How to defend against DDoS attacks by checking Point

Since the beginning of last year, international financial institutions have been plagued by distributed denial of service (DDoS) attacks, many of which were initiated by an organization named QCF, the most notable attack was initiated at the beginning of this year against financial institutions in the United States, codenamed "swallow action" (Operation Ababil). Recently, the organization published weekly updates in Pastebin, reiterate its motivation for launching the swallow action and summarize its impact.

In addition to QCF, many hacker groups are also scrambling to launch DDoS attacks. The target is often a financial service organization that focuses on attacking its website forms and content. In addition, some DDoS attacks become "advanced" Multi-vector versions, combining DDoS with account tampering and fraud techniques to bring greater damage.

The above example shows that in the past year and a half, the frequency and Tactics of DDoS hacking activities have continuously increased. Recent cases show that banks of different sizes are facing different forms of DDoS attacks, these include traditional SYN attacks, DNS flood attacks, DNS amplification attacks, and attacks against the application layer and content. DoS attacks targeting SSL-encrypted Web page resources and content are even more severe. In some cases, hackers may use a hybrid form of attacks, and use an application layer method that is difficult to block, combined with "Low Cost" and large volumes, however, you can use a simple method to filter and block attacks.

To cope with malicious activities at this level, the Chief Information Officer, Chief Information Security Officer, and their team need to deploy a comprehensive defense solution and adopt a comprehensive set of defense tools, this Service integrates security technologies deployed in the company and cloud-based cleaning services. In addition, they also need to consider collecting and releasing intelligence and support a comprehensive DoS mitigation policy.

Check Point Software Technology Limited recommends Financial InstitutionsThe following measures should be taken into account when formulating anti-DDoS policies::

Use data cleansing service or similar cleaning suppliers to deal with large volumes of depletion attacks

DDoS attacks that reach 80 Gbit/s are no stranger. In some cases, they can even reach 300 Gbit/s. Only a few organizations can have bandwidth to cope with such attacks. In the face of such a large-scale DDoS attack, enterprises should first consider using cloud-based cleaning suppliers to manage their network traffic and help remove malicious data packets from the data stream. These suppliers have the required tools and sufficient bandwidth, so they can be used as the first line of defense against massive depletion attacks, so that DDoS attacks can stop on the cloud, the conventional business data flow can pass through the network smoothly.

Uses specialized DDoS defense devices to identify, isolate, and fix attacks.

In view of the increasing complexity of DoS attacks and the combination of large numbers of attacks and application attacks, enterprises need to adopt a comprehensive approach to combat multiple types of attacks. To effectively defend against multi-vector attacks that combine applications and "low-and slow" attacks, we must make full use of the dedicated defense devices deployed in the company, firewalls and intrusion defense systems are crucial in mitigating DDoS attacks. DDoS security defense devices build an additional protective layer to identify and intercept DoS activities in real time using dedicated technologies. Administrators can also set these internal security solutions to communicate with cloud cleaning service providers and automatically route attacks when they are under attack.

Enterprises need to adjust the firewall to handle a large number of Connection Rates

In the case of DDoS attacks, the firewall will be a key network device. Administrators should adjust their firewall settings to identify and handle large volumes of depletion and application layer attacks. In addition, depending on the performance of the firewall, some protection functions can be activated to prevent DDoS attack packets and improve the firewall performance during the attack process.

Develop a set of methods and policies to protect applications against DDoS attacks

Security technology can effectively defend against DDoS attacks, but administrators also need to consider adjusting the Web server, modifying their own load balancing and content delivery policies, so as to ensure that the system gets the best normal operation time. In addition, you can also consider configuring to defend against multiple login attacks. Another method to defend against machine-initiated and automatic attacks is to add service details on the webpage, for example, asking the browser if they are interested in obtaining low interest rates or new product information, you must press "accept" or "No, thank you" to continue to the subsequent page.

In addition, content analysis is very important, which can easily ensure that there are no large number of PDF files blocking valuable host servers.

The above are some important measures to implement DDoS Mitigation policies. Enterprises must work with service providers and Internet Service Providers (ISPs. ISP must participate in and support these policies because DDoS attacks use the same network as financial institutions such as banks, while ISP supports these two types of data streams.

Intelligence collection and distribution are increasingly important to defending against DDoS attacks. This requires investigating data on the company's internal network and data on the network of other companies in the financial service industry.

Understanding hacker identities, motivations, techniques, and other information can help managers accurately predict and prevent attacks. The resolution of DDoS attacks can be based on the protocol (SYN, DNS, HTTP), the source of the attack data packet, the network that initiates and controls the attack, and the start and end time of the attack within one day. At present, this information sharing is limited to industry friendliness. The correct direction is to build an automation system. Different organizations can log on to a solution and study the associated raw log information, provides clues about ongoing or ended attacks. These systems can also be used to share attack intelligence and distribute protection.