Distributed denial of service (DDoS) attacks have returned to the headlines in recent weeks, with successful attacks launched against both the international bank HSBC and the enormously popular smartphone app Pokémon GO.
DDoS attacks are occasionally pushed to the background in cybersecurity discussions: they’re not as sophisticated as advanced malware or ransomware attacks, and are sometimes viewed as a kind of brute-force digital vandalism – problematic, but an inconvenience rather than a critical issue.
However, we believe this attitude is a mistake. DDoS attacks can be enormously dangerous. A website or other online service that’s unavailable causes direct revenue losses immediately, while the longer-term reputational damage from having a website that is seen as weak can be even more damaging. What’s more, once a DDoS attack is underway and services are down, the vast majority of IT security resources are understandably directed towards trying to bring them back online. It’s the perfect opportunity for clever cybercriminals to attempt something more insidious, while the DDoS attack itself is automatically managed by huge botnets.
It is vital, therefore, that DDoS prevention is as central a part of your wider IT security strategy as firewalls and other perimeter protections, antivirus and so on.
How should you achieve this? First, you should ensure that basic principles of DDoS mitigation, including bandwidth management, appropriate load balancing and intelligent network segmentation, are built into your infrastructure as standard. These are straightforward ways of minimising the impact of a DDoS attack should it occur, and potentially preventing it from actually downing your network. All these measures are built into our Next Generation Firewall solutions as standard.
Second, you should think about GeoIP blocking. This works on the simple principle that a vast number of the IP addresses and websites your organization connects to – a majority of them, in fact – should not be touching your organization at all. Perhaps they are in geographic areas or specific countries where your organization does no business, and is unlikely to ever do so. Perhaps they are known bad IP addresses that distribute malware, are the source of phishing attacks, have been hijacked for malicious purposes – or, of course, are controlling the botnets that launch DDoS attacks.
So rather than allowing traffic from these unnecessary sources and running the risk of DDoS attacks (and plenty more besides), why not automatically block it at the outset? Essentially, GeoIP blocking allows you to pinpoint where on the internet a DDoS attack is being launched from, and then to automatically block all traffic from those specific IP addresses or regions until the attack has passed. It offers a kind of perimeter protection against DDoS attacks, preventing them from actually hitting your network.
With GeoIP blocking in place, if a DDoS attack begins, you can immediately analyse where the traffic is coming from and form a strategy for mitigating the attack. This might be best placed in your security gateways, or it might involve communicating with your ISP to stop the attack closer to its origin. Either way, the power is back in your hands.
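As an added illustration of the analysis step described above (example code, not from the original post or any vendor product), the following Python counts gateway connection attempts per source country and lists the regions that exceed a hit threshold and lie outside the regions where the organisation does business. The prefix table, the XA/XB/XC country codes and the log lines are constructed stand-ins for a real GeoIP database and firewall log.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-country table standing in for a GeoIP database (assumption).
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "XA"),
    (ipaddress.ip_network("198.51.100.0/24"), "XB"),
    (ipaddress.ip_network("192.0.2.0/24"), "XC"),
]

# Constructed gateway connection log, one "epoch src_ip dst_port" per line.
SAMPLE_LOG = """\
1469000000 203.0.113.10 443
1469000000 203.0.113.11 443
1469000001 203.0.113.12 443
1469000001 198.51.100.7 443
1469000002 203.0.113.13 443
1469000002 192.0.2.40 443
1469000002 192.0.2.41 443
1469000003 10.9.8.7 443
"""

def country_of(ip):
    """Map a source address to its country code; 'ZZ' when no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return "ZZ"  # unmapped sources cannot be geo-blocked and need per-IP handling

def hits_by_country(log):
    """Count connection attempts per country across the log."""
    counts = Counter()
    for line in log.splitlines():
        _ts, src, _port = line.split()
        counts[country_of(src)] += 1
    return counts

def geoip_block_list(log, business_countries, threshold):
    """Countries at or above threshold hits that are not business regions: (country, hits)."""
    hits = hits_by_country(log)
    return sorted((cc, n) for cc, n in hits.items()
                  if n >= threshold and cc not in business_countries)

def prefixes_for(country):
    """Prefixes to feed into a gateway deny rule for a blocked country."""
    return [str(net) for net, cc in GEOIP_TABLE if cc == country]

if __name__ == "__main__":
    for cc, n in geoip_block_list(SAMPLE_LOG, {"XC"}, 2):
        print(cc, n, prefixes_for(cc))
```

Country XC also reaches the threshold in the sample but is kept open because it is a business region, which is the trade-off the allowlist encodes.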