The US government has published new distributed denial-of-service (DDoS) attack guidance for public sector entities to help prevent disruption to critical services.
The document is designed to serve as a comprehensive resource to address the specific needs and challenges faced by federal, state and local government agencies in defending against DDoS attacks.
The advisory noted that DDoS attacks, where a multitude of compromised computers send a flood of traffic or requests to the target system to render it unavailable to its users, are difficult to trace and block.
This vector is commonly used by politically motivated attackers, including hacktivists and nation-state groups, with government websites often targeted.
For example, Russian and Ukraine-linked hackers have frequently hit opposing government websites using DDoS since the Kremlin’s invasion of the country in February 2022.
In October 2023, the official website of the UK’s Royal Family was taken offline by a DDoS incident; the attack was claimed by the Russian hacktivist group Killnet.
Recent research has shown that DDoS attacks have become more powerful and are sometimes used as an extortion method by threat actors.
Three Types of DDoS Attacks
The joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), highlighted three main types of DDoS attacks public sector entities must be prepared for:
- Volume-based attacks. These aim to saturate the target’s available bandwidth or exhaust its system resources by overwhelming it with a massive volume of traffic (UDP and ICMP floods are typical examples)
- Protocol-based attacks. Here the attackers exploit weaknesses in protocol implementations, such as TCP connection handling in a SYN flood, to degrade the target’s performance or cause it to malfunction
- Application layer-based attacks. These target specific applications or services running on the target system, for example by flooding a web server with expensive HTTP requests, consuming its processing power or causing it to malfunction
How to Prevent DDoS Incidents
The advisory emphasized that while it is impossible to predict when a DDoS attack will occur, there are steps that can be taken to reduce the chances of being hit. These include:
- Use risk assessments to identify potential vulnerabilities in your network infrastructure that may be exploited by DDoS attackers
- Implement robust network monitoring tools and detection systems to quickly identify suspicious traffic patterns
- Integrate a CAPTCHA challenge to differentiate between humans and automated bots
- Configure your firewalls to filter out suspicious traffic patterns and/or block traffic from known malicious IP addresses
- Regularly patch and update all software, operating systems and network devices
- Educate employees about DDoS attacks, and how to recognize and report suspicious activities.
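The monitoring and firewall-filtering items above are easier to act on with a concrete detector. The following script is an added example, not code from the CISA/FBI/MS-ISAC guidance: it parses web-server access logs in Common Log Format, flags any source IP that exceeds a per-source request limit within a sliding time window (a crude application-layer flood signal), matches requests against a locally held list of known-bad networks, and emits the set of addresses a firewall rule would block. The sample log lines, the 10-second window, the limit of 5 requests and the 192.0.2.0/24 "known-bad" network are all constructed for illustration and are not from the advisory.

```python
"""Sliding-window request-rate detector and blocklist matcher for access logs.

Added example; the log lines, thresholds and blocklist below are constructed.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime
import ipaddress
import re

WINDOW_SECONDS = 10          # sliding window length (assumed)
MAX_REQUESTS_PER_WINDOW = 5  # per-source limit (assumed; tune to the service's normal peak)
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # stand-in for a threat-intel feed

# Constructed sample in Common Log Format: 198.51.100.7 bursts, 192.0.2.66 is on the blocklist.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /search?q=a HTTP/1.1" 200 4096
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /search?q=b HTTP/1.1" 200 4096
203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /search?q=c HTTP/1.1" 200 4096
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /search?q=d HTTP/1.1" 200 4096
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /search?q=e HTTP/1.1" 200 4096
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /search?q=f HTTP/1.1" 200 4096
192.0.2.66 - - [10/Mar/2024:12:00:04 +0000] "GET /login HTTP/1.1" 200 800
198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "GET /search?q=g HTTP/1.1" 200 4096
203.0.113.5 - - [10/Mar/2024:12:00:09 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2024:12:00:14 +0000] "GET / HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_log(lines):
    """Yield one dict per well-formed CLF line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:  # hostname or garbage in the client field
            continue
        yield {
            "ip": ip,
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "request": m["request"],
            "status": int(m["status"]),
        }


def detect_floods(entries, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW):
    """Per-source sliding window: flag an IP the first time it exceeds `limit`
    requests inside `window` seconds. Entries must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for e in entries:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() >= window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > limit and e["ip"] not in flagged:
            flagged[e["ip"]] = {"first_exceeded": e["ts"].isoformat(), "count_in_window": len(q)}
    return flagged


def match_blocklist(entries, networks=KNOWN_BAD_NETWORKS):
    """Return (timestamp, ip, request) for every request from a known-bad network."""
    hits = []
    for e in entries:
        addr = ipaddress.ip_address(e["ip"])
        if any(addr in net for net in networks):
            hits.append((e["ts"].isoformat(), e["ip"], e["request"]))
    return hits


def build_report(lines):
    """Combine per-source rate, aggregate rate and blocklist signals into one record."""
    entries = list(parse_log(lines))
    per_second = Counter(e["ts"] for e in entries)  # aggregate rate, a volume-style signal
    floods = detect_floods(entries)
    hits = match_blocklist(entries)
    return {
        "total_requests": len(entries),
        "peak_requests_per_second": max(per_second.values(), default=0),
        "flooding_sources": floods,
        "blocklist_hits": hits,
        "addresses_to_block": sorted(set(floods) | {ip for _, ip, _ in hits}),
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

A fixed per-source threshold is deliberately simple; in practice the limit should be derived from the service's observed peak, and sources behind shared NAT or a CDN will need a higher limit or an exemption so legitimate users are not cut off along with the attacker.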
How to Respond to and Recover from DDoS Attacks
The advisory emphasized the importance of putting in place measures to maintain service availability during a DDoS attack. These include:
- Consider increasing your bandwidth capacity to handle sudden spikes in traffic during an attack
- Implement load balancing solutions to distribute traffic across multiple servers or data centers
- Establish redundancy and failover mechanisms to redirect traffic to alternative resources
- Regularly back up critical data to enable fast recovery and minimize potential data loss
The US government also urged public sector entities to develop a comprehensive incident response plan that sets out the steps to be taken in the event of a DDoS attack. These plans should include steps to:
- Notify internet service providers or hosting providers about the attack, as they may be able to help mitigate the impact
- Keep all stakeholders informed during an incident, including internal teams, customers and third-party service providers
- Utilize a content delivery network (CDN) service to distribute content across multiple servers and data centers geographically
- Document as much information as possible about the attack, including timestamps, IP addresses and any logs or alerts. This supports post-incident analysis and reporting of the incident to law enforcement
- Learn from the attack via a post-incident analysis and update your incident response plan and security measures accordingly