DDoS Threat Mitigation Profile
Distributed Denial of Service (DDoS) attacks are increasing in complexity, size, and frequency. The range of targets and methods (e.g., from using traditional devices such as PCs and laptops, to using connected Internet of Things (IoT) devices) has also broadened. Enterprises wishing to mitigate the impact of future DDoS attacks and reduce the likelihood that internal devices are incorporated into botnets to attack other enterprises, find comprehensive guidelines are not readily available today. Larger enterprises are forced to devote significant financial and personnel resources to identifying, procuring and deploying appropriate mitigation mechanisms. Smaller businesses often lack the expertise or cannot afford to divert those resources to developing an anti-DDoS strategy. Comprehensive solutions are complex, and often require a combination of locally managed and external commercial services, so communicating organizational needs to service providers and vendors is critical.
The Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) version 1.1, developed by the National Institute of Standards and Technology (NIST), with extensive private sector input, provides a risk-based and flexible approach to managing cybersecurity risk that incorporates industry standards and best practices. The Cybersecurity Framework is, by design, crafted to enable individual organizations to determine their own unique risks, tolerances, threats, and vulnerabilities, so that they may prioritize their resources to maximize effectiveness.
The Framework provides for broad applicability across a variety of industries, organizations, risk tolerances and regulatory environments and can be supplemented by the use of Profiles. As defined by the Framework, a Profile is the application of Framework components to a specific sector, threat, or organization. A Profile may be customized to suit specific implementation scenarios by applying the Framework Category and Sub-Categories appropriate to the circumstances. Profiles should be constructed to take into account the organization’s a) business/mission objectives; b) regulatory requirements; and c) operating environment.
Organizations can use Profiles to define a desired state for their cybersecurity posture based on their business objectives and use it to measure progress towards achieving this state. It provides organizations with the ability to analyze cost, effort and risk for a particular objective. Profiles may also be used by industry sectors to document best practices for protection against specific threats.
The DDoS Threat Mitigation Profile emphasizes how the Cybersecurity Framework can be leveraged to improve organizational defenses and responses to DDoS attacks. For this Profile, Cybersecurity Framework Categories and Subcategories were identified that are most important to combating DDoS threats. To further enhance the Profile, Priorities and Framework Comments have been added. The Categories and Subcategories are labeled with different priorities used to protect network and services against relevant attacks:
P1 – Highest Priority Subcategories
P2 – Secondary Priority Subcategories
P3 – Tertiary Priority Subcategories
Organizations should seek to implement all the identified Subcategories but when resources do not allow for doing so, implementing the P1 Subcategories will provide a strong foundation.
The DDoS Threat Mitigation Profile represents a Target Profile focused on the desired state of organizational cybersecurity in order to mitigate DDoS threats. Enterprises that wish to enhance the resilience of their networks against DDoS attacks can significantly benefit from utilizing the DDoS Threat Mitigation Profile.
The intent of this Profile is to provide guidance to enterprises and establish a common language for discussions regarding DDoS mitigation mechanisms with product vendors, ISPs, and other infrastructure providers. The Profile may be used to help enterprises identify opportunities to improve DDoS threat mitigation and aid in cybersecurity prioritization by comparing their current state with the desired target state. Importantly, this Profile does not directly address what organizations should do to prevent their assets from becoming part of a Botnet and potentially part of a DDoS attack on another organization. Doing so requires a set of Subcategories that are best captured in a separate Profile.
Managing cybersecurity risk is an enterprise-wide activity and as such, this Profile is meant to be used by multiple parts of an organization. While information technology and security teams may have the ultimate responsibility for recommending, implementing, and maintaining technical security controls across the organization, risks extend well-beyond the technical aspects. As such, the intended audience for this Profile is any person or business unit that has a responsibility for, or may be impacted by, a DDoS attack. This should include legal and regulatory risk managers.
Information technology and security personnel can use the Profile to identify the types of technologies and services they will need to develop, implement and maintain an effective DDoS mitigation strategy.
Legal and regulatory personnel can use this Profile to align internal management of DDoS risk to external requirements and ensure that the organization is meeting those requirements.
Compliance teams can use this Profile to determine whether or not the organization has implemented the correct measures to protect against DDoS attacks.
Overview of the DDoS Threat
A DDoS attack attempts to overwhelm a network, service or application with traffic from multiple sources. There are many methods for carrying out DDoS attacks. These can include:
Low bandwidth connection-oriented attacks designed to initiate and keep many connections open on the victim exhausting its available resources.
High bandwidth volumetric attacks that exhaust available network or resource bandwidth.
Protocol oriented attacks that take advantages of stateful network protocols such as TCP.
Application layer attacks designed to overwhelm some aspect of an application or service.
Although each of these methods can be highly effective, in recent years, there has been considerable attention given to volumetric attacks as the result of several high-profile incidents. One prominent example of a volumetric DDoS attack vector is reflection amplification. This is a type of DDoS attack in which the attacker fakes the attack target’s IP address and launches queries from this address to open services on the Internet to solicit a response. The services used in this methodology are typically selected such that the size of the response to the initial query is many times (x100s) larger than the query itself. The response is returned to the real owner of the faked IP, hence the term “reflection”. This attack vector allows attackers to generate huge volumes of attack traffic, while making it difficult for the target to determine the original sources of that traffic. Reflection amplification has been responsible for some of the largest DDoS attacks seen on the Internet through the last decade.
DDoS is often referred to as a ‘weaponized’ threat, given that technical skills are no longer needed to launch an attack. In fact, services to conduct DDoS attacks have proliferated and become easily obtainable for relatively low cost. Attackers can build out their attack capability in many ways, such as the use of malware to infect Internet connected devices, deploying servers within hosting environments, exploiting program flaws or other vulnerabilities, and by exploiting the use of inadequate access controls on Internet connected devices to create botnets. The United States continues to be the most frequent target of DDoS attacks and infected hosts within the US public and private infrastructure are most frequently leveraged as the source of DDoS attacks. Availability is a core information security pillar but the operational responsibility and discipline for assessing and mitigating availability-based threats such as DDoS often falls to network operations or application owners in addition to Risk and Information Security teams. Because of this divided responsibility, fissures in both risk assessment and operational procedures for addressing these threats may occur. The goal of this Profile is to ensure the strategic and operational discipline needed to protect and respond to DDoS threats is comprehensively addressed by applying the appropriate recommendations and best practices outlined in the Cybersecurity Framework.
How to Use the Profile
It’s important to recognize that the Framework is designed to be implemented in a comprehensive manner. That is, it should be integrated into overall risk management policies, procedures, and programs across the entire organization. That means that risk owners and managers have to make decisions around what Categories and Subcategories will apply enterprise-wide, as well as which will apply for specific business units. Additionally, because certain Subcategories have legal and regulatory implications, it is imperative that legal counsel be consulted as part of implementing this Profile. Finally, as will all security programs, senior leadership should be aware of what is being done and authorize activities, either directly or via standing policy or delegation.
Let’s consider an example of how implementing one specific Subcategory looks in practice.
The Framework Core Subcategory ID.AM-1 says “Physical devices and systems within the organization are inventoried.” The relative importance of this Subcategory is predicated on the widely-accepted idea that you can’t properly defend what you don’t know about. The challenge often manifests with what many call “shadow IT,” or devices that have been connected to the enterprise network without the knowledge or approval of the security and operations teams. As a result, those devices may not be properly protected by the security mechanisms the organization has put into place, which in turn introduces potential risk. The nature of that risk can depend on how and where the devices are connected. An unauthorized device connected to the HR system that holds all the employee data may introduce greater risk than one connected to a hotel lobby computer for guest use that has been properly segmented. Nevertheless, risk is introduced and if that device isn’t identified, then appropriate mitigations are likely not in place.
When viewed in this context, ID.AM-1 is critical to the entire enterprise and should be applied as such. Returning to DDoS Mitigation Profile, ID.AM-1 takes on a more specific context.
Generally speaking, DDoS is only a threat to systems that are Internet facing. This typically includes websites, application servers, and gateway routers. In that context, ID.AM-1 becomes specifically about those kinds of devices and implementing the Profile means ensuring that these devices have been fully inventoried, as part of the overall enterprise identification and inventorying of devices.
This same patterns holds true for the other Subcategories presented in the Profile. In other words, the Profile should be implemented in the context of the broader enterprise risk management, not as a standalone approach.
This Profile enables organizations to take the Framework and focus on one major threat, which aids in allocating resources and measuring and reporting on how well DDoS is being mitigated for the systems under threat.
From here, how organizations use the Profile will vary based on certain factors including:
Understanding of the threat and its potential impact to the organization;
Available financial, personnel, and knowledge resources;
Maturity of cybersecurity risk management programs and procedures; and
How the organizations will measure results.
First and foremost, organizations need to have a good understanding of what the DDoS threat means to them. Assessing the real risk means thinking through how services being unavailable would impact business operations. It might mean loss of revenue when customers can’t reach your ecommerce site. Or it could mean that critical business partners are unable to connect to application interfaces essential for sharing information. Regardless, without fully understanding the risk, it is difficult to determine what resources need to be applied.
Armed with that understanding, the risk then has to be considered in the context of what resources are available. This will vary widely from one organization to the next, and may be especially impactful to small and medium sized businesses. This is where the Priorities can be of help. Start by implementing as many P1 Subcategories as possible, and work your way from there, based on the risk as it evolves.
The current maturity of an organization’s existing cybersecurity policies, procedures and programs makes a difference. If basic, fundamental cybersecurity risk management hasn’t been implemented, or is ad hoc, implementing mitigations against DDoS attacks in an effective and efficient manner will be challenging.
Finally, once DDoS mitigation mechanisms have been put into place, it is important to ensure that organizational processes are implemented for the ongoing monitoring and reporting on results. This should include:
The number of attempted DDoS attacks and to what degree the mitigations were or were not successful; and
Period review of new DDoS mitigation technologies and services to ensure the most effective mechanisms are in place, informed by risk.
Within the high level guidelines presented in this section and throughout the document, each organization will ultimately find their own way in which to make use of the Profile. This is the intent and wholly consistent with the use of the Cybersecurity Framework overall.
The following Informative References were considered in the development of the Profile:
NIST SP 800-44 Version 2 – Guidelines on Securing Public Web Servers - September 2007
NIST SP 800-53 Rev. 4 - Security and Privacy Controls for Federal Information Systems and Organizations – April 2013
IETF BCP 38 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing – May 2000
IETF BCP 84 - Ingress Filtering for Multihomed Networks – March 2004
IETF RFC 4732 - Internet Denial-of-Service Considerations – November 2006
IETF RFC 4778 - Current Operational Security Practices in Internet Service Provider Environments – January 2007
IETF RFC 5635 - Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)- August 2009