DDoS Extortion Attacks Are on the Rise: Are You Prepared
Distributed Denial of Service (DDoS) extortion campaigns, also called DDoS ransom attacks or RDDoS attacks, have risen so sharply in the last few months that the FBI has issued a warning to US companies.
These attacks come from the out of the blue. They’re typically announced by a ransom note like this one, received by one of our clients, that threatens a massive and crippling DDoS attack unless your organization sends the perpetrators a large amount in cyber currency by a specified deadline.
What to do if you get a DDoS extortion threat. First, don’t pay it. Paying identifies you as a target worth pursuing and invites future attacks, despite the attackers’ promises to leave you alone if you pay them off. The FBI recommends reporting any attack to their nearest field office, as the information you can provide may help identify the attackers and ultimately hold them accountable,
Next, contact your DDoS mitigation provider and share the details of the threat you received. While some of these extortionists do not actually follow through with an attack, you need to be prepared to weather one if it materializes. Your DDoS partner will be better able to help you do that if they are forewarned.
If you don’t already have an explicit DDoS mitigation strategy, now is the time to develop one. If and when you’re hit with an RDDoS threat, you don’t want to be scrambling to put together a defense that can handle it. Here’s a step-by-step outline of how to create an effective strategy that will see you through any threat or actual attack you may receive.
Step 1: Assess your risks and your tolerance.
Start by identifying all your online assets that are at risk in the event of a DDoS attack and where they reside: in the cloud, in a data center, with a service provider, and so on.
Review your list, considering whether you need to protect everything to ensure your organization can continue to function. Outages may be acceptable for some assets or resources – a marketing microsite, for example, if not indefinitely at least for a period of time – and that will affect the protection solutions you pursue and how you configure them. In evaluating acceptable risks, don’t overlook the possibility of collateral damage to assets that share infrastructure with other potential targets, particularly high-value targets.
Step 2: Evaluate available solutions to defend your assets.
You have multiple options to protect your assets against a DDoS attack. The optimal solution for your organization is dictated by the assets you need to protect, your tolerance for downtime, and the IT resources available.
- DDoS protection via your ISP or cloud service provider could be an option, particularly if your assets are not extensive. It’s usually simple to implement since you already have a business relationship with the provider. Bear in mind, however, that they are not DDoS specialists and are not likely to offer the same level of protection, expertise and customizability as a specialist.
- A DDoS mitigation service is a better choice if your enterprise has a larger network – particularly if it spans multiple ISPs or cloud providers – or if you have a low tolerance for downtime. Carrier-agnostic, cloud-based providers can ensure assets are protected regardless of where they are housed or hosted, while also providing more expertise to meet complex operational requirements. However, these are generally off-the-shelf solutions, and while they are designed to provide strong protection for most scenarios, they cannot accommodate every network configuration.
- A fully managed cloud DDoS platform is the best choice if you have a more complex and extensive infrastructure or digital assets, limited in-house IT expertise and resources to monitor traffic and manage any required mitigations, or if your expert team is simply stretched a little thin. Managed services are more flexible and customizable to protect even the most complex and specialized networks. They also have their own SOC to monitor your traffic and assets 24/7, lightening the load on your team without compromising protection.
Step 3: Consider mitigation strategies and requirements.
In addition to identifying the best type of DDoS protection, you’ll need to consider the specific capabilities that will best match your network configuration and operational needs, which in turn will help focus your search for a qualified provider.
- BGP swing or DNS swing to divert traffic? A BGP (border gateway protocol) mitigation strategy is a better choice for protecting an entire data center or a network where you control a full IP subnet. For cloud-hosted assets and web-only resources when you don’t control at least one subnet, your provider will need to employ a DNS (domain name system) swing to safely shift attack traffic. Not all DDoS specialists offer both strategies.
- Always-on or on-demand service? Always-on protection means traffic is always routed through your DDoS mitigation provider’s platform – resulting in a faster response to any attack and greater peace of mind from constantly available protection.
With on-demand protection, you can either notify your provider that an attack is underway, or set a traffic threshold to trigger mitigation automatically. Since detection and implementation takes some amount of time (as long as a few minutes), your assets can still be exposed for a time. On the plus side, on-demand protection is generally less expensive.
Note: Many providers allow you to create a customized mix of always-on and on-demand solutions based on prefix, allowing you to benefit from the strengths of each approach
Step 4: Choose a DDOS partner and plan your protection.
With your needs clearly defined, you now have objective criteria to evaluate DDoS mitigation providers and select a partner(s) to provide the protections you have identified as crucial to your operational needs.
As you evaluate providers against your specific needs, don’t overlook the importance of their core capabilities such as the capacity and geographic reach of their mitigation network; protection for volumetric, protocol and application layer attacks; the availability of complimentary solutions; and strong service level agreements. Neustar UltraDDoS Protect checks all these boxes, while also offering a wide range of flexible options to tailor your protection,
Once you have a provider in place, make sure to share basic information about your assets and your “peacetime” traffic to help them understand your needs and configure your protections to reliably protect your network. Be prepared to provide information on:
- Total inbound traffic under normal circumstances
- Any predictable cyclic variations in traffic volume – daily, weekly, monthly
- Scope of your IP address space
- Ports, protocols and applications running in each subnet
Now is also the time to create a run book for each of your critical assets, detailing the required protection and allowable downtime, if any.
Step 5: Keep your plan and your provider up to date.
An effective DDoS protection strategy is not a set-it-and-forget-it proposition, any more than your network assets are. Devices and configurations change constantly. Your DDoS mitigation plan has to keep up with them.
Plan to conduct service reviews with your provider(s) and key IT team members at least every quarter, and to test your protection on the same schedule. If your network and applications change frequently, you made need to conduct reviews and tests more frequently.
Ensuring your DDoS partners are informed on the current status of your assets, configurations and business needs will help them do a better job in providing the protection you need – and making sure it’s there when you need it.
If you receive a threat now, you’re ready. As noted above, share the specifics of the threat with your DDoS mitigation provider(s) to make sure they’re ready, too. Since they live and breathe DDoS attacks, they may well be familiar with the threat you received through industry reports or even through one of their other customers.
Most RDDoS extortion notes threaten an attack if you fail to respond by a particular day. When that day comes:
- Ask your provider(s) to place your assets under pre-emptive mitigation. Even though threatened attacks don’t always occur, you want to be ready if one does.
- Establish clear and open communication with your provider(s). Many will open an active bridge with their operations team for the entire day to streamline access and ensure effective communications.
- Monitor the performance and availability of your assets. Visibility into your traffic will help gauge the size and impact of an attack; an external synthetic monitor can provide an outside-in view of your network.
Even if the appointed day passes without an attack, it’s a good idea to remain vigilant for a few days afterwards, just to be safe.
An RDDoS threat is no laughing matter. But with a mitigation strategy in place and a cooperative relationship with a top-tier provider, it doesn’t have to paralyze your assets or your organization.
If you have questions or concerns about your capacity to mitigate DDoS attacks of any size, or would simply like to discuss your security concerns with a knowledgeable professional, take a moment to request an email contact from one of our security experts.