Clavister Blog Staff

Lessons from the Liberian DDoS attack

In Blog post by Clavister Blog Staff

A massive DDoS attack has compelled the Liberian authorities to request assistance from the UK and the US in securing the country’s IT infrastructure.  While the attack did not take down the country’s entire Web access, nor affect the African Coast to Europe (ACE) submarine fibre cable which links Liberia to the wider internet as some initial media reports suggested, it did bring down the country’s Lonestar MTN internet service provider, which is responsible for about 60% of the country’s network.  What’s more, the outage lasted for around two weeks – far too long for individuals and businesses alike.

The source of the attack has not been confirmed, but suspicions abound that it harnessed the Mirai botnet, which uses a zombie network of compromised devices such as internet-connected digital CCTV cameras. Named after the Japanese word for ‘the future’, the Mirai botnet has been responsible for some of the world’s most damaging DDoS attacks, including the recent takedown of Brian Krebs’ blog.

Botnet-powered DDoS attacks are a huge threat to business continuity, not because they are particularly insidious or sophisticated in themselves, but because of their sheer scale. The DDoS attack on Brian Krebs’ website was the largest recorded DDoS attack in history. And as more and more connected devices join the Internet of Things (IoT), there are more and more potential devices and machines for cybercriminals to recruit into botnet armies.  They don’t need to stick to laptop and desktop computers. As the Mirai botnet underlines, even very simple devices can become part of an extremely damaging DDoS machine.

The good news is that, just as botnets themselves can be composed of relatively simple devices, so too can an effective DDoS mitigation strategy be composed of relatively simple tools and techniques. By ensuring, for example, that your network is properly segmented and incorporates basic load balancing tools, and by considering packet scrubbing services to reduce traffic volumes, you can significantly improve your DDoS readiness – and these are basic practices of good network architecture anyway.

More proactively still, you can get closer to the actual source of DDoS attacks, by considering the simple yet highly effective strategy of GeoIP blocking.  This works on the principle that once cybercriminals have compromised an IP address, whether to distribute spam or malware, to launch phishing attacks or, in this case, to build a botnet and launch DDoS attacks, that IP address is very unlikely, further down the line, to become benign. In other words, once it is compromised, it should be blocked permanently from connecting to your network.

On a related note, there are likely to be whole geographical regions from which your business need never accept internet traffic, because you do not do business there, and are unlikely to do so.  If those regions also happen to be responsible for a high proportion of cyberattacks, then that’s a doubly-strong reason to automatically block all traffic originating from there.

GeoIP blocking allows you to block this known malicious or unnecessary traffic at the outset – but, furthermore, if a DDoS attack on your organization begins, it allows you to identify precisely where on the internet it is originating from, and to block traffic from those specific IP addresses or regions, until the attack has passed. It’s like an absorbent shield, taking the impact of DDoS attack seamlessly and enabling you to carry on with normal operations.  And it’s a feature of our next-generation firewalls.

It also allows you to form a strategy for how to proactively respond to the attack, whether in your own security gateways or in conjunction with your ISP, asking for help to stop the attack closer to its source.

As the IoT grows, the scale of DDoS attacks is likely to grow too. Proactive organizations should get ahead of the game now, and implement simple steps that can mitigate the impact of these exploits.