The Canadian government’s DDoS defence tactics explained

We haven’t experienced the kind of outages and downtime in the public sector that have plagued the U.S. An analyst with Info-Tech Research draws some conclusions as to why


Here’s a headline we haven’t seen yet in Canada:  ‘Government Web site knocked offline by DDoS attack.’

We can safely dismiss the prospect of a major attack that hasn’t been reported—just imagine 10,000 Canadians trying to look for Employment Insurance information online and finding the Service Canada site down for six hours.

So, the intriguing question is ‘why?’

Either our government has been doing a bang-up job of securing its networks, or it’s just been lucky. Since we can’t really ask the hackers, we’d have to start looking for an answer by examining the government’s network security layers, what specific equipment it’s using, and so on. Not exactly information the government can readily provide.

The clean track record is surprising because even the much better funded and equipped U.S. government has fallen victim to such attacks. In 2012, the Department of Justice was sent reeling from an attack by the Anonymous hacker collective. The scale of the assault was simply too large to contain.

“When you look at something like the DOJ DDoS,” says James McCloskey, a senior consulting analyst at Info-Tech Research Group, “one of the problems that they faced was that the attacks were coming from such a large botnet.”

The sheer number of endpoints involved made it impossible to filter out the offending traffic. The only solution was to take the site offline for a few hours to repair the damage, he says. It was the best they could do, but still a victory for the hackers.

Canadian government sites seem like relatively soft targets by comparison. Perhaps Canada just doesn’t have very many enemies?

“My guess is it’s a combination of being somewhat lucky, somewhat under the radar, and having good partners,” says McCloskey.

Indeed, if a federal site gets hit by a DDoS attack, we won’t be able to criticize (or congratulate, depending on the response) the government alone. It couldn’t manage a DDoS prevention strategy in-house even if it wanted to. For large organizations connected to the Internet—and the federal government is the largest in the country—that task is largely left up to service providers. Better partners mean better security.

McCloskey says a DDoS attack puts a network in a position similar to that of a house downstream from a floodplain, with a dam (the ISP) controlling the water flow. “When there’s a heavy storm, and lots of rainwater and runoff is coming into your floodplain, the folks at the dam will reduce the flow.”

“Basically, the ISP is going to do DNS caching protection for you as well as providing [upstream protection],” he says. “The goal is to push that DDoS protection upstream so that the traffic never hits your site.”

Of course, government agencies have to do their share by identifying and reporting suspicious traffic. For an interesting glimpse at how they plan to respond to an attack, check out the online guide put out by Public Safety Canada, Mitigation Guidelines for Denial-of-Service Attacks.

The guide emphasizes maintaining good communication channels with ISPs, including backup lines, as well as understanding Service Level Agreements. It also reveals how the federal government would manage such a crisis, recommending that a series of people should be involved, not only IT security personnel, but also legal advisors and media relations staff.
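The "identifying and reporting suspicious traffic" step above is the one part of the plan an agency does on its own equipment, so here is an added illustration of it. This is example code written for this page, not code from the article, Info-Tech Research, or Public Safety Canada's guide. It assumes Apache/nginx combined-format access logs; the log lines, the IP addresses (taken from documentation ranges) and the 20-requests-per-10-seconds threshold are all constructed assumptions. It runs two checks: a per-source one that catches a single flooding host, and a site-wide one that catches a load spread across many hosts, which is the case McCloskey describes where per-source filtering stops working and the only useful response is to hand the numbers to the ISP.

```python
"""Spot abusive request rates in web server access logs.

Added example, not code from the article, Info-Tech Research, or Public
Safety Canada's guide. It assumes Apache/nginx combined-log-format lines;
every log line below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def peak_in_window(times, window):
    """Largest number of timestamps falling inside any interval of length `window`."""
    times = sorted(times)
    start = peak = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flag_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Per-source check: IPs that exceed `threshold` requests in any `window`.

    Returns {ip: {"peak": n, "total": n, "first_seen": ts, "last_seen": ts}},
    the details an ISP or upstream scrubbing partner would ask for.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in per_ip.items():
        peak = peak_in_window(times, window)
        if peak > threshold:
            flagged[ip] = {"peak": peak, "total": len(times),
                           "first_seen": min(times), "last_seen": max(times)}
    return flagged


def aggregate_peak(lines, window=timedelta(seconds=10)):
    """Site-wide check: peak request count in any `window`, regardless of source.

    A large botnet spreads load so that no single IP trips the per-source
    threshold; this figure, compared with what the site can absorb, is what
    justifies escalating to the ISP for upstream filtering.
    """
    times = [rec[1] for rec in map(parse_line, lines) if rec]
    return peak_in_window(times, window)


def make_sample_log():
    """Constructed log lines: one flooding host, one distributed burst, one normal visitor."""
    base = datetime(2013, 3, 1, 9, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset):
        ts = (base + offset).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET /ei/ HTTP/1.1" 200 5123'

    lines = []
    # 50 requests from one host in under 5 seconds (constructed)
    lines += [line("198.51.100.7", timedelta(milliseconds=100 * i)) for i in range(50)]
    # 30 hosts sending 2 requests each within 3 seconds (constructed)
    for i in range(30):
        for k in range(2):
            lines.append(line(f"203.0.113.{i + 1}", timedelta(seconds=20 + 0.1 * i + 0.05 * k)))
    # a normal visitor, one request a minute (constructed)
    lines += [line("192.0.2.10", timedelta(seconds=40 + 60 * i)) for i in range(3)]
    lines.append("this line is not in combined format")  # exercises the parser's None path
    return lines


def report(lines):
    """Plain-text summary in the form you would hand to the ISP contact."""
    flagged = flag_sources(lines)
    out = [f"site-wide peak: {aggregate_peak(lines)} requests / 10 s"]
    for ip, d in sorted(flagged.items()):
        out.append(f"{ip}: {d['peak']} requests / 10 s, {d['total']} total, "
                   f"{d['first_seen'].isoformat()} to {d['last_seen'].isoformat()}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(make_sample_log()))
```

On the constructed sample, the per-source check flags only the single flooding host; the thirty hosts sending two requests each stay under the threshold individually, yet together they produce the higher site-wide peak. That gap between the two checks is the practical reason the guide puts so much weight on ISP contacts and SLAs: the figures in the report are what you escalate, because filtering the distributed case yourself is exactly what the DOJ could not do.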

Sounds like a good enough plan. But the mention of the media is a pretty clear indication that the government is preparing for "damage control" that goes beyond just repairing its network after a DDoS attack. Whenever security is breached at a public institution, the public demands answers. Whether our government is escaping DDoS attacks because of good partners or good luck, it needs its winning streak to continue.

Learn more about DDoS by watching our video series, ‘Emerging IT and network vulnerabilities – A better approach for managing risk.’
