On the morning of Oct. 21, internet users awoke to a terrifying prospect: a large number of popular websites and business tools were completely inaccessible.
As users clamored to start the workday without significant internet access, it became clear the problem was the result of hackers launching a massive distributed denial of service (DDoS) attack on Dyn, Inc., a major Domain Name System (DNS) host that helps route traffic across the internet. Gizmodo reported a slew of websites and applications that were impacted by the hack, including:
- Squarespace Customer Sites
- Zoho CRM
In DDoS attacks, hackers repeatedly test their target's security to ensure their assault achieves the highest amount of damage. The attack starts by exploiting one vulnerability, then spreads via malware, gradually shutting down network systems and rendering websites inoperable.
Large-scale attacks like this have real financial implications for businesses and individuals all over the world; businesses don't only risk lost traffic and sales, but are unable to access vital tools that they use in their everyday operations. Although Dyn was able to restore normal service quickly, it might not be as simple for small businesses with fewer resources. Here's what you need to know to protect your small business against DDoS attacks.
Assume you're a target, no matter how small you are
Since the only DDoS attacks we hear about are those against large corporations, banks and the government, many SMBs don’t think they will ever be the target of digital warfare. Consequently, they don’t take the necessary precautions to prevent or mitigate attacks.
The reason for an attack could be anything, said Vann Abernethy, field CTO at NSFOCUS, a provider of DDoS mitigation solutions. It could be an extortion attempt, a protest against company practices, or even an act of revenge by a disgruntled client or ex-employee. Even without any technical knowledge, anyone with a checkbook and a grudge or a statement to make can launch an attack.
"Everybody that has a measurable ROI associated with their web presence or anybody that can feel pain from their website being down is a target," Abernethy said.
Abernethy advised businesses to always read the fine print and see what their web host's policies are regarding DDoS attacks. While some say they will protect you, most have consumer-grade security that is not strong enough to defend your website against high-volume attacks.
Determine your security needs
Small businesses have two choices when it comes to DDoS security, said Brian Laing, SVP of corporate development, products and strategic alliances at network security platform Lastline, Inc.
"The first is to use cloud-based applications which can more easily scale up to handle any DDoS attacks. The second option would be to implement a DDoS solution that can protect against both application and bandwidth (packet flooding) attacks," Laing said.
Before implementing any type of DDoS defender, SMBs should investigate exactly what type of solution a vendor is providing, according to Laing. For instance, the defense mechanism should be able to distinguish good traffic from bad, and should have a self-learning capability so it can set flexible thresholds.
Abernethy agrees: "We see thousands and thousands of attacks every day, so we have both detection and mitigation algorithms. They basically say, 'That looks like an attack, it smells like an attack, let’s engage our mitigation algorithms.' It looks at the attack traffic itself and then says, 'Yes, that is an attack.' We can detect those attacks and the system can be set up to go into automatic mitigation."
What SMBs need, Abernethy says, is a purpose-built DDoS defender with both detection and mitigation functions to quickly diagnose and mitigate DDoS attacks. The system should also be a "learning machine" that gets to know your environment over time for more precise detection.
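As an added illustration (not from the article or from any vendor quoted in it), the sketch below shows what a "self-learning" detector with a "flexible threshold" means in practice, compared with a fixed limit. The class name, parameter values and per-minute traffic figures are all constructed assumptions.

```python
class AdaptiveRateDetector:
    """Learns a request-rate baseline (EWMA) and flags intervals far above it.
    All parameter values are illustrative assumptions."""

    def __init__(self, alpha=0.2, factor=3.0, floor=50.0, warmup=5):
        self.alpha = alpha    # how quickly the baseline follows normal traffic
        self.factor = factor  # alert when rate exceeds factor * baseline
        self.floor = floor    # never alert below this rate (tiny sites are noisy)
        self.warmup = warmup  # intervals to observe before alerting at all
        self.mean = None
        self.seen = 0

    def threshold(self):
        return max(self.floor, self.factor * self.mean)

    def observe(self, count):
        """Feed one interval's request count; return True if it looks like a flood."""
        if self.mean is None:
            self.mean, self.seen = float(count), 1
            return False
        flagged = self.seen >= self.warmup and count > self.threshold()
        if not flagged:
            # Learn only from traffic judged normal, so a flood cannot
            # pull the baseline up and hide itself.
            self.mean += self.alpha * (count - self.mean)
            self.seen += 1
        return flagged


def adaptive_flags(counts, detector=None):
    detector = detector or AdaptiveRateDetector()
    return [i for i, c in enumerate(counts) if detector.observe(c)]


def static_flags(counts, limit):
    return [i for i, c in enumerate(counts) if c > limit]


# Constructed sample: requests per minute seen by a small site.
QUIET = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96, 105, 101]
RAMP = [110, 121, 133, 146, 160, 176, 193, 212, 233, 256]  # legitimate growth
FLOOD = [4000, 5200, 4800]                                  # sudden flood
SAMPLE = QUIET + RAMP + FLOOD + [250, 245]                  # busy but normal again

if __name__ == "__main__":
    print("static limit 200:", static_flags(SAMPLE, 200))
    print("learned baseline:", adaptive_flags(SAMPLE))
```

The fixed limit of 200 flags the legitimate busy minutes as well as the flood, while the learned baseline flags only the three flood minutes. A learned baseline can still be walked upward by a slow, sustained increase, so an absolute ceiling is worth keeping alongside it.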
Have a recovery plan in place
SMBs should also keep in mind that defending oneself from DDoS attacks doesn’t stop at prevention and mitigation. Because a DDoS attack shuts down your entire operation — and because most anti-DDoS protections are primarily concerned with simply knocking the attack down — you should have a recovery plan that either you or your providers facilitate.
Pierluigi Stella, chief technology officer of Network Box USA, a global managed security services provider, says that fending off an attack boils down to strategy and having the right resources for defense.
"The real problem, though, is that defense is not a piece of hardware but a strategy, wherein the hardware plays an important role, but isn't the only player," Stella said.
First, if your connection is an old T1 at 1.5 Mbps, Stella advises upgrading to one with much larger bandwidth that can’t be taken down so quickly.
A Disaster Recovery (DR) site should also be part of your recovery plan, Stella said. The DR site should have all your data, so it will serve as your temporary site as you work on getting the current one back up.
Ryan Huber, a security expert at Slack Technologies, Inc., says that depending on your business, a simpler option is a static page, such as product literature or other representation of your site. This will temporarily disable site functions such as online ordering, but serves its damage-control purpose of not keeping customers in the dark as you get the full site running.
"This has the added benefit of helping you to keep users informed during the attack," he said.
Abernethy recommends that anyone who does business online do regular, full backups. The recovery plan should also include critical details, such as what the recovery process is, where data backups are stored and who is responsible for which tasks. Disaster-recovery planning should also be part of regular operational maintenance.
"Don't just make a plan and think you are covered," Abernethy said. "Get into the habit of reviewing the full plan each backup cycle to ensure any changes are accounted for. It sounds like a lot of extra work, but it really isn't if you build it into your normal routine."
As Stella says, businesses should always be in "prepared" mode: "Don't wait for the hurricane to strike."
Additional reporting by Adam C. Uzialko. Some source interviews were conducted for a previous version of this article.