Response to DDoS attacks

Integrity Solutions has been closely monitoring the Distributed Denial of Service (DDoS) attacks on certain Government websites since the incident was announced earlier this week. While no major damage appears to have been done to the websites targeted (Justice.ie and Finance.gov.ie), we feel it is critical that other Irish websites, especially those of other Government departments, are aware of the potential ongoing risk to their organisations.

To this end, Integrity Solutions would like to advise our clients that there are practical steps your organisation can take to reduce the impact of conventional denial of service attacks (in line with the recommendations of IRISS CERT).

  • Conduct a risk assessment of your own website and infrastructure to determine whether you could be a potential target.
  • Ensure your systems are fully patched. This includes your firewalls, operating systems, web server software and the web application software on your site.
  • Review all your firewall rules and ensure they are up to date and correct.
  • Ensure that logging is enabled to record key events and that you are actively monitoring your logs for suspicious activity. Be aware, however, that the volume of logs generated during a DDoS attack can increase CPU and disk utilisation considerably, so make sure your systems have sufficient capacity to record them without the logging itself becoming a point of failure.
  • Give consideration to deploying DDoS mitigation tools.
  • Ensure all your passwords are strong and are not re-used across multiple systems.
  • If you have Intrusion Detection Systems (IDS) in place, ensure they are configured, working properly and being monitored.
  • Have your incident response plan close by in the event that you are impacted.
  • Perform, at a minimum, some form of vulnerability scan or, better, a penetration test on sensitive web-facing services.
  • Restrict access to local or domain administrative privileges.
  • Whitelisting: enforce a list of “allowed” applications.
  • Consider enabling GeoIP blocking if your firewall infrastructure supports it (this functionality can be used to drop traffic from specific countries). Note that this is a coarse control: botnet traffic is usually spread across many countries, and dropping a country's traffic also blocks any legitimate users located there.

The endpoint-focused measures above (restricting administrative privileges and application whitelisting) can be implemented gradually, starting with the computers used by the employees most likely to be targeted by intrusions and eventually extending to all users. Once this is achieved, organisations can selectively implement additional mitigation strategies based on the risk to their information.
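As an added illustration of the log-monitoring recommendation above (this script is an editorial example and is not part of Integrity Solutions' or IRISS CERT's guidance), the following Python script parses web server access-log lines in the common Apache/nginx "combined" format and reports any source IP whose request rate exceeds a threshold within a sliding time window. The log lines are constructed samples, and the window size and threshold are hypothetical values that a real deployment would tune against its own baseline traffic.

```python
"""Flag source IPs whose request rate in a web server access log looks like a flood.

Added example, not from the advisory. The log lines below are constructed
samples in Apache/nginx "combined" format; the window and threshold are
hypothetical values to be tuned against real baseline traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the leading fields of a combined-format access log line:
# <ip> <ident> <user> [<timestamp>] "<request>" <status> <size> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 01/Feb/2012:10:00:00 +0000

# Constructed sample: 10.0.0.5 sends 8 requests in 4 seconds, two other hosts
# browse normally, and one line is deliberately unparseable.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Feb/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Feb/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Feb/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Feb/2012:10:00:02 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Feb/2012:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Feb/2012:10:00:02 +0000] "GET / HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Feb/2012:10:00:03 +0000] "GET / HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Feb/2012:10:00:03 +0000] "GET / HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Feb/2012:10:00:04 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Feb/2012:10:00:30 +0000] "GET /contact HTTP/1.1" 200 1024',
    'garbage line that does not parse',
    '198.51.100.7 - - [01/Feb/2012:10:00:45 +0000] "GET /about HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def flood_sources(lines, window_seconds=10, threshold=5):
    """Return ({ip: peak_requests}, malformed_count).

    An IP is reported when it sent more than `threshold` requests inside any
    sliding window of `window_seconds`. The count of lines that failed to
    parse is returned too: a sudden rise in malformed lines is itself a sign
    that the logging pipeline is under strain.
    """
    stamps_by_ip = defaultdict(list)
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        stamps_by_ip[rec["ip"]].append(rec["ts"])

    window = timedelta(seconds=window_seconds)
    offenders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak = 0
        start = 0
        # Sliding window: move `start` forward until the span is shorter than the window.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders, malformed


if __name__ == "__main__":
    offenders, malformed = flood_sources(SAMPLE_LOG)
    for ip, peak in sorted(offenders.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {peak} requests in a 10s window")
    print(f"malformed lines: {malformed}")
```

Two points worth noting when reading this. First, the script keeps every timestamp per source IP in memory, which is fine for a sample but grows without bound under a real flood; that is precisely the capacity concern raised in the logging recommendation, and a production version would aggregate into fixed per-window counters or hand the stream to a tool built for it. Second, source addresses in a flood may be spoofed or belong to thousands of compromised hosts, so a list of noisy IPs is a starting point for investigation and upstream filtering requests, not a complete block list.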
An important point to keep in mind when addressing a DDoS attack is that filtering at the target is not, on its own, the best option. Whether it is a firewall or a border router that drops the offending packets, those packets have already consumed your inbound bandwidth by the time they reach that device, so legitimate traffic is still delayed or lost. To truly alleviate the effects of a DDoS flood, the traffic has to be blocked higher up the chain, typically on a device under a large provider's control. This means that many of the products that claim to prevent DDoS attacks are of little use against a bandwidth flood on a smaller network, although on-premises filtering can still help against lower-volume application-layer attacks that exhaust server resources rather than the link.

If you have any questions in relation to the information and recommendations above or would like to speak to one of our security consultants please don’t hesitate to contact your account manager directly on +353 (0)1 2934027.