Acknowledging the worsening DDoS problem, the United States government’s Cybersecurity and Infrastructure Security Agency (CISA) published an updated guidance document on understanding and responding to DDoS in March of 2024. The new document is a joint effort of CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the FBI.
Indeed, Distributed Denial of Service (DDoS) attacks continue to be a serious threat not only for enterprises but also for government organizations. A recent report shows a 94% increase in DDoS incidents worldwide and a 196% rise for organizations in the Americas. Perpetrators of attacks are using new technologies and tactics to exploit vulnerabilities and overcome defences.
The Guidance Update
The update provides insights into the three main DDoS techniques, namely volumetric, protocol-based, and application-based attacks. Organizations are expected to thoroughly understand these techniques to respond to them efficiently.
Volumetric attacks aim to exhaust the bandwidth capacity and other resources of a website or web app. Protocol-based attacks target weak protocol implementations to impair performance or create malfunctions. Meanwhile, application layer attacks focus on the vulnerabilities of specific apps or web services that are running. The update details how these techniques work, along with some illustrations. Also, it emphasizes that attacks may combine two or more techniques. New attack methods and variations are constantly emerging, as threat actors make use of new technologies and strategies.
The document lists 15 steps to address DDoS attacks. These are as follows: risk assessment, network monitoring, traffic analysis, CAPTCHA implementation, having an incident response plan, using a DDoS mitigation service, bandwidth capacity planning, load balancing, proper firewall configuration, system patching and updating, web application security, implementing redundancy and failover mechanisms, employee awareness, communication planning, and having a regularly tested backup and recovery plan.
Moreover, the document provides insights on how to detect an ongoing DDoS attack, respond to a DDoS incident, and reduce the impact of an attack. These guides are designed to be comprehensive and easy to comprehend. They also emphasize the need to monitor trends and technologies related to DDoS attacks for organizations to build DDoS protection systems capable of detecting and blocking sophisticated attacks.
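The guidance's "network monitoring" and "traffic analysis" steps, and its distinction between volumetric and application-layer attacks, can be illustrated with a small per-second traffic analyser. This is an added example, not code from the CISA document; the flow records, thresholds and the `analyse` function are all constructed here, and the thresholds are assumed baselines that a defender would tune to their own environment.

```python
from collections import defaultdict

# Constructed sample flow records: (second, source_ip, bytes, request_path).
SAMPLE_FLOWS = [
    (0, "10.0.0.1", 1200, "/"), (0, "10.0.0.2", 900, "/login"),
    (1, "10.0.0.3", 1100, "/"),
    # second 2: a volumetric burst, large payloads from many sources
    *[(2, f"203.0.113.{i}", 1_500_000, "/") for i in range(1, 41)],
    # second 3: an application-layer flood of one expensive endpoint, small payloads
    *[(3, f"198.51.100.{i}", 300, "/search?q=x") for i in range(1, 61)],
]

# Assumed baseline thresholds (tune per environment, e.g. from a week of normal traffic).
VOLUMETRIC_BYTES_PER_SEC = 10_000_000   # bandwidth exhaustion signal
APP_REQS_PER_PATH_PER_SEC = 50          # one endpoint hammered repeatedly
MIN_DISTINCT_SOURCES = 20               # "distributed" rather than a single noisy client


def analyse(flows):
    """Aggregate flows per second and return (second, category, detail) alerts."""
    per_sec = defaultdict(lambda: {"bytes": 0, "srcs": set(), "paths": defaultdict(int)})
    for sec, src, nbytes, path in flows:
        bucket = per_sec[sec]
        bucket["bytes"] += nbytes
        bucket["srcs"].add(src)
        bucket["paths"][path] += 1

    alerts = []
    for sec in sorted(per_sec):
        bucket = per_sec[sec]
        distributed = len(bucket["srcs"]) >= MIN_DISTINCT_SOURCES
        # Volumetric: bytes per second far above baseline, spread over many sources.
        if distributed and bucket["bytes"] >= VOLUMETRIC_BYTES_PER_SEC:
            alerts.append((sec, "volumetric", bucket["bytes"]))
        # Application-layer: low bandwidth but one path requested at an abnormal rate.
        for path, count in bucket["paths"].items():
            if distributed and count >= APP_REQS_PER_PATH_PER_SEC:
                alerts.append((sec, "application-layer", path))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(alert)
```

Protocol-based attacks are not covered here because they need packet-level state (half-open connections, malformed headers) rather than flow counts.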
Potential Shortcomings
Following the US government’s DDoS protection guidance document is a good starting point for DDoS defence. However, it has its limitations.
For one, its guidance does not address the full spectrum of DDoS attack vectors, as it is essentially a general guide that helps organizations prepare for the possibility of getting hit by a DDoS attack. It also advises organizations to keep an eye on the latest DDoS attack trends. However, it does not provide specific information about new attacks to watch out for. It does not cite specific examples of sophisticated DDoS tactics and the most effective ways of dealing with them.
The DDoS guidance update jointly prepared by CISA, MS-ISAC, and the FBI can be likened to “best practices.” They serve as a crucial foundation for DDoS protection, but they are not enough to protect an organization against targeted attacks. Also, the guidance does not take into account the resource constraints and other challenges encountered by many organizations.
It may be difficult for some organizations to implement extensive network monitoring or subscribe to DDoS mitigation solutions. These realities are not reflected in the guidance document, making it inapplicable to some organizations.
Also, the guidance document is not mandatory. It does not compel organizations to implement the mechanisms or procedures that would make them adequately prepared to address DDoS threats. The involvement of the government in addressing the DDoS problem is a welcome development in the cybersecurity space.
However, issuing a guidance document that does not carry the weight of an order or regulation is similar to running an infomercial. It offers suggestions, but there is no guarantee of widespread adoption or of the correct implementation of preventive mechanisms and mitigation plans.
A Better Approach
Let’s remember that DDoS attacks are illegal. Those found to be involved in the perpetration of such attacks can be prosecuted by the FBI and its international law enforcement partners. However, there are no laws or regulations that compel organizations to implement sufficient defences against DDoS. Instead of mere guidance, it would arguably be better for the US government to impose requirements for organizations in the private and public sectors to be reasonably prepared to prevent denial-of-service attacks and mitigate their impact.
Ideally, organizations should have a multi-layered approach to defending themselves from DDoS attacks. This entails investments in DDoS mitigation, including solutions for malicious traffic identification and filtering. Organizations should also put in place cyber resilience strategies. It should be unacceptable, especially for government websites, to become unavailable when they are crucial in the administration of public service.
Additionally, the government should establish a framework for mandatory collaboration between the private and public sectors to effectively address sophisticated DDoS attacks. ISPs, businesses, and government agencies should be required to promptly report DDoS incidents and to quickly develop coordinated responses. While most of the leading DDoS solutions at present are designed to have zero-day defence capabilities, it would be significantly faster and easier to detect threats that have already been identified, with the information about them rapidly shared with everyone who could become a target.
Governments have immense powers at their disposal, and they can use these to address persistent cyber threats. Some may find this idea a step in the wrong direction because it can lead to excessive government oversight or involvement in many private affairs. But desperate times call for desperate measures.
In Conclusion
The US government guidance on DDoS attacks is a welcome step as far as highlighting the seriousness of denial-of-service threats is concerned. However, its impact is quite limited. Providing suggestions and best practices has limited effects in addressing the threats.
Not many pay attention to these guidelines, let alone follow them religiously. It would be great to have governments partnering with industry associations, nonprofits, and cybersecurity institutions to come up with enforceable protocols, mechanisms, or procedures for dealing with DDoS and other forms of cyber threats.