For some odd reason, this came to mind on a recent weekend as a customer of ours came under a severe DDoS attack. A little background here will give you a feel as to why:
We got a call for help to quickly install our DDoS service from a customer who was under a severe DDoS attack. They needed the service installed on Sunday so they could be ready for business Monday morning. I forwarded the note to our team and on Sunday morning they began to mobilize in order to install the service and begin scrubbing the customer’s traffic.
I happened to be getting on an early morning flight and when we landed six hours later, I could not believe what I saw in my inbox. There were no less than 40 emails with at least 20 people on the threads posing questions about configurations, routing, locations, addresses, test plans, decision ownership, who could say go/no go… you get the picture. With a great deal of quick work by our team in cooperation with our customer, we were able to implement a solution by Sunday night!
These sorts of events can easily strain an attacked organization at a time of intense pressure. Uncertainty about how the network is configured, where the affected routers are located and who has decision-making authority regarding solutions within the organization can be significant obstacles to implementing a quick solution. Even the most technically savvy organizations can struggle when their critical systems have been disabled by an attack. I’m proud to say our team at Level 3 can and does help our customers through these difficult times.
The victim in the weekend attack was a large global company with significant technical resources and they did have a plan in place should the unthinkable occur. Proof enough that it’s quite impossible to plan for everything and, like both Michaels said, on game day, sometimes plans change.
I asked our CISO at Level 3, Dale Drew, what he sees as the top three things an enterprise should do to plan for a DDoS attack and he shared the following:
Understand your attack surface.
- It is important to know what your public application profile looks like; what IP addresses you own and what applications are accessible on those IP addresses. Ask yourself how susceptible your public applications are to a DDoS attack, whether it’s volumetric or an attack that’s specifically focused on the application layer.
- Knowing what can be attacked, and how, gives you the tools to plan your response to a DDoS attack should it occur.
Call your ISP.
- Your internet service provider is probably best equipped to help you prepare for a DDoS attack. Contact your ISP’s Security Operations Center (SOC) and review what response processes and capabilities they have to help detect, prevent and mitigate a DDoS attack.
Be prepared to offer a sacrificial lamb.
- In the event you cannot effectively stop a DDoS attack against your network/system, be prepared to move that attacked system to another network to ensure your main network and infrastructure are protected.
I like how Dale laid this out. It’s simple, actionable and it also allows you to begin to plan for the unexpected. But I would add one more action item to this list: if you don’t have a plan in place, get one fast. If you do, don’t count on the plan alone. Then, like any good team: practice, practice and practice some more. And practice, in this case, should include simulations at all hours of the day and week. That way when the day does come – and it will – you have a better chance of survival.
I am delighted our customer was up and operating securely late on Sunday, in time for business Monday morning. In sharing this with you, I am hopeful that should you have a similar experience, your outcome is just as positive, and you might be able to avoid some of the anxiety that can come with these situations.