In my last post about creating a DDoS incident response action plan, I quoted analyst Linda Musthaler listing the signs of a DDoS attack. In that article she also discussed several things you should do to mitigate an attack, including the need to include procedures for DDoS mitigation in your “business continuity/disaster recovery” plans.
I brought up this point to Steve Snyder, technical marketing manager at StorageCraft. He paused for a moment and then chuckled. “She says you need to do this, but she doesn’t tell you how to do it!”
Steve also pointed out that disaster recovery is just a subset of business continuity, something I (and Linda and so many others) tend to forget. Disaster recovery is just one aspect of business continuity.
What is business continuity?
Business continuity addresses how a business can continue to function during any failure event, large or small, and asks questions like: what happens if you lose 80% of your staff to the flu (H1N1 is making its rounds again, after all)? How will you function then? How do your customers continue to do business with you during that type of event? What other types of event might affect your staff and your ability to continue doing business? A good BC plan looks at critical departments and their processes and develops strategies that spell out how each of those departments will continue to function during a crisis. The event can certainly be IT related, but business continuity also covers everything from a pandemic to riots and acts of God.
Steve added a few examples of critical departments and processes, such as business financing, HR policies and employee management, ISP and phone service providers, legal contracts and compliance – in other words, the entire business organism.
If only you could use magic…
DDoS attacks are tough to combat because it’s extremely difficult to differentiate between good and bad traffic. Philosophically it’s akin to the problem Steve had when playing the trading card game Magic: The Gathering when he was younger. He had collected some very rare cards over the years, and he took them to an event. At one point, two kids were standing on either side of him, each repeatedly reaching in to look through his collection. Steve couldn’t watch both of them at the same time, and at the end of the day several of his best cards were missing.
Steve said (while I cried silently in the background – kids can be so mean!):
What they had essentially done was a DoS (Denial of Service) attack, because I considered each of their requests or questions to be legitimate, and I couldn’t discern that the reason for the request was some other motive. Trying to answer both at the same time, switching back and forth, kept me from doing what I should have been doing, which was holding on to my assets.
Simple DoS attacks are fairly easy to stop, according to Steve. You can just tell your edge router to ignore anything from a given range of IP addresses. But what about those DDoS attacks that can marshal thousands of zombie computers using multiple modes of attack?
Steve said no easy answers exist: these attacks are at once complex and yet impossible to respond to with the sort of human analysis they ideally require, because by the time a person could work out what is happening the damage is done. “You’ve got to have some way of getting around this when the packet flood overloads your system or bogs it down,” Steve says.
Treating DDoS like a pandemic
Steve says you can do a few things right off the bat to limit DDoS attacks. The most obvious one is just dropping IP packets from areas where you don’t do business, such as China or Estonia.
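The two quick measures Steve describes (telling the edge router to ignore a given IP range, and dropping packets from regions where you do no business) amount to a static allow/deny decision per source address. The following is an added illustration, not code from the original post or from StorageCraft; the blocked range, the region-to-prefix map and the sample packet records are all constructed from RFC 5737 documentation addresses, and it also counts the collateral the post warns about: legitimate requests that happen to share a blocked range get dropped too.

```python
import ipaddress
from collections import Counter

# Constructed blocklist in the style Steve describes: one attacking source
# range fed to the edge router, plus prefixes for regions the business never
# serves. The region map is invented for this example; a real deployment
# would take it from a GeoIP feed, which changes constantly.
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
REGION_PREFIXES = {
    "region-A": [ipaddress.ip_network("198.51.100.0/24")],
    "region-B": [ipaddress.ip_network("192.0.2.0/25")],
}
UNSERVED_REGIONS = {"region-A"}   # region-B is a served market and stays open


def classify(src: str) -> str:
    """Return the action a static edge filter would take for one source IP."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BLOCKED_RANGES):
        return "drop:blocked-range"
    for region, nets in REGION_PREFIXES.items():
        if region in UNSERVED_REGIONS and any(ip in net for net in nets):
            return f"drop:geo-{region}"
    return "forward"


def filter_packets(packets):
    """Apply classify() to (src, is_legitimate) records.

    Returns a Counter of actions and the number of legitimate requests that
    were dropped only because they shared a range with the attack traffic:
    the 'good vs bad traffic' problem a range block cannot solve.
    """
    actions = Counter()
    collateral = 0
    for src, legitimate in packets:
        action = classify(src)
        actions[action] += 1
        if legitimate and action != "forward":
            collateral += 1
    return actions, collateral


# Constructed sample traffic: (source address, whether the request was genuine).
SAMPLE = [
    ("203.0.113.7", False), ("203.0.113.9", False), ("203.0.113.200", True),
    ("198.51.100.5", False), ("192.0.2.10", True), ("192.0.2.130", True),
]

if __name__ == "__main__":
    print(filter_packets(SAMPLE))  # blocked-range 3, geo 1, forward 2, collateral 1
```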
Otherwise Steve recommends viewing a DDoS attack as a potential pandemic, one that can take down your business without, of course, literally shutting your doors. For example, the WHO (World Health Organization) maintains various contingency plans to limit and mitigate the risk of contracting or spreading the Ebola virus.
Many of these plans will dovetail into plans you already have in place to stop things like viruses and ransomware on the IT side and plans you have to keep your business going should the majority of your employees come down with next year’s flu.
The most important thing, however, is treating DDoS as something that’s part of the risk of doing business and responding in a brave, clear-eyed fashion.
Photo credit: Kyle Geese via Wikimedia