New DDoS Attack Guidelines

Chris Swagler | March 27th, 2024


To help minimize critical service disruptions, the United States Government has issued new DDoS attack guidelines for public sector organizations. The document is intended to be a complete resource addressing the specific demands and issues that federal, state, and local government organizations confront while protecting against DDoS attacks. The advisory states that DDoS attacks, in which numerous compromised computers flood targeted systems with traffic or requests, rendering them inaccessible to legitimate users, are difficult to identify and prevent. DDoS is regularly employed by politically motivated threat operators, including nation-state groups and breach groups, who frequently target government websites. Since the Kremlin invaded Ukraine in February 2022, Russian and Ukrainian threat operators have routinely used DDoS to attack opposing government websites. The United Kingdom’s Royal Family official website was taken offline in October 2023 by a DDoS incident for which the Russian breach group Killnet claimed responsibility. According to recent research, DDoS attacks have grown more powerful and are used as an extortion tactic by threat actors.

3 Kinds of DDoS Attacks

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory outlining three kinds of DDoS attacks that public sector organizations should be prepared for:

  1. Volume-Based Attacks – These attacks try to deplete the target’s available bandwidth or system resources by overwhelming it with enormous amounts of traffic.
  2. Protocol-Based Attacks – The threat operators focus on weak protocol implementations, degrading the target’s performance or causing it to malfunction.
  3. Application Layer-Based Attacks – These attacks exploit vulnerabilities in specific applications or services running on target systems, draining their processing power or causing them to malfunction.

Preventing DDoS Incidents

The advisory emphasized that even though it is hard to foresee when DDoS attacks will occur, there are steps organizations can take to reduce the likelihood of being targeted. These include:

  • Conduct risk assessments to discover any vulnerabilities in the network infrastructure that could be exploited by DDoS threat operators.
  • Implement strong network monitoring and detection tools to immediately identify abnormal traffic patterns.
  • Integrate a CAPTCHA challenge to distinguish between humans and automated bots.
  • Configure firewalls to screen out unusual traffic patterns and/or block traffic from known malicious IP addresses.
  • Patch and update all software, operating systems, and network devices regularly.
  • Educate employees about DDoS attacks and how to identify and report suspicious activity.
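As an added example (not from the advisory or from SpearTip), here is one way to implement the "abnormal traffic pattern" detection the monitoring item calls for: a Python script that parses web-server access-log lines into fixed time windows and flags both individual sources sending far more requests than normal and windows whose total request count spikes, which also produces the timestamps and IP addresses the response section says to document. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format; only client IP, timestamp and request line are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, unix_seconds, request_line), or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts, m.group("req")


def detect_floods(lines, window=10, per_source_limit=50, total_limit=100):
    """Bucket requests into fixed windows of `window` seconds and flag abnormal rates.

    Returns (flagged_sources, flagged_windows): sources whose requests in any one window exceed
    per_source_limit (mapped to their peak count), and window start times whose total exceeds total_limit.
    """
    per_window = defaultdict(lambda: defaultdict(int))  # window_start -> ip -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate malformed records instead of aborting the analysis
        ip, ts, _ = parsed
        per_window[int(ts // window) * window][ip] += 1

    flagged_sources, flagged_windows = {}, []
    for start, counts in sorted(per_window.items()):
        if sum(counts.values()) > total_limit:
            flagged_windows.append(start)
        for ip, n in counts.items():
            if n > per_source_limit and n > flagged_sources.get(ip, 0):
                flagged_sources[ip] = n
    return flagged_sources, flagged_windows


def constructed_log():
    """Constructed sample: five ordinary clients plus one source sending 120 requests in 10 s."""
    base = datetime(2024, 3, 27, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [fmt.format(ip=f"203.0.113.{i + 1}", ts=stamp(i)) for i in range(5)]
    lines += [fmt.format(ip="198.51.100.9", ts=stamp(i % 10)) for i in range(120)]
    lines.append("not a log line")  # deliberately malformed record
    return lines
```

Calling `detect_floods(constructed_log())` flags the single noisy source and the one 10-second window it saturates; in practice the thresholds would be tuned against the site's own baseline traffic.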

Responding and Recovering from DDoS

The advisory emphasized the importance of implementing measures to ensure service availability during DDoS attacks. These include:

  • Increase bandwidth capacity to absorb abrupt traffic spikes during an attack.
  • Use load-balancing technologies to divide traffic among numerous servers or data centers.
  • Set up redundancy and failover methods to divert traffic to alternative resources.
  • Back up vital data regularly to allow quick recovery and reduce potential data loss.

Additionally, the United States government recommended that public sector organizations create a comprehensive incident response plan outlining the procedures to follow in the event of a DDoS attack. These plans should include:

  • Inform internet service providers or hosting providers about the attack; they may be able to help limit its impact.
  • Ensure all stakeholders, including internal teams, customers, and third-party service providers, are kept informed during the incident.
  • Use content delivery network (CDN) services to distribute content across numerous global servers and data centers.
  • Document as much information about the attack as possible, including timestamps, IP addresses, and any logs or alerts. This supports post-incident analysis and reporting the incident to law enforcement.
  • Learn from the attack by performing a post-event review, and adjust the incident response plan and security measures accordingly.

The release of the new DDoS attack guidelines by the US government marks a significant step forward in fortifying cybersecurity defenses for organizations and individuals alike. By adopting the recommended strategies, entities can bolster their resilience against DDoS attacks, mitigating potential disruptions and protecting critical systems. Proactive planning, collaboration with ISPs, and the utilization of advanced security tools are essential to combat this growing cyber threat effectively. Through collective efforts, we can create a safer digital landscape, ensuring the uninterrupted functioning of our online infrastructure.

At SpearTip, we have solutions to meet your specific needs. Advisory services and risk engineering provide a proactive approach to understanding your network vulnerabilities, ShadowSpear provides constant eyes on the glass to respond to active threats, and Incident Response helps your organization get back into a fully operational state following a cyberattack. Our tabletops will help your organization determine maturity in responding to a breach. We take real-world threats and apply them to your current exercises to ensure no single points of failure. Web application vulnerability assessments examine how an organization leverages its current technology. The team reviews application and operating system access controls, analyzes physical access to systems, and concludes with detailed recommendations to maintain compliance.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.

