Understanding and Defending Against Distributed Denial of Service Attacks
Picture this scenario: your local government begins to receive calls from people who cannot access their online utility accounts, others call saying your website is slow to load, your 911 service and computer-aided dispatch report having issues, and finally, staff across all departments report being unable to access their email. What is going on? It may be that your agency is being hit with a Distributed Denial-of-Service (DDoS) attack, similar to what happened to the Belgian government in 2021 or Minneapolis, MN, in 2020. Malicious actors use DDoS attacks to overwhelm an agency’s network and prevent its users from accessing services.
A 2021 Radware study highlighted a 1,800% surge in government-targeted DDoS attacks when compared to data from 2020. While many of these attacks were mitigated, the successful attacks were severe. Investing in DDoS mitigation is growing in importance as government leaders embrace digitalization and cloud computing to address mission needs. Understanding this threat matters because it can impact the availability of services delivered to state and local partners, as well as constituents.
Why Does It Matter?
By preventing users from accessing your network (including websites, online accounts, email, etc.), these attacks can:
- Be costly to identify and fix,
- Lead to a drop in employee productivity, and
- Damage agency credibility with the public.
A DDoS attack can paralyze an organization’s mission-critical applications. To understand what that might mean for your local government, consider which internet- or cloud-based applications your agency relies on to manage its daily operations. All of them can be jeopardized in a DDoS attack.
DoS vs DDoS
The best way to understand DDoS is to compare it with a Denial-of-Service (DoS) attack. DDoS attacks are more challenging to detect, are faster to launch, use a higher volume of traffic, and complicate source tracing.
More challenging to detect and mitigate
DoS attacks originate from a single computer rigged via a script or malicious software to send hundreds or thousands of connection requests to a server, preventing it from serving legitimate users. DoS mitigation options include blocking the malicious traffic or designing ways to manage that traffic. However, the use of many compromised computers in a DDoS attack increases the volume of traffic hitting servers, as well as the impact of the attack. Because the traffic arrives from many sources, blocking individual sources becomes impractical.
Increased speed of attack
DDoS attacks employ a network of compromised computers, aka “botnet,” coordinated by a command-and-control program. Centralized control enables fast deployment of compromised smartphones, tablets, and other Internet-connected computing devices to assail a single target. In contrast, DoS attacks take longer to deploy because the attacker needs to install scripts or malware on a computing device.
Uses a high volume of traffic
A DDoS attack allows an adversary to overwhelm an agency’s IT systems (including websites and cloud-based applications) with massive amounts of Internet traffic from many locations, making it difficult to detect and block. A DoS attack is easier to block given its single-source nature.
Complicates source tracing
Attackers can deploy decoys within a DDoS botnet (network of compromised computers) to hide the active devices generating malicious traffic.
Types of DDoS Attacks
The DDoS attack variants that exist as of this writing fall into the three categories below. Consider the availability of your mission-critical services and which of these attacks would have the greatest impact on your ability to deliver services to your communities.
Volumetric attacks overwhelm network capacity with high volumes of malicious traffic. Internet-based services (e.g., online accounts, email, etc.) are the primary target for these attacks.
Protocol attacks exploit weaknesses in Internet traffic protocols. One example is Border Gateway Protocol (BGP) hijacking. The intent of BGP is to enable a network router to choose the most efficient option for connecting with other networks. BGP hijacking allows an attacker to reroute traffic to systems of their choosing.
While volumetric attacks attempt to overwhelm systems with traffic and protocol attacks attempt to manipulate that traffic, application attacks attempt to exploit application vulnerabilities to open connections and initiate processes to consume resources in the application hosting environment.
Protecting Against DDoS Attacks
You now understand what DDoS attacks are and the impact they can have. You understand the three types of attacks an adversary can employ to disrupt your mission. How can you frustrate that effort? Below are three DDoS prevention tips:
- Perform a risk assessment: Assess your Internet-facing systems to determine which would impact your mission negatively if compromised by a DDoS attack. This will help scope your future DDoS protection investments.
- Document and track what normal traffic looks like: Do you know what kind of traffic your web applications receive, when, and for how long? The ability to identify unusual network traffic patterns is among the best ways to identify DDoS attacks. Know what is normal for your environment.
- Invest in DDoS protection: Use the results of your risk assessment to research DDoS protection options. This may include hardware, software, or managed-service solutions. The Cybersecurity & Infrastructure Security Agency (CISA) has a DDoS Quick Guide detailing DDoS attack methods and mitigation options.
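One way to put the "know what is normal" tip into practice, as an added example that is not part of the original article or MRSC's own tooling: a Python script that builds a per-minute baseline from a web server access log and flags minutes whose request rate or number of distinct source addresses exceeds the baseline mean plus three standard deviations. The log lines, IP ranges, paths and thresholds are constructed assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)')

def build_sample_log():
    """Constructed synthetic log (not real traffic): five quiet minutes from a few
    sources in 192.0.2.0/24, then one minute flooded by 60 sources in 203.0.113.0/24."""
    lines = []
    for minute in range(5):
        for i in range(3 + minute % 3):  # 3-5 requests per quiet minute
            lines.append(f'192.0.2.{i + 1} - - [12/Mar/2021:10:0{minute}:15 -0800] '
                         f'"GET /utilities/account HTTP/1.1" 200 512')
    for i in range(60):  # flood: one request each from 60 distinct sources
        lines.append(f'203.0.113.{i + 1} - - [12/Mar/2021:10:05:{i:02d} -0800] '
                     f'"GET /utilities/account HTTP/1.1" 200 512')
    return lines

def minute_key(ts):
    """'12/Mar/2021:10:05:37 -0800' -> '12/Mar/2021:10:05'."""
    return ts.split(' ')[0].rsplit(':', 1)[0]

def bucket_by_minute(lines):
    """Per-minute request counts and the set of distinct source IPs."""
    counts, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-incident
        key = minute_key(m.group('ts'))
        counts[key] += 1
        sources[key].add(m.group('ip'))
    return counts, sources

def baseline(counts, sources, minutes):
    """Mean/pstdev of requests/min and distinct sources/min over known-normal minutes."""
    rates = [counts[m] for m in minutes]
    srcs = [len(sources[m]) for m in minutes]
    return (statistics.mean(rates), statistics.pstdev(rates),
            statistics.mean(srcs), statistics.pstdev(srcs))

def flag_anomalies(counts, sources, base, k=3.0, floor=1.0):
    """Flag minutes exceeding mean + k*stddev; 'floor' keeps a tiny stddev from over-alerting."""
    mean_r, sd_r, mean_s, sd_s = base
    rate_thr, src_thr = mean_r + k * max(sd_r, floor), mean_s + k * max(sd_s, floor)
    return [m for m in sorted(counts)
            if counts[m] > rate_thr or len(sources[m]) > src_thr]
```

The distinct-source count is the signal that separates a DDoS from a single-source DoS: a burst from one address is easy to block, while a burst spread across many addresses is the pattern to alert on.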
The best preparation against the actions of bad actors is to understand your mission-critical systems and how to protect them. This will allow you to be resilient against these threats and to recover quickly if compromised.
MRSC is a private nonprofit organization serving local governments in Washington State. Eligible government agencies in Washington State may use our free, one-on-one Ask MRSC service to get answers to legal, policy, or financial questions.