A Distributed Denial of Service (DDoS) attack is an attempt to render an online service unavailable by overwhelming it with traffic from multiple distributed sources.
The National Cyber Security Centre (NCSC) is a pivotal organization in cyber security advice and supports the most critical organizations in the UK, the wider public sector, industry, SMEs and the general public. When incidents occur, they provide effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future. So what does the NCSC advise in relation to preparing for DoS/DDoS attacks?
The National Cyber Security Centre (NCSC) advises that it is not possible to fully eliminate the risk that a denial of service attack may be successful, but it does offer some practical steps so you can be prepared:
1. Understand your service: the points where resources can be exhausted, and whether you, or a supplier, are responsible for them.
2. Ensure your service providers are prepared to deal with overloading of their resources.
3. Ensure your service can scale to deal with surges in use.
4. Have a denial of service response plan in place that includes graceful degradation of your service.
5. Monitor for denial of service attacks and test your ability to respond.
Whilst all of these elements are important, we feel the most significant one here is ‘test your ability to respond’. You might have bought the best defenses money can buy and have a comprehensive plan in place, but if you haven’t tested that these tools work, it will all be for nothing. As the NCSC states:
“Thinking you are well prepared to defend against denial of service attacks is not the same as knowing. There could be bottlenecks in your service you hadn’t anticipated, and you would not have foreseen with a paper-based review alone. It’s better to test your ability to defend an attack, and to have some knowledge of the types and volume of attacks you are able to defend. Consider testing your ability to defend both network layer and application layer attacks.”
So, let’s now take a look at what we think is best practice for DDoS testing:
Best Practice DDoS Testing
Scoping/Planning – First and foremost, it is key to understand the purpose of the test: whether you are testing your mitigation provider, or whether you want to understand how the people in your organization respond to an inbound attack. It is also key to identify a time to conduct the test when the effect on your business would be minimal; if you are testing a website, this could be late at night when traffic is at a minimum, to reduce any issues that could arise from the test. It is then a case of identifying the parameters for the test itself, which can be done by documenting your networks and defining clear targets for the test.
Technical Scoping – After you have identified the type of test you would like to conduct, you should work with the testing provider to ensure the service you have chosen will give you the most value and findings. Testing providers may have tested against the mitigation you currently use, so a deep dive into their technical recommendations can be valuable. At this stage a testing plan should be created so you know exactly what will be happening for the duration of the testing cycle.
Testing – This is the stage where the test itself is conducted, based on the recommendations previously agreed and documented in the testing plan. It should be done in a controlled environment, ideally with key staff members on a conference bridge to discuss the findings as the traffic is being sent to your infrastructure. This also gives you the ability to stop the test, usually within 15 seconds, should any services start to fall.
Post-test Analysis – The findings of this stage are delivered in a report from your testing provider, which identifies and explains what the test found. This is your opportunity to make configuration changes to your mitigation to ensure your protection is fully utilized. It is also the time to evaluate how your staff responded internally to the test.
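As an added example (not code from this article or from any testing provider) of the stop-the-test condition in the Testing stage and the monitoring the NCSC asks for, the following Python watchdog replays health-check probes of the service under test and reports when the test would be aborted; the probe format, the thresholds and the two probe streams are constructed assumptions.

```python
"""Abort watchdog for a controlled DDoS test (constructed example).

Evaluates health-check probes of the service under test over a sliding window
and decides when the test must be stopped, so that an abort is reached within
seconds of services starting to fall. Thresholds and probe streams are assumed.
"""
from collections import deque
from dataclasses import dataclass
from statistics import median

WINDOW_S = 10.0          # sliding window (seconds) over which health is judged
MIN_SAMPLES = 3          # do not judge on fewer probes than this
ERROR_RATE_LIMIT = 0.5   # abort when more than half the window's probes fail
LATENCY_LIMIT_MS = 2000  # abort when median window latency exceeds the SLA


@dataclass(frozen=True)
class Probe:
    t: float          # seconds since test start
    status: int       # HTTP status of the probe; 0 means timeout / no response
    latency_ms: float


def window_verdict(window):
    """Return (error_rate, median_latency_ms, abort) for one window of probes."""
    failed = sum(1 for p in window if p.status == 0 or p.status >= 500)
    error_rate = failed / len(window)
    lat = median(p.latency_ms for p in window)
    return error_rate, lat, (error_rate > ERROR_RATE_LIMIT or lat > LATENCY_LIMIT_MS)


def first_abort_time(probes):
    """Replay a probe stream; return the time the test would be stopped, or None."""
    window = deque()
    for p in probes:
        window.append(p)
        while window[0].t < p.t - WINDOW_S:   # drop probes older than the window
            window.popleft()
        if len(window) >= MIN_SAMPLES and window_verdict(window)[2]:
            return p.t
    return None


# Constructed probe streams, one probe every 2 s: a single timeout blip at t=10
# that must not abort, and a run where the service falls over from t=22 onward.
HEALTHY_WITH_BLIP = [Probe(t, 0 if t == 10 else 200, 5000.0 if t == 10 else 120.0)
                     for t in range(0, 32, 2)]
DEGRADATION_START = 22
DEGRADED_RUN = ([Probe(t, 200, 120.0) for t in range(0, DEGRADATION_START, 2)]
                + [Probe(t, 0, 5000.0) for t in range(DEGRADATION_START, 42, 2)])

if __name__ == "__main__":
    print("blip run aborts at:", first_abort_time(HEALTHY_WITH_BLIP))    # None
    print("degraded run aborts at:", first_abort_time(DEGRADED_RUN))     # 26
```

The degraded run is stopped 4 seconds after the first failed probe, comfortably inside the 15-second stop window described above; tune the thresholds to your own service's SLA.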
It is important to understand these steps and then test how effectively you deal with an attack through DDoS testing: understanding the level of mitigation cover you have, configuring the mitigation solution properly, and testing the people in your organization to see how they respond to such attacks. Ask yourself the question: “do we have a process in place when an attack happens?” Regular DDoS testing can ensure that you meet these requirements.