We've entered a new era in network performance security. This year saw the emergence of the largest distributed denial of service (DDoS) attack of all time — over a terabyte of information per second. The discovery of the Mirai botnet, comprised of Internet of Things devices, and the recent discovery by security firm CloudFare of a major DDoS attack aimed at the U.S. West Coast, show that the problem is real, pervasive, and has consequences.
When you're victim to a DDoS attack, your business can lose in a number of ways. Let's dive into the consequences, then discover how your network manager might support in mitigatating network performance attacks.
Potential Consequences of Network Performance Failures
You already know that downtime is less than ideal for your business. Not only can you lose hours of productivity, but if you have any customer-facing assets or services, you can lose credibility and customers when your network is down. So perhaps the scariest thing about network performance attacks is that your daily business operations may not be extremely resilient to them.
"If you can't access the tools on your network, that could cause drastic financial consequences," says Jennifer Allen, Twinstate's Red Team manager. "You need to identify issues before you're brought to a standstill."
Downtime isn't the only risk of lacking network performance defense mechanisms. Depending on the type of attack, you could either experience a short delay due to a required device restart, or a degradation in backend data integrity. Certain attack types could cause your system to log bad data or allow an attacker the opportunity to corrupt data that already exists. Imagine, for example, you have a weblog running, and you get 100,000 fake requests for comments, explains Allen. Suddenly, not only is your network overwhelmed, but you have 100,000 bogus comments on your page. Sometimes the consequences are bigger than anticipated, and the amount of remediation required larger, too.
"The other concern, though, is that some types of attacks and vulnerabilities actually rely on denial of service attacks," Allen says. "If you experience a DDoS attack, and your IDS or IPS are effectively brought down due to activity — either the devices receive too much traffic to properly analyze it or the tables on the backend are consumed with data — that could open you up to a more serious, targeted attack against specific endpoints, ones that would be otherwise protected."
The more precise an attack appears to be, the more likely it is designed to bring down certain functionality in order to facilitate a more sophisticated attack. But you won't know about any of that without network performance defense mechanisms. So what can you do?
Getting Network Performance Defense in Place
The details of setting up network performance defense systems might be best left to professional consultants or a strong IT security team, if you have one in-house. But the concepts are something that everyone in leadership should understand.
At their most basic, network performance monitoring systems help you identify everyday issues and to recognize and reduce the effectiveness of a more serious attack. Click to tweet.
Here are a few key concepts to understand:
1. Identify a Baseline
Performance refers to a couple of things: the ability of endpoints to communicate with servers and with each other, and the throughput from and to the internet. Identifying performance issues correctly is dependent on you understanding your baseline. Discover what types of traffic are used every day and identify the highest consumers on your network. That way, if and when consumption jumps up on one endpoint that isn't typically high consumption, you can recognize the increased demand and decide whether or not to investigate.
2. Understand Attack Nature
An attacker may impact network performance intentionally or as collateral damage when they either abuse your existing network activities and protocols (which is why you need a baseline — to discover if it's being abused), or consume resources that exist on the network. It's much more difficult to identify the latter as an attack. A server might not recognize the request and therefore, drop the traffic, which means you won't see an interference indicating malicious activity in your log. That type of attack is often focused on DNS or other legitimate services, says Allen. Attackers will attempt to create impact by consuming valid resources or at least spoofing to appear valid for as long as possible.
Some attacks involve consuming resources on a given server when the server itself is being attacked to bring down services. This could either exploit a flaw in a running service or just send a massive amount of traffic requests. It's not as easy to identify unless you have baselines for every particular host or server. It can be very difficult to detect while just observing traffic spikes.
3. Find the Solution
You need not only a monitoring solution, but also DOS mitigation and egress and ingress filtering. These can be inexpensive and easy to launch, says Allen, so there's no reason not to get started.
Need more information on network performance defense? Contact our consultants today.
Originally published on 01/18/2017