Connect with us

Hi, what are you looking for?



CISA Releases Guidance on Adopting DDoS Mitigations

CISA has released new guidance to help federal agencies decide upon and prioritize DDoS mitigations based on mission and reputational impact.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance to help federal agencies adopt distributed denial-of-service (DDoS) mitigations.

DDoS attacks are a type of cyberattack in which threat actors flood a server or network with internet traffic, exhausting its resources and rendering the target inaccessible.

Meant to help federal agencies prevent “large-scale volumetric attacks against web services”, CISA’s new guidance (PDF) shares details on prioritizing DDoS mitigations depending on mission and reputational impact, and describes various DDoS mitigation services to help agencies make informed procurement decisions.

The guide, however, only focuses on DDoS attacks targeting websites and related web services, which are meant to deny user access to them.

According to CISA, before deciding which type of DDoS mitigation to adopt, federal agencies should make an inventory of agency-owned or -operated web services, and then analyze the impact a DDoS attack would have against those services.

For that, CISA proposes five categories of impact and encourages federal agencies to assign a score in each of them: impact on public transactions, impact on public access to information, impact on government and industry partnerships, impact on the agency’s day-to-day activities, and reputational impact.

Next, each agency should assess the importance, or weight, of each impact category, based on mission and risk tolerance.

Advertisement. Scroll to continue reading.

“Agencies that depend on public perception for the successful execution of their mission may choose to give more weight to scores in the reputational impact category, whereas agencies that are reliant on partnership with scientific or academic organizations may choose to weight the government and industry partnerships category more heavily,” CISA explains.

After calculating the impact score for each of their web services, federal agencies should create a ranked list of DDoS attacks and, based on that, prioritize the implementation of specific DDoS mitigations.

When considering the adoption of mitigations against DDoS attacks, federal agencies should look at content delivery networks (CDNs), internet service providers (ISPs) and upstream providers, and cloud service provider hosted services.

“CDN mitigations provide the highest degree of protections. Both ISP and CSP are sufficient if service providers can provide the proper compute and bandwidth resources. On-premises solutions are highly unlikely to provide sufficient compute and bandwidth due to its inability to scale; CDN solutions are highly advised,” CISA notes.

Related: MITRE and CISA Release Open Source Tool for OT Attack Emulation

Related: CISA Releases Cyber Defense Plan to Reduce RMM Software Risks

Related: CISA Unveils Cybersecurity Strategic Plan for Next 3 Years

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.


The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Cloud Security

Redmond is accused of “negligent cybersecurity practices” that enabled a successful Chinese hack of the United States government.


Companies have announced securing billions of dollars in cybersecurity-related contracts with the United States government in 2022.


CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.


TSA instructs airport and aircraft operators to improve their cybersecurity resilience and prevent infrastructure disruption and degradation.