DDoS Stress Testing for Increased Resiliency

You’ve heard of DDoS, right? In short, DDoS stress testing is a service that shows your organization how well prepared it is for the different DDoS attack vectors that, unfortunately, may come your way. The service consists of simulated DDoS attacks or high load against your IT infrastructure, carried out in a strictly controlled and pre-scheduled manner. What you get is a detailed report of the network and server issues that affect your DDoS resiliency, together with remediation and mitigation advice on how to harden your DDoS mitigation solution, or how to implement one if you don’t have it yet.

WHY WOULD YOU PROCURE DDoS STRESS TESTING?

Today, DDoS is as easy to inflict on a victim as ordering a pizza online, and it is cheap and effective too. By stress testing your IT infrastructure, you can identify and plan for mitigating DDoS-related issues before real attacks happen and harm you. You will also gain insight into your incident response procedures and improve them, or simply gain better control over a DDoS mitigation solution you already have. If you are looking to purchase such a solution, stress testing can help you choose the right vendor for the job.

HOW DOES IT WORK?

The stress testing process usually starts with a verification and customization procedure. Real DDoS attack vectors are then pointed at the organization’s public-facing IT infrastructure, either from the outside (real-life scenario) or in a closed environment (on-premise simulation). The simulations should cover all applicable layers of the OSI model, be controlled in fine-grained increments, and have a “Stop” capability available at all times. The process must be supervised at all times by a support member from the service provider and a representative of the tested organization.

PLACE IN THE SECURITY PROCESS

Confidentiality, integrity, and availability, known as the CIA triad (or the AIC triad, for those who want to avoid association with a certain intelligence agency), are at the heart of information security and work together to keep your data and systems secure. It is wrong to assume that one part of the triad is more important than another: every IT system requires a different prioritization of the three, depending on the data, the user community, and how quickly the data must be accessible. The opposing forces to the triad are disclosure, alteration, and destruction: disclosure is the unauthorized release of information, alteration is the unauthorized modification of data, and destruction is making systems or data unavailable.


Availability keeps information accessible when it is needed; all systems must be usable (available) for business-as-usual operation. The typical availability attacks are Denial of Service (DoS) and Distributed Denial of Service (DDoS), whose aim is to deny the service (the availability) of a system. Stress testing is how you become prepared for, and informed about, the weaknesses of your systems against DDoS attacks.

WHAT COVERAGE OF STRESS TESTING DO YOU NEED?

Determining the readiness of your organization’s IT infrastructure for DDoS attacks through stress testing must cover all known attack vectors and possible sources. Remember, DDoS today is cheap and effective, so the testing method and approach must have the following characteristics:

  • Attack vectors simulating floods generated by real known botnets;
  • Volumetric attacks with unlimited size and adjustable increments;
  • Service-centric selection of floods on the Application layer;
  • Flexible attack timing and combined vector capability;

The attack scope is very important: it must (i.) be able to expose at least the fundamental weaknesses of the target servers and (ii.) comply with your security policies and strategy.

A good stress testing vendor will have the expertise and capacity to employ a wide variety of attack vectors, including, but not limited to:

  • Application layer (HTTP/HTTPS): various methods and combinations (GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT, OPTIONS, PATCH, etc.), various attacks on the WebDAV protocol, HTTP Fragmentation, various types of Excessive Verb (HTTP/HTTPS GET Flood), Excessive Verb – Single Session, Multiple Verb – Single Requests, Recursive GET, and Random Recursive GET;
  • Low-and-slow attacks: Slow Session Attacks, Slow Read Attacks, and Slowloris;
  • IP and TCP protocol attacks: SYN-ACK Floods, ACK or ACK-PUSH Floods, Fragmented ACK Floods, RST/FIN Floods, Same Source/Destination Floods (LAND Attack), Fake Session Attacks, IP NULL/TCP NULL Attacks, and TOS Floods;
  • UDP and ICMP floods: UDP Floods, UDP Fragmentation, ICMP Floods, ICMP Fragmentation Floods, and Ping Floods;
  • Service floods and reflection: DNS Floods, NTP Floods, Smurf/Fraggle Attacks, and various other Amplified (Reflective) attacks;
  • Various Specially Crafted Packets, etc.
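To make the vector list above concrete from the defender’s side, here is an added example (not the page’s or any vendor’s tooling) that labels simple flow records with several of the vectors named above and reports the ones that exceed a per-destination packet rate in a given second. The record format, the constructed sample traffic, the RFC 5737 documentation addresses and the packets-per-second threshold are all assumptions made for this illustration; real thresholds come from the agreed test plan and your baseline traffic.

```python
"""Rate-based classifier for several of the DDoS vectors listed above.

Added example, not the vendor's tooling. The flow-record format, the sample
records and the packets-per-second threshold are all assumptions.
"""
from __future__ import annotations

from collections import Counter

# Record format (assumed): "ts src dst proto flags frag"
#   ts    - whole second in which the packet was seen
#   flags - TCP flag letters (S,A,P,R,F,U), ICMP type number, or '-' for none
#   frag  - 1 if the packet is an IP fragment, else 0
TCP_VECTORS = {
    "SA": "SYN-ACK Flood",
    "A": "ACK Flood",
    "PA": "ACK-PUSH Flood",
    "R": "RST Flood",
    "F": "FIN Flood",
    "": "TCP NULL Attack",   # no flags set at all
}

VICTIM = "203.0.113.10"      # documentation address used for the constructed sample


def classify(rec: str) -> tuple[int, str, str]:
    """Map one record to (ts, dst, vector name)."""
    ts, src, dst, proto, flags, frag = rec.split()
    flags = "" if flags == "-" else flags
    fragmented = frag == "1"
    if src == dst:                       # a single such packet is already malformed
        return int(ts), dst, "LAND Attack"
    if proto == "TCP":
        if fragmented and "A" in flags:
            return int(ts), dst, "Fragmented ACK Flood"
        return int(ts), dst, TCP_VECTORS.get(flags, f"TCP {flags} Flood")
    if proto == "UDP":
        return int(ts), dst, "UDP Fragmentation" if fragmented else "UDP Flood"
    if proto == "ICMP":
        if fragmented:
            return int(ts), dst, "ICMP Fragmentation Flood"
        return int(ts), dst, "Ping Flood" if flags == "8" else "ICMP Flood"
    return int(ts), dst, f"{proto} Flood"


def detect(records: list[str], threshold_pps: int) -> list[tuple[int, str, str, int]]:
    """Return (ts, dst, vector, packets) for every vector whose per-destination
    rate in one second reaches threshold_pps. LAND packets are reported
    regardless of rate."""
    counts: Counter[tuple[int, str, str]] = Counter()
    for rec in records:
        counts[classify(rec)] += 1
    findings = []
    for (ts, dst, vector), n in sorted(counts.items()):
        if vector == "LAND Attack" or n >= threshold_pps:
            findings.append((ts, dst, vector, n))
    return findings


def sample_records() -> list[str]:
    """Constructed traffic: a SYN-ACK flood in second 1 from many sources, a
    UDP fragmentation flood in second 2, one LAND packet, and a trickle of
    legitimate ACK-PUSH packets that must not be reported."""
    recs = [f"1 198.51.100.{i % 250 + 1} {VICTIM} TCP SA 0" for i in range(60)]
    recs += [f"2 192.0.2.{i % 250 + 1} {VICTIM} UDP - 1" for i in range(40)]
    recs.append(f"1 {VICTIM} {VICTIM} TCP S 0")
    recs += [f"{t} 192.0.2.77 {VICTIM} TCP PA 0" for t in (1, 1, 2, 2, 3)]
    return recs


if __name__ == "__main__":
    # With real traffic the threshold would be far higher than 30 pps.
    for finding in detect(sample_records(), threshold_pps=30):
        print(finding)
```

The point of the per-second, per-destination counting is that the same flag combination (an ACK-PUSH, say) is normal traffic at low rate and a flood at high rate, while a LAND packet is malicious on its own; a classifier that looks only at packet shape would either miss the floods or drown the operator in false positives.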

INTERNAL vs. EXTERNAL TESTING

From a risk management point of view, establishing perimeter resilience to DDoS attacks requires proper identification and listing of the assets under threat, followed by an assessment of the critical assets’ vulnerability. Generally, DDoS stress testing is performed either externally or internally.

As the name suggests, the external approach simulates a DDoS attack by deploying resources that are very close in nature to a real-life attack, i.e. originating from the Internet. The attacking “botnet” is simulated from a stress testing cloud platform. The maximum volume of the simulated attacks must be discussed with the client and agreed upon before the tests start. A typical topology for external tests, including a sample legitimate client (a machine used to perform availability tests), looks like this:

[Diagram: typical external testing topology]

In contrast to external testing, internal DDoS stress testing performs the simulation from a location within the perimeter of the client network. Flood traffic is generated internally and pointed at resources that are usually part of a purpose-built test environment. Displayed below is a typical network topology for internal testing, where the Internet is simulated by a local network that includes segmented test targets and a simulated legitimate client PC:

[Diagram: typical internal testing topology]

When performing DDoS stress testing, it is imperative that a detailed test plan is made available in advance and pre-approved by all parties involved. All tests must be performed in stages, with every stage lasting long enough to run an availability test and measure the approximate download speed from the target server by connecting to it from the simulated client PC. Tests must be designed so that they can be stopped at any time and at any stage on your request. It is highly recommended not to run the tests against the production environment, because their behavior and possible after-effects depend on the specific settings of the target servers.
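The staged procedure above leaves open what the simulated legitimate client actually measures and when the “Stop” capability should be invoked. The following is an added example of such a client-side probe (not the page’s or any vendor’s tooling): it samples availability, latency and download speed of a fixed-size object from the target during a pre-test baseline and during each stage, and compares the two. The target URL, the local stand-in server used so the script runs offline, and the three limits (20% errors, 3x latency, 50% of baseline throughput) are assumptions; the real limits belong in the pre-approved test plan.

```python
"""Availability probe for the simulated legitimate client during a staged DDoS test.

Added example, not the page's or any vendor's tooling. It assumes the target
exposes an HTTP URL serving a fixed-size object; the thresholds and the local
stand-in server are illustrative assumptions.
"""
from __future__ import annotations

import http.server
import statistics
import threading
import time
import urllib.request
from dataclasses import dataclass


@dataclass
class Sample:
    ok: bool                # request completed with a full response body
    latency_s: float        # wall-clock time for the whole request
    throughput_bps: float   # bytes per second for the download (0.0 on failure)


def probe(url: str, timeout: float = 5.0) -> Sample:
    """One availability check from the legitimate-client vantage point."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
    except Exception:  # timeouts, resets, 5xx: all count as "not available"
        return Sample(False, time.monotonic() - start, 0.0)
    elapsed = max(time.monotonic() - start, 1e-9)
    return Sample(True, elapsed, len(body) / elapsed)


def run_stage(url: str, duration_s: float, interval_s: float = 1.0) -> list[Sample]:
    """Probe repeatedly for the agreed stage duration and keep every sample."""
    samples: list[Sample] = []
    deadline = time.monotonic() + duration_s
    while True:
        samples.append(probe(url))
        if time.monotonic() >= deadline:
            return samples
        time.sleep(interval_s)


def evaluate_stage(baseline: list[Sample], stage: list[Sample], *,
                   max_error_ratio: float = 0.2, max_latency_factor: float = 3.0,
                   min_throughput_ratio: float = 0.5) -> tuple[bool, str]:
    """Compare one stage with the pre-test baseline.

    Returns (stop, reason). stop=True means the operator should invoke the
    agreed "Stop" capability instead of escalating to the next stage. The
    three limits are assumed values; agree on real ones in the test plan.
    """
    base_ok = [s for s in baseline if s.ok]
    if not base_ok:
        raise ValueError("baseline has no successful samples; target was never available")
    if not stage:
        return True, "no samples were taken during the stage"
    stage_ok = [s for s in stage if s.ok]
    error_ratio = 1.0 - len(stage_ok) / len(stage)
    if not stage_ok or error_ratio > max_error_ratio:
        return True, f"error ratio {error_ratio:.0%} exceeds {max_error_ratio:.0%}"
    base_lat = statistics.median(s.latency_s for s in base_ok)
    stage_lat = statistics.median(s.latency_s for s in stage_ok)
    if stage_lat > max_latency_factor * base_lat:
        return True, f"median latency {stage_lat:.3f}s is over {max_latency_factor}x baseline {base_lat:.3f}s"
    base_tp = statistics.median(s.throughput_bps for s in base_ok)
    stage_tp = statistics.median(s.throughput_bps for s in stage_ok)
    if stage_tp < min_throughput_ratio * base_tp:
        return True, f"median download speed dropped to {stage_tp / base_tp:.0%} of baseline"
    return False, "within agreed limits"


class _FixedObject(http.server.BaseHTTPRequestHandler):
    """Local stand-in for the target server: always returns a 64 KiB object."""
    BODY = b"x" * 65536

    def do_GET(self) -> None:
        self.send_response(200)
        self.send_header("Content-Length", str(len(self.BODY)))
        self.end_headers()
        self.wfile.write(self.BODY)

    def log_message(self, *args) -> None:  # keep the demo output quiet
        pass


if __name__ == "__main__":
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FixedObject)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/object"
    baseline = run_stage(url, duration_s=2, interval_s=0.2)   # before any flood
    stage1 = run_stage(url, duration_s=2, interval_s=0.2)     # run while stage 1 floods the target
    print(evaluate_stage(baseline, stage1))
    server.shutdown()
```

Medians rather than means are used on purpose: a flood that causes a handful of very slow responses should show up in the error ratio, not skew the latency figure, and a stage whose only problem is one outlier should not trigger a stop.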

Outsourcing Your Internal Audit Function May Be a Viable Proposition

According to The Institute of Internal Auditors,

internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

OUTSOURCING?

Today, you can outsource almost everything, including your internal audit function. There are two scenarios to consider: outsourcing and co-sourcing. With pure outsourcing, you get a comprehensive service in which the entire function is performed by the service provider, with a focus on risk. With co-sourcing, the work is shared; you would usually choose it when you need assistance with, say, non-routine engagements that require deeper experience and expertise.

By outsourcing your internal audit function, you gain a number of results that are otherwise hard to obtain. Your organization is evaluated in a more independent and unrestricted manner, so management receives more objective and unbiased assistance and advice. You also gain a new level of assurance and risk coverage, and you will probably be able to reduce costs in both the short and the long run. If you want to align organizational governance with risk and compliance, and to proactively identify and manage emerging risks, you may want to consider outsourcing. Last, but not least, you may be able to free up some of your people for other, more important tasks.

KNOWLEDGE TRANSFER

Outsourcing is well suited to situations where a broader skill set and deeper industry specialization are needed. You receive additional intellectual capital in the form of insights and recommendations on leading practices, delivered through access to leading-edge tools and methodologies. All of this effectively transfers new knowledge and builds new capabilities into your company.

IS INTERNAL AUDIT OUTSOURCING NECESSARY?

There is quite a debate over the pros and cons of outsourcing the internal audit function. The concerns mainly stem from the risk, responsibility, and reliability issues connected with the choice of external consultants, and that is exactly how it should be. A good team addresses these concerns by providing, and fulfilling, a checklist of things to demand from an outsourced internal audit arrangement, where:

  • All objectives are clearly defined;
  • The scope of the service will be transparent;
  • The expertise level needed will be properly identified;
  • You would be able to review and agree on the performance metrics;
  • Together you will be able to plan for and establish who does what for remediation and follow up;
  • You get assistance to create your own quality assurance and improvement programs;
  • Clear rules are defined for deliverables, i.e. what happens to the work papers when the service terminates;
  • You remain in control and can limit, if applicable, the work your vendor may do for your competitors.

With the right people, methodologies, and technologies, the process and the professionals involved in the outsourcing should represent a true and objective alternative to an in-house solution. Through a business-minded approach and cost-efficiency, the service company you hire should become your business’s partner in risk.

THE PROCESS

A typical outsourced internal audit project will have five phases:


  • Selection – organization-wide or pre-selected area/project risk assessment to define audit surface and objective;
  • Planning – gather relevant information, stipulate chain of command/reporting, and draft plan with scope and timing;
  • Execution – fieldwork commences, with regular status meetings to discuss observations, potential findings, and recommendations;
  • Reporting – communicate draft and final report of findings, conclusions, and recommendations;
  • Follow-Up – on findings and approved remediation action plans; and re-audit where applicable.

WHAT TO LOOK FOR IN TERMS OF PRICING

The costs for an outsourced internal audit service will depend on the size, project complexity, and the industry sector of your company. Based on an initial and ongoing assessment, the vendor should provide flexible, tailored pricing to achieve and maintain internal audit standards.

The pricing philosophy should be based on affordability and maximum value for money. Depending on your company’s need for internal audit involvement, and the complexity of one-time or ongoing projects, look for a vendor that will devise the most cost-effective plan to make sure your business model is adequately protected.