3. Organizations need to tune the firewall to handle large connection rates.
The firewall will also be an important piece of networking equipment during DDoS attacks. Administrators should adjust their firewall settings in order to recognize and handle volumetric and application layer attacks. And, depending on the capabilities of the firewall, protections can also be activated to block DDoS packets and improve firewall performance while under attack.
4. Develop a methodology, or a strategy, to protect applications from DDoS attacks.
Secure technologies can provide robust protections against DDoS activity. But administrators should also think about tuning their web servers and modifying their load balancing and content delivery strategies to ensure the best possible uptime. Also relevant to such efforts is the incorporation of safeguards against multiple log-in attempts. Another interesting approach is to block machine-led, automated activities by including web pages with offer details, such as opportunities for interest rate reduction or information on new products, so that users must click on "accept" or "no thanks" buttons in order to continue deeper into website content. Additionally, content analysis is important. Such efforts can be as simple as ensuring there are no large PDF files hosted on high-value servers.
The above methods are crucial to any DDoS mitigation strategy. Organizations must also reach out to service providers and ISPs and work with them to identify novel mitigation techniques. ISPs must be involved in mitigation strategies. DDoS attacks use the same Internet as bank customers, and the ISPs carry both forms of traffic.
Of increasing importance is the need to investigate and implement intelligence gathering and distribution strategies. Such efforts should investigate data within company networks and expand to include other companies that operate in the financial services industry.
Getting more information about who the actor is, the motivations behind the attack and the methods used helps administrators anticipate and proactively architect around those attacks. Attack profile information can include the protocols used in the attack (SYN, DNS, HTTP), the sources of attack packets, the command and control networks, and the times of day during which attacks began and ended. While valuable in mitigating attacks, there is no easy way to communicate this data, and regulatory hurdles make it even more difficult to share attack information.
Right now, information-sharing consists of friends talking to friends. Information sharing needs to evolve into an automated system where organizations can log in to a solution and see correlated and raw log data that provide clues into attacks that have ended and that are in progress. Such systems could also be used to share attack intelligence and distribute protections. An industry information-sharing capability would help elevate financial services companies' abilities to cope with DDoS activity and bring the industry as a whole to a new level of preparedness.
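As an added illustration (not code from the authors or from Check Point) of the attack profile described above, the script below reduces firewall connection records to the fields the article names: protocol mix, top sources, start and end times, and the peak connection rate that firewall tuning (point 3) has to be sized against. The log format and all addresses and timestamps are constructed for this example and are not from any real incident.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log for this example: one record per connection attempt the
# firewall saw, in a hypothetical "timestamp protocol source destination" format.
SAMPLE_LOG = """\
2013-03-04T09:00:01 SYN 203.0.113.10 198.51.100.5
2013-03-04T09:00:01 SYN 203.0.113.11 198.51.100.5
2013-03-04T09:00:01 SYN 203.0.113.10 198.51.100.5
2013-03-04T09:00:02 HTTP 192.0.2.7 198.51.100.5
2013-03-04T09:00:02 SYN 203.0.113.10 198.51.100.5
2013-03-04T09:00:02 SYN 203.0.113.12 198.51.100.5
2013-03-04T09:00:03 DNS 203.0.113.11 198.51.100.6
2013-03-04T09:00:03 SYN 203.0.113.10 198.51.100.5
2013-03-04T09:00:05 HTTP 192.0.2.8 198.51.100.5
"""


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # ignore blank or truncated lines rather than failing
        ts, proto, src, dst = fields
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "proto": proto, "src": src, "dst": dst,
        })
    return events


def build_profile(events, top_n=3):
    """Summarise the attack-profile fields the article lists: protocol mix,
    the sources sending the most packets, when activity started and ended,
    and the peak connection rate per second seen by the firewall."""
    if not events:
        return None
    per_second = Counter(e["time"].replace(microsecond=0) for e in events)
    return {
        "protocols": dict(Counter(e["proto"] for e in events)),
        "top_sources": Counter(e["src"] for e in events).most_common(top_n),
        "started": min(e["time"] for e in events).isoformat(),
        "ended": max(e["time"] for e in events).isoformat(),
        "peak_conn_per_sec": max(per_second.values()),
    }


if __name__ == "__main__":
    print(build_profile(parse_log(SAMPLE_LOG)))
```

The same summary, produced from each member's own logs, is the kind of correlated record an automated industry sharing platform could exchange in place of "friends talking to friends".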
Avi Rembaum is director of 3D consulting and Daniel Wiley is a senior security consultant at Check Point Software Technologies.