
Public sector bodies need to defend proactively against distributed denial of service attacks, writes Omer Yoachimik, senior product manager for DDoS protection and security reporting at Cloudflare
Distributed denial of service (DDoS) attacks pose a serious threat to the public sector. They have the capacity to cause serious disruption to internet services, stalling networks, taking down websites and making it impossible for employees and the public to access systems.
They are also becoming more frequent: DDoS attacks against the UK public sector increased by 38% in 2024, outpacing the growth in overall internet traffic, and over 12% of HTTP requests to UK government websites were malicious, compared with 9% in 2023.
Their intent is not always clear, but there has been evidence of attacks coming from malicious actors overseas who wish to undermine the governments of Western countries. Last year the National Cyber Security Centre (NCSC) issued an advisory notice in response to a company with links to China’s government staging a worldwide botnet attack.
All this is creating the need for a clear strategy to defend against DDoS attacks over the long term.
Key features
The topic provided the basis for a recent UKA Live discussion, staged with Cloudflare, between myself, Kurt Frary, chief technology officer at Norfolk County Council, and UKAuthority research director Helen Olsen Bedford. It highlighted key features in the nature of the threat and how the sector can respond.
We began with the basics: a DDoS is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming it, or its surrounding infrastructure, with a flood of internet traffic. The traffic comes from a large number of remotely controlled computers and other devices infected with malware (a botnet), which simultaneously send more HTTP requests or DNS queries than the target can handle. Many attacks last only a short time – perhaps around a minute – but arrive with such force that they can cause significant damage before they are even detected.
Sometimes they are carried out purely to cause disruption; at other times as a distraction, giving threat actors an opportunity to break into systems while the victim's IT team is preoccupied with repairing the damage from the initial attack. And sometimes, while an attack is under way, it is not at all clear which of these it is.
Generating a simple DDoS attack is relatively easy and the barrier to entry is low. A more sophisticated attack, in which the DDoS is used as a smokescreen for an intrusion, usually requires an additional set of skills and a team with the knowhow and infrastructure to coordinate across multiple vectors.
Advances in AI make it easier for threat actors to develop ways of staging attacks. One approach is to ask a generative AI tool for a script to load test a website, then abuse that script to stage an attack, sending tens of thousands of requests per second from virtual machines.
Overall, the threat is set to become more complex and intense, and demands a series of proactive defensive measures.
Framework for resilience
The NCSC provides a strong central source of guidance, and its Cyber Assessment Framework (CAF) has found favour in the public sector as a tool for cyber resilience. It brings together much of the guidance in one place and enables organisations to understand their risk profile, cover all the relevant points and have an honest discussion about cyber threats at board level. Kurt spoke highly of the version tailored for local government by the Ministry of Housing, Communities and Local Government and its usefulness for the sector.
There are measures internal IT teams can take, such as assessing how much traffic in-house servers can handle, setting firewall rules to rate limit and filter network traffic, and running DDoS simulations. Non-security features can also contribute, such as effective caching (so that repeated requests are answered without reaching the origin server) and maintaining up-to-date runbooks describing systems, their dependencies and the steps to take. Together these add multiple layers of protection in-house.
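As an added illustration of the per-source rate limiting mentioned above (this is example code written for this page, not code from the article, Cloudflare or any product), the block below runs a constructed access log through a token-bucket limiter keyed on client IP and reports which sources would be throttled. The log lines, the IP addresses (taken from the RFC 5737 documentation ranges) and the bucket sizes are all assumptions for the demonstration; the thresholds are not recommended values and a real deployment would measure its own traffic first.

```python
"""Per-source token-bucket rate limiting over a constructed HTTP access log.

Added example, not from the original article. The traffic is generated inline
so the script runs offline; capacity and refill rate are illustrative guesses.
"""
from collections import defaultdict

# Constructed sample log: (timestamp in seconds, client IP, request line).
# 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = []
# A normal client: one request every two seconds for 20 seconds.
for t in range(0, 20, 2):
    SAMPLE_LOG.append((float(t), "198.51.100.7", "GET /council-tax HTTP/1.1"))
# A normal client with a short, legitimate burst: six requests in 0.5 s.
for i in range(6):
    SAMPLE_LOG.append((5.0 + i / 10.0, "198.51.100.23", "GET /bins HTTP/1.1"))
# A flood source: fifty requests in half a second.
for i in range(50):
    SAMPLE_LOG.append((i / 100.0, "203.0.113.9", "GET /search?q=%d HTTP/1.1" % i))
SAMPLE_LOG.sort(key=lambda rec: rec[0])


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at `rate` per second."""

    def __init__(self, capacity, rate, now):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)  # a new source starts with a full bucket
        self.last = now

    def allow(self, now):
        # Refill in proportion to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit(log, capacity=10, rate=2.0):
    """Run every request through its source's bucket.

    Returns {ip: (allowed, dropped)}. `capacity` is the burst each source may
    send at once; `rate` is the sustained requests per second it may keep up.
    """
    buckets = {}
    counts = defaultdict(lambda: [0, 0])
    for ts, ip, _request in log:
        bucket = buckets.get(ip)
        if bucket is None:
            bucket = TokenBucket(capacity, rate, ts)
            buckets[ip] = bucket
        counts[ip][0 if bucket.allow(ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


def flagged_sources(stats, max_drop_ratio=0.5):
    """Sources whose dropped share exceeds the ratio: candidates for a temporary block."""
    return sorted(
        ip for ip, (allowed, dropped) in stats.items()
        if allowed + dropped and dropped / (allowed + dropped) > max_drop_ratio
    )


if __name__ == "__main__":
    result = rate_limit(SAMPLE_LOG)
    for ip, (allowed, dropped) in sorted(result.items()):
        print("%-15s allowed=%3d dropped=%3d" % (ip, allowed, dropped))
    print("flag for blocking:", flagged_sources(result))
```

With the assumed settings the steady client and the bursty-but-honest client are never throttled, because a burst of six fits inside the bucket's capacity of ten, while the flood source gets its first ten requests through and the remaining forty dropped. The same two parameters, burst size and sustained rate, are what a firewall or reverse proxy rate-limit rule asks for, so a prototype like this is a cheap way to sanity check them against real access logs before turning the rule on.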
But DDoS attacks are themselves cloud based and widely distributed, and most public sector organisations now run platforms and applications spread across the cloud, so it makes sense to use a cloud based defence rather than trying to do it all on-premise. Services such as Cloudflare's DDoS protection provide the capacity, and the expertise, to keep up to date with how DDoS attacks are changing.
The Cloudflare service currently draws on around 350 Tbps of network capacity and can mitigate attacks on networks, web applications and data centres by absorbing malicious traffic without slowing down the customer’s performance.
It involves monitoring the client's website IPs, or the Cloudflare IPs to which its websites resolve, from data centres worldwide (the network is anycast, so each attacking node is routed to its nearest Cloudflare data centre), so that wherever the botnet nodes initiating an attack are located, the traffic is mitigated close to its source and the client continues to serve its local users from Cloudflare's local data centres.
Need to configure
It is important to note that such a service has to be configured correctly, as there are always small differences in how web applications and services are set up and used. This means working closely with the vendor to analyse the details and prepare for the worst case scenario.
Sharing intelligence on threats and best practice is also important. Although organisations are understandably cautious about sharing what they are doing in public, sources such as the NCSC and WARPs (Warning, Advice and Reporting Points) provide forums for doing so securely.
The outlook is that cyber attackers, whether they be criminal gangs, 'script kiddies' or sophisticated state backed actors, are going to remain highly active; but there is the scope to keep the threat in check.
As Frary stated: “I think this sort of attack will become the norm, always in the background, and if you don’t take the right steps to protect against them you will pay the price. But the reality is that the tools will get better and better, and as long as you have them in place you can mitigate against it.”
Watch the full discussion below or access further info and resources:
- Project Galileo - free cyber security protection from Cloudflare providing robust security to 2,900+ vulnerable internet properties across human rights, civil society, journalism and democracy that are targeted by DDoS and other cyber attacks
- Cyber Assessment Framework for local government (Ministry of Housing, Communities and Local Government)
- Cloudflare's 2024 latest threat report: https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/
- Cloudflare DDoS protection: https://www.cloudflare.com/en-gb/ddos/