Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
Proper DDoS Protection Requires Both Detective and Preventive Controls
Distributed denial-of-service attacks still plague the enterprise, but adding preventive measures can reduce their impact.
In the security profession, controls are one of the main tools we use to reduce risk. In doing so, we leverage a mix of preventive and detective controls. As the name suggests, preventive controls are designed to reduce the potential that a given threat will negatively affect a given environment.
Of course, preventive controls don't always work as designed, and some threats will always get through them. To supplement this protection, detective controls are also used. Detective controls identify security issues soon after they occur, so that they can be remediated before too much damage has occurred.
Using preventive and detective controls in tandem is a routine practice that is applied across many areas in the security space, including network security, application security, endpoint protection, identity and access management, and cloud security.
That is by no means an exhaustive list — this practice is applied in myriad areas within the security space. You can imagine my surprise, then, that one area is noticeably lacking the powerful combination of preventive and detective controls: distributed denial-of-service (DDoS) protection.
Why DDoS Is Still a Problem
DDoS is a significant problem for most businesses. According to MazeBolt, a DDoS security company, 60% of businesses lose at least $120,000 due to DDoS attacks, while 15% of businesses lose at least $1 million. Even with the best DDoS protections in place, businesses still suffer from 30% to 75% exposure of their online services to DDoS, MazeBolt says. This means that DDoS is a serious problem confronting the industry — and one that is not getting the preventive controls it needs.
Perhaps that will surprise you, too. When it comes to DDoS, organizations focus mainly on detection and mitigation. They purchase DDoS mitigation solutions, but they don't give much thought to protecting the organization from attack in the first place. We as a profession don't seem to focus much on DDoS preventive controls, despite the fact that the US Cybersecurity and Infrastructure Security Agency (CISA) recommends doing so in its latest DDoS mitigation guidance.
It may seem odd, but there are historical reasons for this, such as the difficulty of checking for DDoS vulnerabilities and susceptibility in a nondisruptive manner.
5 Steps to Round Out DDoS Protection
So once an organization decides to take a more well-rounded approach to DDoS, what are some steps it should follow to ensure it is adequately protected? I've offered a few thoughts here.
1. Check for vulnerabilities. Organizations should ensure that they check for vulnerabilities and susceptibility to DDoS at layers 3, 4, and 7 of the OSI model. This is easier said than done, of course, because the vulnerabilities must be identified without disrupting the environment. Taking down the infrastructure in the name of DDoS security would not be a good thing.
2. Stay nondisruptive. No one needs their DDoS risk reduced at the cost of disrupting business operations and impacting revenue, uptime, and customer satisfaction. There is a better way — namely, new nondisruptive, nonintrusive methods to identify and enumerate infrastructure vulnerabilities that expose an organization to additional DDoS risk.
3. Understand the environment. The best way to ensure that no infrastructure vulnerabilities are missed is to know the environment well. This holds regardless of how complex the environment is, including hybrid and multicloud deployments. Understanding the environment is the best way to eliminate blind spots. That, in turn, makes the vulnerability identification and remediation process far more thorough and effective.
4. Establish and follow a process. Organizations should have a process to document and prioritize vulnerabilities for remediation. This ensures that things do not fall through the cracks and reduces the potential for oversight and human error. Even with the best process, organizations will still need determination and follow-through to remediate the vulnerabilities they have identified. DDoS security is a marathon, not a sprint.
5. Iterate your security steps. DDoS security, like many areas within the security field, is not a one-time activity. Organizations need to continually test for new or persistent vulnerabilities within the infrastructure. They need to stay continually aware of changes to the environment so that their understanding of it remains current. Organizations will also need to continually stick to and follow their process to ensure that vulnerabilities are remediated in a timely manner. Simply put, DDoS security is an effort that requires continuous attention.
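As an added illustration of steps 3 through 5 (example code, not from the article or its author), the following Python register diffs two environment snapshots between test cycles, orders open findings for remediation, and flags those past their remediation window. The SLA values, service names and findings are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows in days, by priority. Constructed policy values; the
# article recommends a documented process but gives no specific SLAs.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}
RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass
class Finding:
    service: str                  # inventory key, e.g. "www:443/tcp" (constructed)
    layer: int                    # OSI layer the exposure applies to: 3, 4 or 7
    issue: str                    # short description of the exposure
    priority: str                 # "high", "medium" or "low"
    found: date                   # date the finding was recorded
    fixed: Optional[date] = None  # set once remediation has been verified

def open_findings(findings):
    return [f for f in findings if f.fixed is None]

def prioritized(findings):
    """Open findings in remediation order: highest priority first, then oldest."""
    return sorted(open_findings(findings), key=lambda f: (RANK[f.priority], f.found))

def overdue(findings, today):
    """Open findings whose remediation window has already elapsed."""
    return [f for f in open_findings(findings)
            if today > f.found + timedelta(days=SLA_DAYS[f.priority])]

def environment_changes(previous, current):
    """Diff two inventory snapshots (sets of service keys). Added services have
    never been tested; removed ones no longer need their findings tracked."""
    return {"added": sorted(current - previous), "removed": sorted(previous - current)}

def retest_queue(previous, current, findings):
    """Services to test this cycle: newly exposed services plus those that still
    exist and carry an open finding (verifies the fix, catches regressions)."""
    added = set(environment_changes(previous, current)["added"])
    still_open = {f.service for f in open_findings(findings) if f.service in current}
    return sorted(added | still_open)

# Constructed sample data: two monthly snapshots and the findings register.
SNAPSHOT_MAR = {"www:443/tcp", "dns:53/udp", "vpn:500/udp"}
SNAPSHOT_APR = {"www:443/tcp", "dns:53/udp", "api:443/tcp"}
FINDINGS = [
    Finding("dns:53/udp", 7, "reflection/amplification exposure", "high", date(2023, 3, 1)),
    Finding("www:443/tcp", 4, "no per-source connection rate limit", "medium", date(2023, 3, 5)),
    Finding("vpn:500/udp", 3, "no upstream scrubbing path", "low", date(2023, 3, 10), fixed=date(2023, 3, 20)),
]
```

Run against a review date such as `date(2023, 4, 1)`, the register reports the layer-7 DNS finding as overdue, places it ahead of the layer-4 finding, and queues the new API service for its first test.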
Time for DDoS Preventive Controls
Like many areas in the security space, DDoS security leverages both preventive and detective controls — or at least it should. For a variety of reasons, our historical focus around DDoS has been primarily on detection and mitigation of DDoS attacks. We as a field are long overdue for leveraging preventive controls in the DDoS security area.