US Government Issues New DDoS Attack Guidance for Public Sector

esteria.white

The U.S. government has issued new guidance on distributed denial of service (DDoS) attacks for public sector entities to help prevent disruption to critical services.

The document is designed to serve as a comprehensive resource to address the specific needs and challenges facing federal, state, and local government agencies in defending against DDoS attacks.

The advisory states that DDoS attacks, in which a multitude of compromised computers send a flood of traffic or requests to the target system to make it unavailable to its users, are difficult to trace and block.

This vector is commonly used by politically motivated attackers, including hacktivists and state groups, with government websites often targeted.

For example, Russian and Ukraine-aligned hackers have frequently hit opposing government websites with DDoS attacks since the Kremlin invaded Ukraine in February 2022.

In October 2023, the official website of the British Royal Family was taken offline by a DDoS attack that was claimed by the Russian hacktivist group Killnet.

Recent research has shown that DDoS attacks have become more powerful and are sometimes used as an extortion method by threat actors.

Three types of DDoS attacks

The joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) highlights three main types of DDoS attacks that public sector entities must prepare for:

  1. Volume-based attacks. These attacks aim to consume the target’s available bandwidth or system resources by overwhelming them with a massive volume of traffic.
  2. Protocol-based attacks. This is where attackers focus on weak protocol implementations to degrade the target’s performance or cause a malfunction.
  3. Application layer-based attacks. These attacks target vulnerabilities in specific applications or services running on the target system, consuming its processing power or causing it to malfunction.

How to prevent DDoS incidents

The advisory highlights that while it is impossible to predict when a DDoS attack will occur, there are steps you can take to reduce the chances of being hit. These include:

  • Use risk assessments to identify potential vulnerabilities in your network infrastructure that could be exploited by DDoS attackers.
  • Implement robust network monitoring tools and detection systems to quickly identify suspicious traffic patterns.
  • Integrate a CAPTCHA challenge to differentiate humans from automated bots.
  • Configure your firewalls to filter suspicious traffic patterns and/or block traffic from known malicious IP addresses.
  • Regularly patch and update all software, operating systems and network devices.
  • Educate employees about DDoS attacks and how to recognize and report suspicious activity.
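The monitoring and firewall-filtering bullets above are easier to reason about with a concrete detector. The following is an added example written for this page, not code from the CISA/FBI/MS-ISAC advisory, and it runs over constructed access-log lines rather than real traffic. It shows why a single per-IP threshold is not enough: a burst from one host is caught by a per-source rule and yields an address you can block, while a flood spread thinly across many hosts only shows up as an aggregate surge against the site's own baseline, where blocking addresses does little. The thresholds, the window size, and the nftables table and set names (`inet filter` / `ddos_block`) are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def make_sample_log():
    """Constructed sample traffic, not a real capture (all addresses are documentation ranges):
    60 s of normal load, then a 10 s burst from one host, then a 10 s flood spread over 200 hosts."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, t):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 512')

    for s in range(60):                      # baseline: 5 clients, 1 request/s in total
        add(f"203.0.113.{1 + s % 5}", base + timedelta(seconds=s))
    for i in range(300):                     # single-source burst: 30 requests/s for 10 s
        add("198.51.100.7", base + timedelta(seconds=60 + i // 30))
    for s in range(10):                      # distributed flood: 200 hosts, 1 request/s each
        for host in range(1, 201):
            add(f"192.0.2.{host}", base + timedelta(seconds=70 + s))
    return lines


def analyze(lines, window=10, per_ip_limit=100, surge_factor=5.0):
    """Run two complementary detectors over fixed windows of `window` seconds.

    per-source: an IP sending more than per_ip_limit requests in one window is flagged
                (catches a single abusive host and gives you an address to block).
    aggregate:  a window whose total exceeds surge_factor x the median of earlier clean
                windows is flagged even if no single IP is noisy (catches a flood spread
                thinly over many sources, where blocking individual IPs will not help).
    Flagged windows are kept out of the baseline so the attack cannot poison it."""
    per_window = defaultdict(Counter)        # window start (epoch s) -> Counter(ip -> requests)
    first_seen, last_seen = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        start = int(ts.timestamp()) // window * window
        per_window[start][ip] += 1
        first_seen.setdefault(ip, ts)
        last_seen[ip] = max(last_seen.get(ip, ts), ts)

    noisy, surges, clean_totals = {}, [], []
    for start in sorted(per_window):
        counts = per_window[start]
        for ip, n in counts.items():
            if n > per_ip_limit:
                prev = noisy.get(ip, {}).get("peak_requests_per_window", 0)
                noisy[ip] = {                # timestamps and counts double as incident evidence
                    "peak_requests_per_window": max(n, prev),
                    "first_seen": first_seen[ip].isoformat(),
                    "last_seen": last_seen[ip].isoformat(),
                }
        total = sum(counts.values())
        baseline = median(clean_totals) if clean_totals else None
        if baseline is not None and total > surge_factor * baseline:
            surges.append({
                "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                "requests": total,
                "baseline": baseline,
                "distinct_sources": len(counts),
            })
        else:
            clean_totals.append(total)
    return {"noisy_sources": noisy, "surges": surges}


def nft_block_commands(noisy, table="inet filter", set_name="ddos_block"):
    """Render nftables commands that add each noisy source to a blocklist set.
    The table and set names are hypothetical and assumed to exist already."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in sorted(noisy)]


if __name__ == "__main__":
    report = analyze(make_sample_log())
    for ip, info in report["noisy_sources"].items():
        print(f"noisy source {ip}: {info}")
    for s in report["surges"]:
        print(f"surge at {s['window_start']}: {s['requests']} requests "
              f"from {s['distinct_sources']} sources (baseline {s['baseline']})")
    print("\n".join(nft_block_commands(report["noisy_sources"])))
```

On the constructed input the per-source rule flags only 198.51.100.7, while the second surge window carries 2,000 requests from 200 addresses with none of them over the limit. That second case is the one where the later advice in this article applies: the firewall blocklist stays empty and mitigation has to come from upstream capacity, a CDN, or the ISP.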

How to respond to and recover from a DDoS attack

The advisory highlights the importance of putting measures in place to maintain service availability during a DDoS attack. These include:

  • Consider increasing your bandwidth capacity to handle sudden traffic spikes during an attack.
  • Implement load balancing solutions to distribute traffic across multiple servers or data centers.
  • Establish redundancy and failover mechanisms to redirect traffic to alternative resources.
  • Back up critical data regularly to enable rapid recovery and minimize potential data loss.

The US government has also urged public sector entities to develop a comprehensive incident response plan that outlines what actions to take in the event of a DDoS attack. These plans should include:

  • Inform ISPs or hosting providers of the attack, as they may be able to help mitigate the impact.
  • Keep all stakeholders informed during an incident, including internal teams, customers and third-party service providers.
  • Use a content delivery network (CDN) service to geographically distribute content across multiple servers and data centers.
  • Document as much information about the attack as possible, including timestamps, IP addresses, and logs or alerts. This can facilitate post-incident analysis and reporting of the incident to law enforcement.
  • Learn from the attack through post-incident analysis and update your incident response plan and security measures accordingly.