The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning organizations to take proactive steps to reduce the impact of distributed denial-of-service (DDoS) attacks.
DDoS attacks can be cheap to create but disruptive, so it could be worthwhile for network defenders to take a look at CISA's and the FBI's guidance as a backup to what they likely already know about the attacks, which can overload networks, protocols, and applications.
DDoS attacks use networks of compromised internet-connected devices to overwhelm targets with junk traffic. In the past, attackers have abused Network Time Protocol, Memcached and other protocols to amplify DDoS attacks.
"A DoS attack is categorized as a distributed denial-of-service (DDoS) attack when the overloading traffic originates from more than one attacking machine operating in concert. DDoS attackers often leverage a botnet—a group of hijacked internet-connected devices—to carry out large-scale attacks that appear, from the targeted entity's perspective, to come from many different attackers," CISA says in its guidance.
CISA highlights that Internet of Things (IoT) devices are a notable source of DDoS problems, thanks to the use of default passwords and poor security from device makers. IoT devices, like standard home routers, are a problem because they lack a user interface, meaning users can't be informed on the device by the vendor when to apply a security patch. The White House this month proposed an IoT security-labeling scheme that will come into force in the Spring of 2023. The EU is also planning a CE-style labeling scheme for IoT devices.
"Because infections of IoT devices often go unnoticed by users, an attacker could easily assemble hundreds of thousands of these devices into a formidable botnet capable of conducting a high-volume attack," CISA notes.
CISA also emphasizes that DDoS attacks don't necessarily compromise the integrity or confidentiality of a system's data, it does attack the third pillar of cybersecurity: availability. And once availability is undermined, this in turn could open the door for attacks on confidentiality and integrity that are protected by systems that depend on availability.
"Because a cyber threat actor may use a DDoS attack to divert attention away from more malicious acts they are carrying out—e.g., malware insertion or data exfiltration—victims should stay on guard to other possible compromises throughout a DDoS response. Victims should not become so focused on defending against a DDoS attack that they ignore other security monitoring," the agencies note.
While enterprise organizations can buy DDoS protection from internet infrastructure firms, there are other basic steps organizations should take, such as configuring web application firewalls and understanding how users connect to a network – for example, whether they connect via a virtual private network (VPN), which became much more prevalent during the pandemic.
CISA also recommends companies design and review high-value assets to remove dependence on a single node and ensure they're using multiple nodes. It also recommends colocation of these critical assets for business continuity. The best method, argues CISA, is to upstream service provider defenses or DDoS protections in a local datacenter.
From an organizational perspective, DDoS response should be part of an organization's disaster recovery plan, which should include knowing what alternatives are available if a critical app has been knocked out.
CISA's guide is intended for federal civilian executive branch (FCEB) agencies and not for private industry. Google, Akamai and Cloudflare contributed to the advisory, which was published alongside the US government's Multi-State Information Sharing and Analysis Center (MS-ISAC).