US agencies release updated guide on defending against DDoS attacks for critical infrastructure organizations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published Thursday an updated joint guide that covers specific needs and challenges faced by organizations in defending against DDoS attacks. 

Titled ‘Understanding and Responding to Distributed Denial-Of-Service Attacks,’ the document provides critical infrastructure organizations with detailed insights into three different types of DDoS (distributed denial-of-service) techniques, including volumetric attacks aiming to consume available bandwidth; protocol attacks that exploit vulnerabilities in network protocols; and application attacks targeting vulnerabilities in specific applications or running services. 

The categories are, however, not mutually exclusive, and malicious hackers can combine multiple techniques to launch sophisticated DoS and DDoS attacks. Furthermore, new attack methods and variations constantly emerge as malicious actors adapt and evolve their tactics, techniques and procedures (TTPs).

The volume-based attacks aim to consume the available bandwidth or system resources of the target by overwhelming it with a massive volume of traffic. The goal is to saturate the network or exhaust the target’s resources, rendering it unable to handle legitimate requests. 

The protocol-based DDoS attacks exploit network protocol or service vulnerabilities to disrupt the target. By focusing on weak protocol implementations, the malicious actor can degrade the target’s performance or cause it to malfunction. Protocol-based DDoS attacks typically target Layers 3 (network layer) and 4 (transport layer) of the Open Systems Interconnection (OSI) model.

Lastly, the application layer-based attacks target vulnerabilities in specific applications or services running on the target system. Instead of overwhelming the network or system resources, application layer attacks exploit weaknesses in the targeted application, consuming its processing power or causing it to malfunction. Application-based DDoS attacks target Layer 7, the application layer, of the OSI model.

Because DDoS attacks typically stem from multiple coordinated sources, the attacking IP addresses are challenging to trace and block. Each machine in the botnet simultaneously inundates the target system with a flood of traffic or requests, amplifying the overall impact. This distributed nature makes DDoS attacks harder to defend against than DoS attacks.

“The main advantage of a DDoS attack over a DoS attack is the ability to generate a significantly higher volume of traffic, overwhelming the target system’s resources to a greater extent,” the agencies detailed. “DDoS attacks can also employ various techniques, such as IP spoofing, which involves a malicious actor manipulating the source IP address and botnets to disguise the origin of the attack and make it more difficult to trace it back to them.”

The guide provides an overview of the denial-of-service (DoS) and DDoS landscapes, including attack types, motivations, and potential impacts on government operations, as well as practical steps on implementing preventative measures, and incident response for each of the defined DDoS and DoS technique types. Additionally, it highlights why it is important for organizations to focus their planning efforts on emerging DDoS trends and technologies to better defend against malicious DDoS activity. 

Identifying whether an organization is experiencing a DDoS attack can be challenging, as symptoms can vary depending on the attack type and intensity. The typical list covers website or service unavailability, network congestion, unusual traffic patterns, server or application crashes, high resource utilization, inability to access other network services, anomalies in user behavior, a flood of spam or malicious emails, notifications from DDoS protection service, and communication disruptions.

While the timing of a DDoS attack is unpredictable for any organization, malicious actors frequently exploit security vulnerabilities to initiate such attacks. Hence, network defenders within an organization must adhere to best practices to mitigate the impact of a potential DDoS attack. Organizations need to conduct thorough and proactive risk assessments to determine their vulnerability to DDoS attacks. They must also implement network monitoring, regularly analyze network traffic to establish a baseline of normal traffic patterns, and implement a captcha to help differentiate between human users and automated bots, which helps prevent DDoS attacks.
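The baseline-and-monitoring advice above is the one step a defender can script directly: learn what "normal" requests per minute looks like, then flag minutes that depart from it and note whether a handful of sources account for the surge. The block below is an added example, not code from the guide or the agencies; its baseline counts, addresses (from the 10.0.0.0/8 and 198.51.100.0/24 documentation ranges), timestamps and log format are all constructed for illustration.

```python
# Added example (not code from the CISA/FBI/MS-ISAC guide): build a baseline
# of normal requests per minute and flag minutes whose volume exceeds it,
# noting whether a handful of sources account for most of the surge.
# Every value below (baseline counts, addresses, timestamps) is constructed.
from collections import Counter, defaultdict
from statistics import mean, stdev

# Constructed history: requests per minute observed during normal operation.
BASELINE_RPM = [410, 395, 432, 388, 420, 405, 398, 415, 427, 402, 392, 418]


def baseline_threshold(history, k=3.0):
    """Alert threshold: mean plus k standard deviations of the historical rate."""
    return mean(history) + k * stdev(history)


def summarize_by_minute(log_lines):
    """Group 'ip<TAB>ISO-timestamp<TAB>path' lines into per-minute source counters."""
    per_minute = defaultdict(Counter)
    for line in log_lines:
        ip, ts, _path = line.split("\t")
        per_minute[ts[:16]][ip] += 1        # bucket key is 'YYYY-MM-DDTHH:MM'
    return per_minute


def flag_minutes(per_minute, threshold, top_share=0.5):
    """Return one alert per minute whose request count exceeds the threshold."""
    alerts = []
    for minute, sources in sorted(per_minute.items()):
        total = sum(sources.values())
        if total <= threshold:
            continue
        top5 = sources.most_common(5)
        top5_count = sum(count for _ip, count in top5)
        alerts.append({
            "minute": minute,
            "requests": total,
            "distinct_sources": len(sources),
            "top5_share": round(top5_count / total, 2),
            # A surge dominated by a few sources can be filtered per source;
            # a surge spread evenly across many sources cannot.
            "concentrated": top5_count / total >= top_share,
            "top_sources": [ip for ip, _count in top5],
        })
    return alerts


def build_sample_log():
    """Constructed log: one ordinary minute, then a minute with a surge from four sources."""
    lines = []
    for minute in ("2024-05-02T10:00", "2024-05-02T10:01"):
        for i in range(1, 81):                       # 80 ordinary clients, 5 requests each
            for j in range(5):
                lines.append(f"10.0.0.{i}\t{minute}:{j * 10:02d}\t/index.html")
    for i in range(1, 5):                            # 4 flooding sources, 650 requests each
        for j in range(650):
            lines.append(f"198.51.100.{i}\t2024-05-02T10:01:{j % 60:02d}\t/search?q=x")
    return lines


def detect(log_lines=None, history=BASELINE_RPM):
    """Run the baseline check over log lines (the constructed sample by default)."""
    lines = build_sample_log() if log_lines is None else log_lines
    return flag_minutes(summarize_by_minute(lines), baseline_threshold(history))


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The threshold here is mean plus three standard deviations of the historical per-minute rate, which for the constructed baseline lands just above 450 requests per minute; a real deployment would keep separate baselines per hour of day and per service, since a Monday-morning peak is not an attack. The `concentrated` flag is what turns an alert into an action: a surge carried by a few sources is a candidate for per-source filtering, while a surge spread across thousands of sources points to upstream scrubbing or a CDN instead.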

They must also develop a comprehensive incident response plan that outlines the steps to be taken in the event of a DDoS attack, consider employing the services of a DDoS mitigation provider, evaluate current bandwidth capacity, and consider increasing it to handle sudden spikes in traffic during an attack. 

Organizations can also implement load-balancing solutions to distribute traffic across multiple servers or data centers, configure firewalls to filter out suspicious traffic patterns and/or block traffic from known malicious IP addresses, and regularly update and patch all software, operating systems, and network devices to address known vulnerabilities, as vulnerable systems can be exploited to amplify the impact of a DDoS attack.

Organizations experiencing a DDoS attack must initiate incident response plans, contact a DDoS protection service provider (if applicable), and engage with network security teams to mitigate the attack and restore normal operations. 

They must recognize the signs of a DDoS attack, such as a sudden surge in traffic, increased network latency, or unavailability of services, implement the organization’s documented and approved incident response plan immediately, and document and collect as much information as possible about the attack, including timestamps, IP addresses, packet captures, and any logs or alerts generated by network infrastructure. 

Organizations must also configure network infrastructure, firewalls, or intrusion prevention systems to filter out malicious traffic, enable DDoS mitigation services, scale up bandwidth and resources, and enable Content Delivery Network (CDN) to help mitigate DDoS attacks by absorbing and distributing traffic, minimizing the impact on organizational infrastructure. 
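Two of the steps above, filtering malicious traffic at the firewall or proxy and collecting timestamps, source IP addresses and counts for the incident record, can be shown together. The block below is an added example, not code from the guide or the agencies: a per-source token-bucket limiter of the kind a rate-limiting firewall rule or reverse proxy applies, replayed over constructed traffic, which then emits an evidence record for every throttled source. The addresses, timings, rate and burst values are assumptions chosen for illustration.

```python
# Added example (not code from the CISA/FBI/MS-ISAC guide): a per-source
# token-bucket limiter of the kind a firewall or reverse proxy applies to
# filter a flood, plus the evidence record (timestamps, source IPs, counts)
# responders are asked to collect. Times are integer milliseconds and tokens
# are integer millitokens so the arithmetic is exact. All traffic is constructed.
from collections import Counter
from datetime import datetime, timezone


class SourceLimiter:
    """Allow up to `burst` requests at once, then `rate_per_sec` per source."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec            # tokens/s equals millitokens/ms
        self.cap = burst * 1000             # bucket capacity in millitokens
        self.buckets = {}                   # ip -> (millitokens, last_ms)
        self.allowed = Counter()
        self.dropped = Counter()
        self.drop_window = {}               # ip -> [first_drop_ms, last_drop_ms]

    def allow(self, ip, now_ms):
        tokens, last = self.buckets.get(ip, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:                  # one whole token pays for one request
            self.buckets[ip] = (tokens - 1000, now_ms)
            self.allowed[ip] += 1
            return True
        self.buckets[ip] = (tokens, now_ms)
        self.dropped[ip] += 1
        window = self.drop_window.setdefault(ip, [now_ms, now_ms])
        window[1] = now_ms
        return False

    def evidence(self, base_epoch, min_dropped=1):
        """Per-source record for sources throttled at least min_dropped times."""
        def stamp(ms):
            moment = datetime.fromtimestamp(base_epoch + ms / 1000, tz=timezone.utc)
            return moment.isoformat(timespec="milliseconds")
        return [
            {"ip": ip, "dropped": n, "allowed": self.allowed[ip],
             "first_drop": stamp(self.drop_window[ip][0]),
             "last_drop": stamp(self.drop_window[ip][1])}
            for ip, n in self.dropped.most_common() if n >= min_dropped
        ]


def build_sample_events():
    """Constructed traffic: one client at 1 request/s, one source sending 200 requests in 1 s."""
    events = [(1000 * j, "10.0.0.5") for j in range(10)]
    events += [(5 * j, "198.51.100.7") for j in range(200)]
    return sorted(events)


def run_sample(rate_per_sec=5, burst=10, base_epoch=1714644000):
    """Replay the constructed events through the limiter and return the evidence list."""
    limiter = SourceLimiter(rate_per_sec, burst)
    for ms, ip in build_sample_events():
        limiter.allow(ip, ms)
    return limiter.evidence(base_epoch)


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```

With a burst of 10 and a sustained rate of 5 requests per second, the ordinary client is never throttled while the flooding source gets its first 10 requests through and then roughly one in forty. The evidence list is the artifact the guide asks for: each throttled source with its first and last drop times and its allowed and dropped counts, ready to attach to the incident record or hand to a mitigation provider. The same per-source logic is what `limit rate` rules in nftables or `limit_req` in nginx implement in production; keeping the decision per source matters because a global limiter would throttle legitimate users along with the flood.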

They must also maintain clear and regular communication with key stakeholders, including employees, customers, partners, and vendors. After the situation is resolved, organizations should conduct a thorough post-incident analysis to understand the attack vectors, the vulnerabilities exposed, and the lessons learned, and then update the incident response plan and security measures accordingly to prevent future attacks. 

If the organization has suffered a DDoS attack, it can take several important steps to recover and mitigate any potential damage. These include assessing the impact of the attack on systems, networks, and services; restoring affected services and systems to normal operation; and performing a post-incident analysis to understand the attack’s characteristics, the vulnerabilities exploited, and the attack vectors used. 

They must also implement remediation measures, review security controls, and update incident response plans to incorporate lessons learned from the DDoS attack. Additionally, organizations must provide training and awareness programs for employees to educate them about DDoS attacks, their impact, and how to recognize and report suspicious activities. They must strengthen network monitoring capabilities to detect and respond to future DDoS attacks, and engage with law enforcement agencies if the DDoS attack was severe or involved criminal activity. 

Organizations must review backup and disaster recovery processes to ensure they are robust and up to date, regularly back up critical data, and test the restoration process to verify its efficacy. As DDoS attacks are constantly evolving, it is essential to continuously improve security posture. 
