ComputerWorld recently posted an article on a subject I haven't heard much about in the last year. It seems a Dutch bank was the victim of a malicious Distributed Denial of Service (DDoS) attack. I say malicious, because there have been instances where a bank was accidentally hit with a traffic flood due to misconfiguration of a common tool, and some spotty attacks that were quickly detected and avoided. But I can't recall anything recent where a brazen attack was aimed squarely at a bank and took it off the map for a couple of days. Apparently the Dutch Government has been detecting similar attacks on its own networks.
In my work with the Canadian Financial Institution Computer Incident Response Team (CFI-CIRT), I examined and reported on DDoS avoidance and response practices on behalf of the Canadian banking community. Not a lot had changed since I had last looked at DDoS protection mechanisms several years earlier. The solutions were just as expensive, just as finicky, and just as hard to justify to management without a direct attack to show losses against. Your choices seemed to be (pick any 3):
- Over provision your bandwidth.
- Keep a second provider as a disaster recovery / incident response alternate.
- Add an appliance or three to your architecture to examine and scrub the data stream.
- Subscribe to a third-party service that filters the data stream.
- Subscribe to a third-party service that provides redundant routes to the nth degree.
- Convince your ISP to provide filtering services on demand as part of your incident response plan.
- Build an internal response plan that engages the right folks to escalate the response externally.
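Whatever you pick from that list, the appliance, the filtering service and the internal plan all hinge on the same two decisions: which sources to scrub locally, and at what point the flood is bigger than you can absorb and has to be escalated upstream. The following is an added example, not code from the original post or from CFI-CIRT, that makes those two decisions over constructed sample access-log lines. The per-source threshold stands in for the rule a local scrubbing appliance applies; the aggregate threshold stands in for the link or appliance capacity beyond which the response plan calls the ISP or a third-party filter. The IP addresses, log lines and both thresholds are assumptions for illustration, not measured figures.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Combined-log prefix: client IP, then the bracketed timestamp, then the request.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (?:\d+|-)')

# Constructed sample traffic (not real logs): four requests from three ordinary
# clients, then 400 requests in ten seconds from four flooding sources.
SAMPLE_LOG = (
    '203.0.113.10 - - [12/Feb/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512\n'
    '198.51.100.7 - - [12/Feb/2013:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024\n'
    '203.0.113.10 - - [12/Feb/2013:10:00:05 +0000] "GET /accounts HTTP/1.1" 200 2048\n'
    '192.0.2.55 - - [12/Feb/2013:10:00:07 +0000] "GET / HTTP/1.1" 200 512\n'
    + "".join(
        f'192.0.2.{100 + i % 4} - - [12/Feb/2013:10:00:{8 + i // 40:02d} +0000] '
        f'"GET / HTTP/1.1" 200 512\n'
        for i in range(400)
    )
)


@dataclass
class WindowFinding:
    window_start: int                     # epoch seconds at the start of the window
    total_requests: int
    offenders: list = field(default_factory=list)  # sources over the per-source limit
    escalate: bool = False                # aggregate rate beyond local scrubbing capacity


def analyse(log_text, window=10, per_source_limit=50, aggregate_limit=200):
    """Bucket requests into fixed windows and flag per-source and aggregate floods.

    per_source_limit models the threshold a scrubbing appliance uses to drop one
    abusive source; aggregate_limit models the link or appliance capacity beyond
    which the response plan escalates to the ISP or a filtering service. Both
    are illustrative assumptions, as is the window size.
    """
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip unparseable lines rather than crash
        ip, stamp = m.group(1), m.group(2)
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        start = int(ts.timestamp()) // window * window
        buckets[start][ip] += 1

    findings = []
    for start, counts in sorted(buckets.items()):
        total = sum(counts.values())
        offenders = sorted(ip for ip, n in counts.items() if n > per_source_limit)
        findings.append(WindowFinding(start, total, offenders, total > aggregate_limit))
    return findings


def block_list(findings):
    """Union of sources flagged in any window: the scrub rules a local appliance would apply."""
    return sorted({ip for f in findings for ip in f.offenders})


def needs_upstream_help(findings):
    """True when any window exceeded the aggregate limit, i.e. local scrubbing is not enough."""
    return any(f.escalate for f in findings)


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"window {f.window_start}: {f.total_requests} requests, "
              f"offenders={f.offenders}, escalate={f.escalate}")
    print("block locally:", block_list(results))
    print("escalate to ISP / filtering service:", needs_upstream_help(results))
```

On the constructed sample, the first ten-second window sees 84 requests with no single source over the limit, so nothing is blocked and nothing escalates; the second window sees 320 requests, all four flooding sources cross the per-source limit and the aggregate crosses the capacity threshold, which is the point where the internal plan should already have the ISP on the phone. Fixed tumbling windows are used for clarity; a real appliance would use a sliding window and would also look at bytes and connection state, not just request counts.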
Has anyone looked into DDoS solutions lately? Have there been any improvements in the choices and offerings available to large and small businesses?