Election Security Spotlight — DDoS Attacks
What it is
Distributed Denial of Service (DDoS) attacks occur when a cyber threat actor (CTA) uses multiple devices at once to overwhelm a target system or network with a flood of internet traffic or requests. To do this, CTAs exploit security weaknesses of devices connected to the internet to ultimately take control of them. They then leverage these devices (referred to as a botnet) to carry out a DDoS attack. The goal of a DDoS attack is to disrupt use of a target system or network by flooding it with internet traffic or requests, which results in network slowing, crashing, or unresponsiveness, preventing users from accessing it. Organizations lose time and money when they fall victim to a DDoS attack. In addition, particularly for election officials, DDoS attacks could lead to perceived distrust in the election process.
Why does it matter
As more and more devices connect to the internet, DDoS attacks have become more prevalent. Election officials should be cognizant of all their office's internet-facing systems and recognize that those systems could become victims of a DDoS attack. For example, consider your voter registration system. It is likely accessible through your website for individuals to register to vote and for eligible voters to request an absentee ballot, view their sample ballot, or find their polling location. In addition, your staff and poll workers are using the same voter registration system for absentee/early voting and for normal business in the office. Election officials should recognize that the voter registration system is likely experiencing a higher number of requests and amount of internet traffic than usual in the month prior to an election. If your voter registration system becomes unusually slow or inaccessible at any point, particularly outside of the month prior to an election, consider that this may be a DDoS attack and contact your trusted IT professionals immediately. Other internet-facing systems to consider in the elections realm include your website, where voters and the media expect to find accurate, reliable information. A DDoS attack on your website could make the site slow, unresponsive, or completely inaccessible. Also, keep in mind that a DDoS attack on any election results reporting sites you utilize would impact your ability to share voting results.
What you can do
Election officials should communicate with their trusted IT professionals about the risk and associated damage the organization may experience if a DDoS attack were to occur. Inquire about the measures your organization has proactively taken to defend against DDoS attacks. To mitigate any potential damage, here are a few best practices to consider:
- Consider using a vulnerability scanning service. CTAs look for gaps in security to plan their attacks, so it is imperative to identify these vulnerabilities and remediate them. Please visit https://www.cisa.gov/cyber-hygiene-services to learn more about CISA’s no-cost Cyber Hygiene Services.
- Implement a defense-in-depth strategy in your organization’s internet security. Strengthening your organization’s cyber posture with layers of protection is the best way to be proactive against any cyber attack. While the following recommendations are broader than DDoS-specific mitigations, they are an important part of a layered defense strategy:
  - An intrusion detection system (IDS), such as Albert Network Monitoring and Management. For more information, please visit https://www.cisecurity.org/services/albert-network-monitoring.
  - Endpoint protection, such as the no-cost Endpoint Detection and Response (EDR) solution offered by the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), provides device-level protection by blocking malicious activity and stopping an attack. For more information, please visit https://www.cisecurity.org/insights/spotlight/cybersecurity-spotlight-endpoint-detection-and-response-edr.
  - Defense against malicious domains, such as the EI-ISAC’s no-cost Malicious Domain Blocking and Reporting (MDBR) solution, prevents information technology systems from connecting to known malicious domains. For more information, please visit https://www.cisecurity.org/ms-isac/services/mdbr.
- Consider using a DDoS mitigation service provider. DDoS mitigation service providers take steps to detect attacks and mitigate any potential damage, such as loss of service, resulting from a DDoS attack. In fact, some DDoS mitigation services may be free to elections offices.
- Implement a Web Application Firewall (WAF). WAFs protect web applications, and the data within, by analyzing incoming internet traffic and blocking threats targeting the application. This solution is complementary to having a DDoS mitigation service provider.
- Address DDoS attacks in your organization’s Incident Response (IR) Plan. Facilitate DDoS-specific IR planning, which includes:
  - Saving contact information for your state/local IT department or internet service provider (ISP) in a location that would not be impacted by a DDoS attack. Printing out your IT department's or ISP's contact information is a simple method for this.
  - Contacting your IT department or ISP and exploring whether they could activate traffic thresholds without impacting legitimate users and causing system issues.
- Provide training for employees. Educate your staff on DDoS attacks and provide instructions on what they should do if they suspect your organization is experiencing a DDoS attack.
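The symptom described above (a voter registration site that suddenly slows or starts returning errors) and the traffic-threshold question you would raise with your IT department or ISP both come down to the same measurement: how many requests a window of time carries compared with normal, and from how many distinct sources. The script below is an added example for this spotlight, not CIS or EI-ISAC code. It assumes a web server writing Common Log Format access logs, a fixed 60-second window, and a threshold of five times the median per-window request count; the log lines, addresses and path names are constructed for illustration. It reports, for each spiking window, the request count against baseline, the number of distinct source addresses (many sources is what distinguishes a distributed attack from one misbehaving client) and the share of 5xx responses, which is the information your IT staff or mitigation provider will ask for first.

```python
"""Flag request-rate spikes in web access logs that may indicate a DDoS.

Added example for this spotlight; not CIS/EI-ISAC code. Assumes Common
Log Format lines and a 60-second window. Threshold multiplier, minimum
source count and the sample log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def bucket_by_window(records, window_s=60):
    """Group parsed records by the epoch second that starts their window."""
    buckets = defaultdict(list)
    for r in records:
        start = int(r["ts"].timestamp()) // window_s * window_s
        buckets[start].append(r)
    return dict(buckets)


def detect_spikes(lines, window_s=60, multiplier=5.0, min_sources=10):
    """Return one alert dict per window whose request count exceeds
    multiplier * median(per-window counts). The median is used as the
    baseline so that a single flooded window does not inflate "normal"."""
    records = [r for r in (parse_line(ln) for ln in lines) if r]
    buckets = bucket_by_window(records, window_s)
    if not buckets:
        return []
    baseline = median(len(v) for v in buckets.values())
    alerts = []
    for start in sorted(buckets):
        recs = buckets[start]
        if baseline > 0 and len(recs) > multiplier * baseline:
            ips = Counter(r["ip"] for r in recs)
            paths = Counter(r["req"].split()[1] if len(r["req"].split()) > 1
                            else r["req"] for r in recs)
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "requests": len(recs),
                "baseline": baseline,
                "distinct_sources": len(ips),
                # many distinct sources points to a distributed flood rather
                # than one broken client or scraper
                "pattern": "distributed" if len(ips) >= min_sources else "single-source",
                "top_path": paths.most_common(1)[0][0],
                "server_errors": sum(1 for r in recs if r["status"] >= 500),
            })
    return alerts


def make_sample_log():
    """Constructed sample: three quiet minutes of normal lookups, then one
    minute in which twenty distinct addresses hammer /voter/lookup and the
    server starts answering 503."""
    def fmt(ip, minute, second, path, status=200):
        return (f'{ip} - - [05/Nov/2024:09:{minute:02d}:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" {status} 512')
    lines = []
    for minute in range(3):
        for i in range(5):
            lines.append(fmt(f"198.51.100.{i + 1}", minute, i * 10,
                             "/voter/lookup" if i % 2 else "/"))
    for i in range(40):
        lines.append(fmt(f"203.0.113.{i % 20 + 1}", 3, i % 60,
                         "/voter/lookup", 503 if i > 30 else 200))
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(make_sample_log()):
        print(alert)
```

Run it against a real log by replacing `make_sample_log()` with the file's lines; if the report shows a spike concentrated on one or two paths from many addresses, that is the window, path and source count to hand to your IT department or mitigation provider when asking whether a traffic threshold can be applied without cutting off legitimate voters.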
For more information on DDoS attacks, download the MS-ISAC Guide to DDoS Attacks and visit CISA’s website to review their recommendations:
- https://www.cisecurity.org/insights/white-papers/ms-isac-guide-to-ddos-attacks
- https://www.cisa.gov/news-events/news/understanding-denial-service-attacks
- https://www.cisa.gov/resources-tools/resources/understanding-and-responding-distributed-denial-service-attacks
Please contact us at [email protected] if you have any questions.