Digital Attack Map December 25, 2014.jpg

“DDoS trends will include more attacks, the common use of multi-vector campaigns, the availability of booter services and low-cost DDoS campaigns that can take down a typical business or organization” - Q1 2015 State of the Internet Security Report


“Almost 40% of enterprises are completely or mostly unprepared for DDoS attacks”. - SANS Analyst Survey 2014



In Christmas 2014, Microsoft’s Xbox Live and Sony’s Playstation Network were hit by massive DDoS attacks by hacking group Lizard Squad. Xbox Live and Playstation Network were down for 24 hours and 2 days, respectively. Online gamers were not happy, I’m sure.


Earlier this year, GitHub, the largest public code repository in the world, was intermittently shut down for more than five days. The DDoS attacks were said to link to China’s “Great Cannon”.


We’ll never stop hearing new victims (or old ones) that are crippled by the distributed denial of service (DDoS). In fact, every new security report states record-breaking number of DDoS attacks compared to the previous one. The latest data shows that there is an increasing number of Simple Service Discovery Protocol (SSDP) attacks. I found this scary - any unsecured home-based device using Universal Plug and Play (UPnP) Protocol can be used for reflection attacks.


Did your company/organization suffer from DDoS?


How do your organization detect DDoS threats?


What DDoS mitigations do your organization implement?




Studies found that majority of the DDoS attacks were volumetric attacks at the the infrastructure layer. Firewalls, IPS/IDS, NGFW, IP reputation service, should be deployed in the defense-in-depth manner not only to protect an organization’s network perimeter against DDoS, but also to detect any inside-network infected device to launch DDoS against within or outside the organization. NetFlow or any flow-based technology is indispensable to provide visibility of any network abnormality.



Application firewalls, host-based IPS/IDS, application delivery controllers (ADC) provide up to Layer 7 visibility and protection against malicious traffic. And most importantly, don’t forget to patch your systems.



You feed all the logs, flow data, packet captures, etc. to SIEM, then what? I believe that SIEM is not SIEM without the human element. Even though vendors include many pre-built alerts/reports in SIEM, it’s human that fine-tune to fit an organization’s needs; a lot of man-power. Also, who say that DDoS won’t start from 2AM in the morning? Therefore, 24x7 coverage (think of NOC) is necessary.



Recently, we were approached by one of our service providers; they provide Security Operations Center (SOC) services to customers. In other words, they give customers 24x7x365 SIEM coverage. Service providers can also provide automatic DDoS mitigation, upstream blackholing, or even global content delivery network (CDN) services.



Just like organizations performing disaster recovery tests annually or twice a year, annual DDoS tests should be conducted. All IT departments will get familiar with the DDoS incident handling. Also, the organization’s DDoS mitigation weakness can be revealed and improved.



In the ‘80s Sci-Fi movie WarGames, there was scene in which big monitors in situation room showed traces of global missile attacks. Do you want to see something similar in real life? OK. OK. No missile attacks. Check out the following websites for a taste of current cyberattacks in real time.


Cyber Threat Map from FireEye

IPViking Map from Norse Corp

Digital Attack Map from Arbor Networks and Google