Denial-of-service attacks

Questions 85 and 86 — see how your service provider protects its services from denial-of-service (DoS) attacks, both distributed and economic, and whether they meet your requirements.

Questions 85 and 86 — DoS attacks

Table 1 lists who is responsible for answering each question.

Context and help for questions 85 and 86

Record your answers to these questions in either:

Questions to answer

  1. Does the service provider use protocols and technologies that can protect against distributed denial-of-service (DDoS) attacks?
    1. If yes — does enabling the service provider’s DDoS protection services affect your answers to questions 15 to 17 about data sovereignty?
  2. Can your government organisation specify or configure resource usage limits to protect against economic denial-of-service (EDoS) attacks?

Table 1: Who answers each question

Entity Questions to answer
Government organisation None
Service provider 85, 85a, 86

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance about this information, consider using a different public cloud service when:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 85 and 86

The following guidance gives you context and help for answering questions about DoS attacks.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Why DoS attacks happen

Any service delivered over the internet has an inherent risk of DoS attacks.

A DoS attack may be launched against the service provider or government organisation.

How public cloud services are at risk of DoS attacks

For DoS attacks, public cloud services can:

  • be more visible and attractive targets — multiple organisations using a single service can be seen as a worthwhile opportunity for attackers
  • cause collateral damage — government organisations might experience damage from attacks on the service provider or another organisation using the service.

How public cloud services lessen the risk of DoS attacks

Using public cloud services may lessen the impact of some forms of DoS attacks. Service providers often:

  • have spare network bandwidth and computing capacity
  • use data centres in different locations in the world, paired with protocols and technologies, to distribute network traffic and computer processing.

Distributed denial-of-service attacks

It’s difficult to protect against traffic-based DoS attacks — called distributed denial-of-service (DDoS) attacks. This is because:

  • they consume all the available resources
  • effective defences against them rely on blocking the source of the attack as close to the attackers’ location as possible.

How to lessen the risk of DDoS attacks

Service providers use protocols and technologies, such as:

  • Anycast
  • application delivery networks
  • content delivery networks.

Economic denial-of-service attacks

One of the benefits of public cloud services is that government organisations can pay for only what they’re using in a service. This can be turned into a disadvantage by economic denial-of-service (EDoS) attacks — also called bill shocks.

A successful EDoS attack may force a service to scale exponentially to meet the demand the attack creates. This results in unusually high charges for resource use.

How to lessen the risk of EDoS attacks

You can reduce the risk of unexpected charges by setting limits in the service’s security configurations. Set the resource usage limits close to your government organisation’s expected peak usage of the service.

The technical owner or subject matter experts of the current information system can help to properly set these configurations.
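The following is an added illustration, not part of this guidance or any provider’s tooling, of why a limit set near expected peak usage bounds EDoS exposure. It models a pay-per-use service that autoscales with demand; the traffic trace, instance capacity, price and expected peak are all constructed assumptions. Hours in which the cap is reached are returned, because those are the hours the technical owner should investigate.

```python
"""Added example: a resource cap bounds EDoS (bill-shock) exposure."""
import math
from dataclasses import dataclass, field
from typing import Optional

# Constructed hourly request counts: normal load, then a surge that may be
# an EDoS attack rather than genuine demand.
HOURLY_REQUESTS = [900, 1_000, 1_100, 1_000, 12_000, 60_000, 90_000, 1_000]
REQUESTS_PER_INSTANCE_HOUR = 500   # assumed capacity of one instance
INSTANCE_HOUR_COST = 0.20          # assumed price per instance-hour
EXPECTED_PEAK_INSTANCES = 3        # assumed expected peak for the organisation


@dataclass
class ScaleResult:
    instances_per_hour: list
    cost: float
    capped_hours: list = field(default_factory=list)  # hours the cap was hit


def instances_needed(requests: int) -> int:
    """Instances required to serve one hour of demand (at least one)."""
    return max(1, math.ceil(requests / REQUESTS_PER_INSTANCE_HOUR))


def cap_from_expected_peak(expected_peak: int, headroom: float = 0.25) -> int:
    """A limit just above the expected peak, leaving some headroom."""
    return math.ceil(expected_peak * (1 + headroom))


def simulate(hourly_requests, max_instances: Optional[int] = None) -> ScaleResult:
    """Scale to demand each hour, optionally bounded by max_instances."""
    result = ScaleResult(instances_per_hour=[], cost=0.0)
    for hour, requests in enumerate(hourly_requests):
        wanted = instances_needed(requests)
        if max_instances is not None and wanted > max_instances:
            # Demand exceeded the limit: the service degrades, the bill does not.
            result.capped_hours.append(hour)
            wanted = max_instances
        result.instances_per_hour.append(wanted)
    result.cost = round(sum(result.instances_per_hour) * INSTANCE_HOUR_COST, 2)
    return result


if __name__ == "__main__":
    cap = cap_from_expected_peak(EXPECTED_PEAK_INSTANCES)
    uncapped = simulate(HOURLY_REQUESTS)
    capped = simulate(HOURLY_REQUESTS, max_instances=cap)
    print(f"uncapped bill: ${uncapped.cost:.2f}")
    print(f"capped at {cap} instances: ${capped.cost:.2f}, cap hit in hours {capped.capped_hours}")
```

With the constructed trace the uncapped bill is about 15 times the capped one; the capped run also yields the hours where demand exceeded the limit, which is the signal to raise with the provider or investigate as a possible attack.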

Technical context of an information system
