Make no mistake about it - credit unions have been put on alert by NCUA to prepare for DDoS attacks. The problem is no one is telling them how! When new threats hit the news, a wave of new “flavor of the day” vendors leap into the market. All it takes is a good marketing campaign and a splashy logo and “experts” are born (remember Pandemic and Y2K?). Your members rely on you to make vendor selections that protect their sensitive data. So what should you look for in a DDoS vendor?
We’ve put together a checklist of important points to help you navigate the DDoS vendor selection process.
3) Understand that it is not just about DDoS – DDoS is just one of many cybercrime threats making its way into the nightmares of credit union CIOs. As they race to implement yet another acronym-driven solution (IDS and IPS, to name two) to protect their perimeters, an army of attackers plots its next move, often nullifying those efforts before the installs are even complete. Key points to remember:
- Remember credit union budget cycles are notoriously SLOW
- Remember hackers are notoriously fast at exploiting vulnerabilities and/or creating new threats
- Plan for “When”, Not “If”
2) Ask your peers – The credit union industry is known for its grassroots philosophy and open collaboration. Reach out to your peers: what are they doing? Have they experienced an attack? If so, for how long? What did they do? Did they have to enlist an external partner for mitigation? (See where I’m going with this?) Referrals beat RFPs ANY DAY.
3) What type of threats are they protecting against? It might look like a simple four-letter word, but DDoS attacks range wildly in complexity and scope. Our friends at RadWare developed this table to help CIOs methodically and deliberately narrow down their pool of possible vendors and make selection easier. Use it as a scorecard: for each row, ask the vendor whether they detect that attack and whether they mitigate it, and write down the answer. Don’t go to the bargaining table without this!
| DDoS Threats | Attack Type | Attacking Target | Detection (Yes? / No?) | Mitigation (Yes? / No?) |
|---|---|---|---|---|
| SYN Floods | TCP Out-of-State Flood | | | |
| | ACK Floods | | | |
| | Garbage Floods | | | |
| | Request Floods | | | |
| | Packet Anomalies Flood | | | |
| HTTP Floods | Get Requests | | | |
| | Post Requests – Variable Values | | | |
| | Invasive HTTP Vertical Scanning | | | |
| | Invasive HTTP Horizontal Scanning | | | |
| | Put Requests | | | |
| | Search Engine Floods | | | |
| UDP Floods (Non DNS) | UDP Floods (Non DNS) | ICMP Echo Request (Ping) Flood | | |
| SSL Computing | SSL renegotiation | SSL vulnerability | | |
| | SSL traffic | HTTPS flooding | | |
| | SSL handshake | Computation power | | |
| HTTP (Get/Post) Flood Attack | HTTP Get/Post Flooding | Bandwidth | | |
| | | Processing Power | | |
| | HTTP vulnerability | Protocol / RFC | | |
| Slow Rate Attacks (AKA RUDY or R-U-Dead-Yet) | Slow HTTP Post requests | Processing Power | | |
| | | Connections / Sessions | | |
| | | Memory | | |
| Partial data / transaction attack | Application data integrity | Application security control weakness | | |
| SMTP flood | Application data integrity | Application security control weakness | | |
| FTP flood | Application data integrity | Application security control weakness | | |
| DNS Threat | DNS traffic | DNS volumetric attacks | | |
| | | DNS spoofing attacks | | |
| | | DNS amplification and reflection | | |
| | Protocol flaw | DNS ID hacking | | |
| | | DNS cache poisoning | | |
| | | DNS root server attacks | | |
| SIP / UCS Attacks | Protocol flaw | SIP Protocol Anomaly Attack | | |
| SQL Injection | Code injection | SQL database | | |
| Attack Techniques | | | | |
| Volumetric attacks | HashDoS | | | |
| | TCP/UDP/ICMP Flood | | | |
| | SYN/Push/ACK Flood | | | |
| | Malformed DNS queries / packets | | | |
| | High volume properly formatted DNS queries | | | |
| | DNS amplification / reflection attacks | | | |
| RFC/Compliance Attacks | HashDoS | | | |
| | Apache Killer | | | |
| Compute Intensive Attacks | Slowloris | | | |
| | SlowPost | | | |
| | New variant – Slow Read | | | |
| | Valid but CPU/memory intensive web/database requests | | | |
| Brute Force Attacks | Zone Enumeration / Dictionary Attacks / DNS Brute Force | | | |
| | Invalid Website Input Parameters Attack | | | |
| | Search Engine Request Attacks | | | |
| | HTTP Brute Force | | | |
| Buffer Overflow Attacks | Buffer Overflow DNS | | | |
| Anti-Automation Attacks | | | | |
| Other Attacks | HTTP Get Flood | | | |
| | LOIC or Variants | | | |
| | HOIC or Variants | | | |
| | HTTP Post Flood | | | |
| | nkiller2 (TCP Persist) | | | |
| | SIP Call-Control Flood | | | |
| | THC | | | |
| | Recoil | | | |
| | Rudy | | | |
| | Hulk | | | |
| | XerXes DoS | | | |
| | #RefRef DoS | | | |
4) Determine their mitigation strategies – Blackholing (null-routing all traffic to the attacked address) should NOT be your only DDoS mitigation strategy unless you are comfortable being completely offline for days or weeks on end; it finishes the attacker’s job for them. Depending on your credit union’s RTO/RPO, you will want the DDoS attempt identified and remediated fast enough to meet those goals AND to continue providing critical services to your members while the attack is under way. Questions to ask the vendor:
- What are the various configuration options available and how do I determine which one fits our strategic objectives?
- How quickly does your solution work to detect and mitigate?
- How do you detect legitimate users vs attackers?
- Is the solution cloud-based, or does it require an appliance onsite? (Either could be a great option for you, but you need to understand the difference: a cloud scrubbing service can absorb volumetric floods before they reach your circuit, while an onsite appliance can only act on traffic that has already fit through your pipe.)
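To make the vendor questions above concrete, here is an added example (written for this post, not Radware’s table and not any vendor’s product) that shows what two rows of the table look like in an ordinary web server access log and how “legitimate users vs attackers” can be told apart for each: an HTTP Get/Post flood shows up as request rate per client, while a slow-rate attack (RUDY / Slowloris / SlowPost) shows up as long-lived requests that trickle bytes, which a rate threshold alone never catches. The log format (an nginx-style line with the request time and request length appended), the client addresses, and every threshold are assumptions chosen for illustration.

```python
"""Added example: spotting an HTTP flood and a slow-rate (RUDY) attack in an access log.

Constructed for this post, not a vendor's product.  The log format, addresses and
thresholds are assumptions; tune the thresholds to your own site before use.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed nginx-style line: ip [epoch_seconds] "METHOD path" status request_time request_length
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+(?:\.\d+)?)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<rt>\d+(?:\.\d+)?) (?P<rlen>\d+)$'
)


@dataclass(frozen=True)
class Request:
    ip: str
    ts: float
    method: str
    path: str
    status: int
    request_time: float    # seconds the server spent on the request
    request_length: int    # bytes received from the client (headers + body)


def parse_line(line: str) -> Optional[Request]:
    """Parse one log line; return None for lines that do not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ip"], float(m["ts"]), m["method"], m["path"],
                   int(m["status"]), float(m["rt"]), int(m["rlen"]))


def flood_sources(requests: Iterable[Request], window: float = 10.0,
                  max_per_window: int = 50) -> Dict[str, int]:
    """HTTP Get/Post flood: clients exceeding max_per_window requests in any window-second span.

    Returns {ip: peak request count seen inside one window}.  A real browser can
    burst a few dozen requests on page load, so the threshold is site-specific.
    """
    peaks: Dict[str, int] = {}
    recent: Dict[str, deque] = defaultdict(deque)
    for r in sorted(requests, key=lambda r: r.ts):
        dq = recent[r.ip]
        dq.append(r.ts)
        while dq and r.ts - dq[0] > window:   # drop timestamps that fell out of the window
            dq.popleft()
        if len(dq) > max_per_window:
            peaks[r.ip] = max(peaks.get(r.ip, 0), len(dq))
    return peaks


def slow_rate_clients(requests: Iterable[Request], min_request_time: float = 30.0,
                      max_bytes_per_sec: float = 50.0) -> Dict[str, int]:
    """Slow-rate (RUDY / Slowloris) pattern: long-lived requests that trickle bytes.

    Returns {ip: number of such requests}.  These clients send far too few
    requests to trip flood_sources(), which is why the table lists them apart.
    """
    suspects: Dict[str, int] = defaultdict(int)
    for r in requests:
        if (r.request_time >= min_request_time
                and r.request_length / r.request_time <= max_bytes_per_sec):
            suspects[r.ip] += 1
    return dict(suspects)


def sample_log() -> List[str]:
    """Constructed log: one normal client, one GET flooder, one slow-POST client."""
    lines = []
    for i in range(5):                      # normal browsing: 5 pages over 15 s
        lines.append(f'10.0.0.5 [{1000 + 3 * i}] "GET /page{i}.html" 200 0.05 310')
    for i in range(200):                    # GET flood: 200 requests in 2 s
        lines.append(f'198.51.100.7 [{1000 + 0.01 * i:.2f}] "GET /" 200 0.01 120')
    for i in range(3):                      # RUDY: POSTs held open 120 s, 400 bytes each
        lines.append(f'203.0.113.9 [{1005 + 5 * i}] "POST /login" 408 120.0 400')
    lines.append("not a log line")          # exercises the parse-failure path
    return lines


def analyze(lines: Iterable[str]) -> Tuple[Dict[str, int], Dict[str, int], int]:
    """Return (flood sources, slow-rate clients, number of unparsed lines) for a log."""
    parsed = [parse_line(line) for line in lines]
    skipped = parsed.count(None)
    requests = [r for r in parsed if r is not None]
    return flood_sources(requests), slow_rate_clients(requests), skipped


if __name__ == "__main__":
    floods, slow, skipped = analyze(sample_log())
    print("flood sources:", floods)        # {'198.51.100.7': 200}
    print("slow-rate clients:", slow)      # {'203.0.113.9': 3}
    print("unparsed lines:", skipped)      # 1
```

The point for the vendor conversation: a product that only counts packets or requests per second answers the flood rows of the table but not the slow-rate rows, and a product that only watches connection duration does the reverse. Ask which of the two measurements each vendor actually makes, and how quickly the verdict turns into a block.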
5) Verify the vendor’s expertise – As I shared earlier, new threats (or new NCUA requirements) often bring a wave of new vendor choices. You will want to verify your potential DDoS partner has:
- Technical Expertise – This goes without saying. Look under the hood: ask who actually staffs the mitigation desk and how they handled their last real attack, not just what the brochure says.
- Resources – DDoS attacks can go on for days. A 1-2 person shop isn’t going to be effective in this situation. Look for a vendor with a resource pool to sustain 24/7 remediation work.
- Credit Union Knowledge – Partnering with a vendor who understands your industry yields far superior engagements because you can speak the same language. Your vendor should be able to understand your business processes and help you to identify areas of weakness in your impact analysis and then design a solution based upon your risk assessments.
Considering that while you read this post, 4,263,291 unauthorized packets knocked on your firewall door, I’d say you need to get moving (yes, I made that number up – but who knows, it could be higher).
For more information on DDoS/Cyber-Threats, download a courtesy copy of our eBook.