Communications of the ACM

ACM News

U.S. HHS Battles DDoS

The attackers did not retrieve any information, although they did try to disrupt HHS networks to undermine the agency's response to the coronavirus.

How did the U.S. Department of Health and Human Services protect its networks from a Distributed Denial of Service attack earlier this year?

Credit: Cybercrime Magazine

On March 15th, criminal hackers launched a Distributed Denial of Service (DDoS) attack against the U.S. Department of Health and Human Services (HHS) computer networks, in an attempt to slow its systems amidst its response to the coronavirus, according to ABC News.

HHS was ready for them.

"HHS has an IT infrastructure with risk-based security controls continuously monitored to detect and address cybersecurity threats and vulnerabilities," says Carla L. Daniels, an HHS public affairs specialist.

"On Sunday, March 15th, we became aware of a significant increase in activity on HHS cyberinfrastructure and are fully operational as we actively investigate the matter. Early on, while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure," says Daniels.

According to Bloomberg, the attackers did not retrieve any information, although they did try to disrupt HHS networks to undermine its response to the coronavirus. The attack did not degrade HHS network performance either, according to Bloomberg.

While we don't know precisely how HHS prepared for the cyberattack, we can get a good idea of how agencies like it typically do.

The HHS servers received millions of hits that Sunday, according to Bloomberg, which criminal hackers intended to slow server response capabilities or shut the servers down altogether. A DDoS attack works by using bots—systems under the control of an attacker—to send so many requests to the servers that they cannot respond to them. The flood of activity can make servers unavailable for legitimate traffic, or even cause the servers to crash.

Part of HHS cyber-readiness comes from the Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity component of the U.S. Department of Homeland Security (DHS). CISA uses several measures to protect HHS networks, which were in effect at the time of the DDoS attack.

CISA spokesperson Sara Sendak offered the following at the time of the attack: "CISA has taken a number of steps over the last several weeks to increase cybersecurity preparedness across federal civilian agencies, including enhanced monitoring, issuing recommendations as agencies shift to telework, and identifying and protecting particularly important systems supporting COVID response efforts. We're confident that the measures we've all put into place are sufficient, and we will stay on the lookout for and defend against malicious activity."

Regarding the attack on HHS, Sendak said, "CISA will continue to support our partners at HHS as they protect their IT systems."

John Pescatore, director of emerging security trends for the SANS Institute, the largest source for information security training and security certification in the world, was happy to share his insights on how HHS could have defended its networks (although the Institute does not have any inside information on what HHS did to mitigate the DDoS attack).

According to Pescatore, one method Federal agencies can and do use is related to the U.S. Government Trusted Internet Connections (TIC) initiative, which unites qualified ISPs to provide secure, reliable Internet service to government agencies. "Using a TIC service provider for Internet services guarantees an agency will get a standard level of secure Internet connectivity and a consistent level of incident reporting to support federal government security dashboard needs," says Pescatore. AT&T, Verizon, and CenturyLink are the ISPs that offer TIC services, he adds.

Some government agencies use the DDoS filtering services that ISPs provide to filter out DDoS attack traffic in the cloud. "Other government agencies have procured DDoS detection and mitigation appliances and installed them at their datacenters to protect critical services," says Pescatore.

There are approaches in the FedRAMP program to mitigate DDoS attacks against specific applications. The FedRAMP program promotes the adoption of secure cloud services across the Federal government by providing a standardized approach to security and risk assessment, according to, which . certifies cloud service providers that offer cloud applications.

According to Pescatore, "In the past few years, more and more government agencies have moved to use FedRAMP-certified cloud service providers to run email, web servers, and other applications from the cloud. All of those cloud service providers have built-in DDoS protection; if DDoS stops those services, cloud service provider revenue stops."

A proactive response is another likely cyber-remedy for HHS. Agencies that are watchful can anticipate coming DDoS attacks, because cybercriminals scan potential victims' networks to prepare their attacks. By making themselves aware of the scans, agencies can get ready, too.

"When you find you're being scanned, you can do out-of-cycle (unscheduled) backups and notify your response team to get ready in case a DDoS attack does happen," says Pescatore. You also can flip the switch on your provider to start scrubbing out the DDoS traffic once you detect an attack.

Mission-critical agencies like HHS are typically doing all of these things to counter DDoS attacks, according to Pescatore.
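
As an added illustration of the scan awareness described above (not code from HHS, CISA, or SANS), the sketch below flags sources that probe many distinct ports on one host within a short window. The log format, the thresholds, and the function name `find_scanners` are assumptions, and the log lines are constructed samples using documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny-log lines in a hypothetical format (not real data).
SAMPLE_LOG = """\
2020-03-14T02:10:01Z DENY src=198.51.100.7 dst=192.0.2.10 dport=21
2020-03-14T02:10:02Z DENY src=198.51.100.7 dst=192.0.2.10 dport=22
2020-03-14T02:10:03Z DENY src=198.51.100.7 dst=192.0.2.10 dport=23
2020-03-14T02:10:05Z DENY src=198.51.100.7 dst=192.0.2.10 dport=80
2020-03-14T02:10:08Z DENY src=198.51.100.7 dst=192.0.2.10 dport=443
2020-03-14T02:11:00Z DENY src=203.0.113.9 dst=192.0.2.10 dport=443
2020-03-14T02:11:01Z DENY src=203.0.113.9 dst=192.0.2.10 dport=443
2020-03-14T01:00:00Z DENY src=203.0.113.50 dst=192.0.2.10 dport=22
2020-03-14T03:00:00Z DENY src=203.0.113.50 dst=192.0.2.10 dport=25
2020-03-14T05:00:00Z DENY src=203.0.113.50 dst=192.0.2.10 dport=80
2020-03-14T07:00:00Z DENY src=203.0.113.50 dst=192.0.2.10 dport=443
2020-03-14T09:00:00Z DENY src=203.0.113.50 dst=192.0.2.10 dport=8080
"""

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")


def find_scanners(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {src: ports} for sources that were denied on at least
    `min_ports` distinct ports of a single host within `window`."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events[(m.group(2), m.group(3))].append((ts, int(m.group(4))))

    flagged = {}
    for (src, _dst), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

With the default 60-second window, the source that retries one port and the source that spreads five ports over eight hours both go unflagged; widening `window` catches the slow scan at the cost of more noise.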

Beyond these measures, an agency could be using load balancing, according to Mark Chaplin, principal of the Information Security Forum (ISF), a non-profit dedicated to investigating, clarifying, and resolving key issues in information security and risk management. Says Chaplin, HHS "could have extensive load balancing capabilities to absorb high-volume DDoS attacks."

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.

