How to ensure effective response when IoT-era DDoS hits

Distributed denial of service (DDoS) attacks hit a slew of major online service providers worldwide, including Singapore-based telco StarHub, recently.

On October 22 and 24, StarHub’s Domain Name System (DNS) servers came under DDoS attacks that slowed web connections for some of its home broadband customers. Strikingly, customers’ own internet-connected devices, compromised without their owners’ knowledge, were used to launch the attacks.

On both occasions, StarHub mitigated the attacks – described by officials as “unprecedented in scale, nature and complexity” – by filtering unwanted traffic and increasing its DNS capacity, and restored service within two hours.

The incidents at StarHub came just days after two massive and complex DDoS attacks on US-based internet infrastructure company Dyn crippled some of the world’s most popular websites, including Twitter, Netflix, Spotify, Airbnb, Reddit, Pinterest and PayPal. The attacks commanded hundreds of thousands of compromised devices such as cameras, baby monitors and home routers to flood Dyn’s managed DNS infrastructure worldwide with traffic. Some reports claim the magnitude of the attack to be in the 1.2 Tbps range.

Although Dyn officials could not verify that claim, they had observed TCP attack volume from a few of the company’s data centers indicating “packet flow bursts 40 to 50 times higher than normal”. Still, some attack traffic never reached Dyn due to mitigation efforts by the company and its upstream providers.

These incidents certainly highlight the urgent need for enterprises and IT industry players to address vulnerabilities in the Internet of Things (IoT), where many connected devices were not designed with security in mind. These unprotected devices will be the Achilles’ heel that offers cybercriminals unauthorized access to sensitive data and the means to launch large-scale malicious activities.

Proper response plan

The key lesson to be learned here is that businesses must establish a response plan before an attack hits.

A holistic cyber-attack response plan is required for organizations to limit damage, increase the confidence of external stakeholders, and reduce recovery time and costs in a cybersecurity incident. Such a plan should also establish relationships with third parties, such as law-enforcement agencies and breach-remediation and forensics experts to provide critical assistance.

Industry consultants and agencies such as McKinsey & Company and the US National Institute of Standards and Technology recommend response plans that encompass:

  • Standardized definitions of incidents to facilitate sharing of security intelligence and internal communications

  • Classification of internal data and their criticality to ensure appropriate response efforts and activities

  • Performance targets for, for instance, assessing the extent of damage and identifying threat actors

  • Response-team operating models specifying team structures, individual roles and responsibilities, escalation processes and war-room protocols aligned with specific incidents and data being targeted

  • Continuous improvement of the response plan, including post-incident documentation of incident details, actions taken and lessons learned

Real-time expert monitoring

Supporting such a response plan, F5 Networks has introduced preemptive security capabilities that automatically mitigate Layer 4-7 attacks, including volumetric DDoS attacks, upstream in the ISP realm before they reach an organization’s data center.

The F5 DDoS Hybrid Defender, for example, combines multilayered DDoS defense across network, session, and application layers to intelligently integrate offsite cloud-based scrubbing, where volumetric attack traffic can be redirected seamlessly. To weed out illegitimate requests to keep operations and sites running smoothly, this approach uses behavioral analysis to identify and mitigate attacks, machine-learning to detect evasive threats or traffic anomalies, and powerful automation capabilities to boost efficiency.

Like the F5 DDoS Hybrid Defender, the F5 Silverline hybrid security services are also supported by the F5 Security Operations Center (SOC), which mitigated a DDoS attack that peaked at 448 Gbps early this year. Silverline DDoS Protection filters the traffic directed at a customer’s site for legitimate user data and passes the clean traffic on to the customer’s servers; illegitimate attack traffic is dissipated at the scrubbing center.

The SOC’s 24-by-7 global monitoring and research produce threat intelligence feeds on the latest bots or bad IP addresses that empower F5’s on-premise, virtual and cloud-managed solutions.

When a security incident occurs, F5’s well-equipped and well-resourced SOC employs a combination of static and dynamic malware analysis methods to understand how the malware was installed and run; how it behaves when executed; whom it communicates with and what information is shared; and what components are installed and how they operate. The detailed analyses provide organizations with post-incident insights to improve their cybersecurity response plans.

“A security approach that centers around protecting the network and the devices that are connected to it is no longer enough,” says Emmanuel Bonnassie, senior vice president of Asia Pacific at F5 Networks. “Applications and access to those apps are becoming the new perimeter; protecting them and having the ability to detect breaches and respond quickly defines the future state of security.”

This is a QuestexAsia feature commissioned by F5 Networks Asia Pacific.