NCSC issues DoS guidance following Wikipedia attack

DoS mockup

Following a "major DDoS attack" on Wikipedia causing the site to go down globally on Saturday, the National Cyber Security Centre (NCSC) has issued guidance to businesses, large and small, on how to prepare for and mitigate denial of service (DoS) attacks.

The cyber security arm of GCHQ indicates that having a full understanding of what causes a site's outage is important as there are many different ways websites can be knocked offline. Some can be malicious attacks but it can also be due to unforeseen traffic being directed to a site following a successful social media post, for example.

It said a minimal DoS response plan should be in place in any business that operates on the Web. Depending on the size of the business, service outages can be hugely expensive - service downtime is estimated to cost 2,140 per minute, according to recent figures.

A minimal response plan consists of four parts: confirming that the incident is an attack, understanding the nature of the attack, deploying mitigations and recovering.

If a business is confident it is actually under attack and not just experiencing unusually high legitimate traffic, the NCSC advises to contact ActionFraud, a 24/7 cyber reporting service for businesses as the police and the NCSC can't often respond in real-time.

Understanding the nature of the attack is important as it will dictate the way businesses should respond. For example, understanding which IP address is under attack means it can be possible to restrict access to that domain in order to restore other services.

Making these kinds of changes should always be logged, the body said, so that the business can return to a known state once the attack is over.

Although distributed denial of service (DDoS) attacks don't usually last more than three hours, it's not uncommon for attacks to come in bursts, so a business should be wary of the attacker coming back before making a full recovery.

"It is not possible to fully mitigate the risk of a denial of service attack affecting your service, but there are some practical steps that will help you be prepared to respond," said the NCSC.

Wikipedia confirmed on Saturday that the site was downed for users worldwide due to a malicious attack in several countries. Microsoft's Xbox Live gaming service also experienced major outages on the same day, although no connection between the two has been established.

The attack caused around nine hours of intermittent global outages according to Netblock, an internet security monitoring firm.

See more

"Luckily a DDOS attack on a website may be nothing more than an inconvenience, but it could spell more trouble should threat actors believe they are a weak or easy target for future attacks," said Jake Moore, cyber security specialist at ESET.

"The most important way to respond to a DDoS is to strengthen security where possible and plug any gaps that may be currently open."

Due to it being one of the most popular sites in the world, Wikipedia has a tendency to attract bad actors, according to a Wikimedia Foundation blog post.

"We condemn these sorts of attacks," it said. "They're not just about taking Wikipedia offline. Takedown attacks threaten everyone's fundamental rights to freely access and share information. We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone."

To be fully prepared for a DoS-related outage, businesses should ensure their operations are scalable so in the event that a massive spike in traffic does hit the site, the infrastructure can automatically account for it and assign greater resources to accommodate it, according to the NCSC.

Regular testing of the network's defences and monitoring should be carried out in addition to having a solid response plan in place.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.