In a recent white paper, "Understanding Mitigation for Modern DDoS Attacks," Nexusguard details the non-stop evolution of DDoS attacks and how corporate operations are being impacted. A far cry from yesterday's pranks and practical jokes, today's DDoS attacks are increasingly driven by ideological, political, and criminal motivations. Studying recent incidents, it becomes clear that attackers have become more determined and organized--and are wielding much more powerful, versatile, and cheaper arms.
To combat next-generation DDoS attacks, organizations can choose from a variety of DDoS mitigation tactics, including the following six:
Carrier-based solutions: ISPs are responsible for the pipes that carry network traffic and are generally the first line of defense against DDoS attacks. Through identifying anomalies in network traffic, ISPs can block malicious traffic from causing damage. However, when the attack is distributed among multiple ISPs, this can be difficult to coordinate. Furthermore, ISPs generally attempt to mitigate DDoS attacks with existing equipment, making it difficult for them to respond quickly to unexpected situations.
CDN-based solutions: Simple bandwidth flooding attacks are generally ineffective against content delivery network (CDN) operators, which have sufficient network infrastructure to absorb attack traffic. Organizations under attack will generally be billed for the malicious traffic, however. CDN operators also have limited experience in mitigating layer 7 attacks.
DNS-based solutions: Like CDNs, DNS service providers also have the infrastructure to mitigate flood traffic, and are especially effective against layer 3 and 4 attacks. Similarly, DNS service providers are not that effective against intelligent attacks, such as low bandwidth attacks.
Host-based solutions: Mitigating DDoS attacks through a hosting or colocation service provider allows a single contract and a single window of contact, with the added benefit of being cost effective. However, most often these anti-DDoS services are provided through a third-party contractor. In addition, most anti-DDoS solutions provided by hosting services are the most limited in effectiveness due to shared bandwidth and network security.
In-house security teams: Many corporations are tempted to take matters into their own hands, but grossly underestimate the related costs. While equipment with advanced network security features is readily available, they are expensive to both purchase and maintain. According to the Nexusguard white paper, the average ISP spends US$300,000 per year on hardware alone, with an additional $54,000 per year on software. The cost goes up even more when time and training are factored in--while the average IT team can understand the basics of DDoS attacks, professional network security requires specific skill sets and experience.
Outsourced specialist: For corporations looking for a more effective solution, offloading anti-DDoS operations to third-party specialists might be the best path to take. Besides saving on hardware and software maintenance fees--as well as training costs for in-house teams--working with an anti-DDoS service provider like Nexusguard also means that you're prepared for even layer 7 attacks. Nexusguard's team of security experts are always up to date when it comes to the latest vulnerabilities and security risks, and its highly customizable services can scale up or down according to clients' needs. For more information, please visit http://www.nexusguard.com.
Nexusguard is an industry-leading Internet security service provider, proven by years of experience mitigating thousands of attacks per month. Established in 2008, Nexusguard continues to provide innovative end-to-end, cloud-based Internet security solutions. By protecting clients against the ever-increasing and evolving multitude of Internet threats, Nexusguard's cloud-based security solutions empower clients around the globe with uninterrupted services. For more information, please visit www.nexusguard.com.