A trio of U.S. government agencies recently teamed up to publish updated guidance on distributed denial-of-service (DDoS) attacks targeting public sector entities, with the goal of protecting critical services from disruption.

DDoS attacks are a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming it with a flood of internet traffic from multiple sources. These sources can include compromised computers, known as bots, that are part of a larger network, or botnet, controlled by the attacker. The goal of a DDoS attack is to render the target inaccessible to its intended users, causing downtime and potentially financial losses.

The joint guidance resulted from a collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The guidance aims to provide a comprehensive resource tailored to meet the distinct requirements and challenges encountered by federal, state and local government agencies in their defense against DDoS attacks.

The guidance lists three main types of DDoS attacks that public sector entities must be prepared for:

• Volume-Based Attacks — These attacks aim to consume the available bandwidth or system resources of the target by overwhelming it with a massive volume of traffic.
• Protocol-Based Attacks — These attacks exploit vulnerabilities in network protocols or services to disrupt the target. By focusing on weak protocol implementations, the malicious actor can degrade the target’s performance or cause it to malfunction.
• Application Layer-Based Attacks — These attacks target vulnerabilities in specific applications or services running on the target system. Instead of overwhelming the network or system resources, application layer attacks exploit weaknesses in the targeted application, consuming its processing power or causing it to malfunction.

The advisory stresses the unpredictability of DDoS attacks, but highlighted proactive measures that can be implemented to minimize the likelihood of an attack. Among them: 

• Risk Assessment — Conduct a thorough and proactive risk assessment to determine the organization’s vulnerability to DDoS attacks. 
• Network Monitoring — Implement robust network monitoring tools and intrusion detection systems (IDS) to identify any unusual or suspicious traffic patterns. 
• Traffic Analysis — Regularly analyze network traffic to establish a baseline of normal traffic patterns. This helps identify any significant deviations during an attack.
• Implement Captcha  — Incorporating a Captcha challenge into a website or online service assists in distinguishing between human users and automated bots, thereby bolstering defenses against DDoS attacks.
• Firewall Configuration — Configure firewalls to filter out suspicious traffic patterns and/or block traffic from known malicious IP addresses. Keep the firewall rules updated and consider implementing rate limitations to prevent overwhelming traffic.

The guidance emphasized the importance of putting in place measures to maintain service availability during a DDoS attack. Planning ahead to establish extra bandwidth capacity or to adopt services that can spread traffic among servers can help prevent systems from being overwhelmed when attackers trigger a surge. Failover mechanisms that send traffic to redundant network infrastructure can mean that even if a system does get overwhelmed, services remain online.

Entities suffering DDoS attacks should reach out to Internet service providers (ISPs) that may be able to help by redirecting traffic. Providers can also enact port and packet size filtering or block IP addresses determined to be malicious, although one caveat is that many DDoS attacks are launched from legitimate public servers.

And creating critical data backups, along with practicing recovering from them, can help organizations bounce back, the guidance said. Entities should also use attacks as an opportunity to learn. Analyzing the incident after the fact can help inform an organization on how to update security postures and incident response plans for stronger future performance. 

Any details collected about the attacks — such as logs, identified malicious IP addresses and timestamps — can be shared with law enforcement to help them pursue perpetrators.

Authors of the joint guidance urge victims to promptly report DDoS incidents to a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870. State, local, tribal, and territorial government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).