Preventing DoS attacks: The best ways to defend the enterprise
Preventing DoS attacks may not always be possible, but with a strong defense, enterprises can reduce their impact and recover quickly. Expert Kevin Beaver explains the best approaches.
Denial-of-service attacks -- intentional attempts to compromise the availability of network servers, devices, applications and even internet access -- are a growing form of cyberattack, according to Verizon's "2016 Data Breach Investigations Report."
With nearly 10,000 reported incidents over the survey period, a denial-of-service (DoS) attack proved to be one of the most visible ways malicious actors wreaked havoc on enterprise networks. Many people don't appreciate how disruptive these attacks are until they end up on the receiving end of one.
This is especially true for distributed denial-of-service (DDoS) attacks, which use a large number of bots (computers that have been infected by command-and-control malware) to launch a massive number of requests for enterprise network and application services. Attacks that direct hundreds of gigabytes per second of attack traffic at victims' networks and systems had become common by 2014.
Many people misunderstand how their existing security controls can help prevent DoS attacks. Providers of DoS attack response services may claim certain capabilities, but the reality is that no one knows how a defense will stand up to a DoS attack until one actually happens. So how do enterprises prepare? There is no single answer, but there are several things IT and security teams can do to minimize the risk, including:
- Minimize the attack surface. This provides tremendous benefits for preventing DoS attacks because attacks against unneeded systems are completely avoidable. Any given enterprise has unnecessary systems and services exposed to the internet. These may be business partner or vendor connections that are used minimally, if at all, or applications that are being phased out or that could otherwise be protected by VPN or private WAN connections. A firewall rule base analysis can provide great insight into what's needed and what can go.
- Find -- and fix -- known vulnerabilities that can facilitate denial-of-service attacks. Many internet-accessible systems and applications are under-protected. This includes traditional systems, as well as newer devices that are part of the internet of things. Such flaws usually come in the form of missing firmware and software updates on perimeter systems, such as routers and firewalls, as well as on server operating systems and web server and application software. Again, this is completely preventable. Yet, in so many situations in my work, I come across internet-facing systems that have numerous unpatched DoS-related flaws.
- Use a next-generation firewall, load balancer or a DoS protection appliance. A near-ideal solution is to use a cloud-based DoS protection service. Many enterprises rely on such vendors to offload DoS traffic when the going gets rough. Just be sure to vet these companies and choose a solution in advance. They're super easy to set up, but you don't want to have to scramble and do that in the middle of an attack. You may also want to contact your internet and cloud service providers in advance to see how they can help.
- Know what's normal on your network. Today's networks are evolving into massive centers of complexity and unknowns. Can you honestly say that you know what's coming and going across your network ingress/egress points? Most people either don't have that level of visibility or they simply cannot keep up due to the number of systems and the volume of network traffic. Ingress filtering, for example, is a valuable technique for preventing DoS attacks.
- Make a plan. A common oversight related to preventing DoS attacks is a lack of formal, documented incident response plans. It's rare for me to come across such a document, even in larger enterprises. A well-written incident response plan will address denial-of-service attacks and provide general guidance on who needs to be called, specific steps that need to be taken to minimize the impact of such an attack and how to clean up and move forward afterwards.
Keep in mind that moving to the cloud or outsourcing defense duties is not going to eliminate the risks or absolve the business of the responsibilities related to preventing DoS attacks. There have been many well-known denial-of-service attacks against some of the most popular and seemingly resilient cloud service platforms. Just because these vendors are big doesn't mean they can't be affected.
I worked on one such project where a client was hosting a handful of high-traffic websites for its enterprise customers. One particular webpage had an open proxy vulnerability that was resolved a few years prior. However, it apparently remained on some online open proxy lists, and it was still being targeted. This page was receiving over 20,000 requests per minute, which not only prevented the website from being accessible, it also crippled part of the cloud service provider's environment, which was unexpected, and quite the letdown for my client.
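Knowing what's normal (the fourth recommendation above) is what makes a flood like the one in this case visible early. The script below is an added example, not code from the article or from Kevin Beaver's engagement: it parses a constructed web-server access log, uses the median requests-per-minute as the site's baseline, and flags any minute that blows past both an absolute floor and a multiple of that baseline, reporting how concentrated the traffic is on one page, how many source addresses it comes from, and how much of it uses absolute URLs in the request line, the signature of clients treating the server as an open proxy. The IP addresses, timestamps and thresholds are all made up for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in Apache/Nginx "combined" log format, not real traffic.
# 10:03 and 10:04 are quiet; 10:05 simulates a flood of proxy-style requests
# (absolute URL in the request line) aimed at a single page.
SAMPLE_LOG = (
    '203.0.113.10 - - [01/Mar/2017:10:03:12 +0000] "GET /index.html HTTP/1.1" 200 512\n'
    '203.0.113.11 - - [01/Mar/2017:10:03:40 +0000] "GET /about HTTP/1.1" 200 1024\n'
    '203.0.113.12 - - [01/Mar/2017:10:04:05 +0000] "GET /contact HTTP/1.1" 200 2048\n'
    + "".join(f'198.51.100.{i % 20} - - [01/Mar/2017:10:05:{i % 60:02d} +0000] '
              f'"GET http://example.net/ HTTP/1.1" 200 64\n' for i in range(300))
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \S+')


def parse_log(text):
    """Parse combined-format lines into (minute, ip, target); malformed lines are skipped."""
    records = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append((ts.strftime("%Y-%m-%d %H:%M"), m["ip"], m["target"]))
    return records


def find_flood_minutes(records, factor=10, floor=50):
    """Flag minutes whose request count exceeds an absolute floor and `factor`
    times the median per-minute rate, i.e. what is 'normal' for this site."""
    per_minute = defaultdict(list)
    for minute, ip, target in records:
        per_minute[minute].append((ip, target))
    threshold = max(floor, factor * statistics.median(len(v) for v in per_minute.values()))
    report = {}
    for minute, hits in sorted(per_minute.items()):
        if len(hits) <= threshold:
            continue
        report[minute] = {
            "requests": len(hits),
            "distinct_sources": len({ip for ip, _ in hits}),
            "top_target": Counter(t for _, t in hits).most_common(1)[0],
            # absolute URL in the request line: client is treating the server as a proxy
            "proxy_style": sum(t.startswith(("http://", "https://")) for _, t in hits),
        }
    return report
```

On a real site the baseline should come from days of history rather than a handful of minutes, and the floor should be set well above the site's legitimate peak; the structure of the check stays the same.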
One final thing to keep in mind is that not all DoS attacks are intentional. Denial of service can come in the form of vulnerability scanning and penetration testing, as well as server, network infrastructure device and general system misconfigurations.
There are a lot of moving parts involved with DoS protection and response. The most important thing you can do regarding DoS attacks is to think about them and do something in advance. You need a plan. You need the proper technologies providing visibility and control to help identify the type of DoS attack and to determine the appropriate response. These will allow you to minimize your risks to a reasonable level, so that attackers can't just launch DoS attacks with little to no effort. It will also help you to respond in a quicker -- and more professional -- way, instead of simply trying to wing it once an attack begins.