe groups, loosely associated with one political party or another, might employ these cyber-attacks to help their party generally (or even an individual candidate) in certain elections. Reminiscent of how elaborate schemes were created to circumvent campaign-funding restrictions, one can imagine similar schemes being used to secretly supply cyber-attack capabilities to a party's candidates.
These truly politically motivated DDoS attacks appear against an existing backdrop of ideologically motivated DDoS attacks that may also target one political party or even all major political parties.
Although DDoS attacks cannot be prevented outright, organizations are not defenseless. By working with their Internet service providers and deploying specialized DDoS defense technologies and services, government and political organizations can mitigate the effects of DDoS attacks to ensure that election-based information, voting details, and general political services remain available over the Internet. There are several steps that government agencies and political campaigns can implement to reduce their risk.
These four best practices can help organizations mitigate the effects of DDoS attacks.
Best Practice #1. Create a DDoS response plan far in advance of election season
In 2012 and beyond, government organizations with any responsibility for elections should assume that their Web presence will suffer one or more DDoS attacks. A DDoS response plan lists and describes the steps that these organizations should take if or when their IT infrastructure is attacked. The plan includes steps for contacting Internet service providers (often these are also other local, state, or federal government agencies), characterizing the attack, taking mitigation steps, and possibly invoking disaster recovery measures.
As with many plans, the true value is in the planning process before an attack happens. Waiting until an attack occurs is the wrong time to find out that there are no resources available to mitigate the attack and restore voter services.
Best Practice #2. Adopt a layered approach to DDoS defense
Generally speaking, there are two classes of DDoS attacks: high-bandwidth network layer floods and lower-volume application layer DDoS attacks. Election-oriented organizations should adopt multiple layers of DDoS defense. Even if your Internet provider already supplies a DDoS attack mitigation service to help defend against network flood DDoS attacks, organizations also need an on-premise DDoS defense solution to fight increasingly frequent application-layer DDoS attacks.
Best Practice #3. Secure Web applications and servers that contain election-related information
Web applications are the common vehicle through which the critical election-related information of governments, political parties, or candidates makes its way to constituents, pundits, and voters. It's crucial to maintain secure Web applications and secure Web servers. Both information management and IT security come into play when ensuring that Web applications start out securely and then stay secure.
The operating systems and Web server software must be continually checked to ensure that the latest patches are applied. Custom applications should be reviewed and verified for security before deployment. Best practices for password policies and other authentication should be used. Finally, comprehensive network security technologies, including firewall, intrusion prevention, and DDoS defense, should be key parts of the infrastructure in which the Web application server is deployed.
Best Practice #4. Protect DNS infrastructure
The Internet domain name system (DNS) is a distributed naming system that enables us to access the Internet by using names such as www.state.gov rather than more complicated IP addresses (e.g. 192.168.0.1) on which network infrastructure relies to route messages from one computer to another. Because it is distributed, many organizations use and maintain their own DNS servers to make their systems visible on the Internet.
Government organizations with voter and election responsibility should demand to see a DNS infrastructure protection plan from the agencies responsible for providing DNS services. DNS servers are often targeted by DDoS attacks because if the DNS operation can be interrupted by an attacker, all the victim's services may "disappear" from the Internet, causing the desired denial of service effect.
Preserving DNS operations involves many of the same steps as protecting other Web applications. The operating systems and DNS software must be continually checked to ensure that the latest patches are applied. Of course, secure network technology, including intrusion prevention and DDoS defense, should be deployed in the DNS infrastructure.
Mike Paquette serves as chief strategy officer of Corero Network Security, formerly Top Layer, where he is responsible for Corero's product portfolio, product management, and strategy. Mike has 27 years of computer networking and security experience with an extensive background in the design and development of networking products. He is co-author of a patent on DDoS protection.