Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:00 PM
Vincent Berk
Vincent Berk
Connect Directly
E-Mail vvv

Ultimate Guide To DDoS Protection: Strategies And Best Practices

To be in the best position to defend against DDoS, companies need to protect against a range of exploitable vulnerabilities -- and have the tools to detect and react to attacks.

Part two of a two-part series on DDoS attacks and prevention.

The unfortunate truth is that there is no way to bullet-proof your network to completely prevent DDoS attacks. But there are a number of things that you can do to minimize your exposure and maximize your defenses. 

1. Security-Smart Configurations and Settings

Understanding the different ways that attackers exploit systems is critical to ensure that all of your network systems and applications are configured to minimize vulnerabilities.

2. Stay Current with Patches and Updates

When a zero-day vulnerability is identified, vendors work as quickly as possible to develop and issue a patch or update to close the security hole. But the existence of the fix isn’t enough to protect you – you need to deploy it within your own network. The longer the lag time between the availability of the update and its application in your systems, the more vulnerable you are to attack via that particular vector.

3. Train Your End Users

In addition to protecting your organization from being hit by a DDoS attack, you also want to make sure that none of your systems are used as intermediaries or amplifiers for attacks on other networks. One way that perpetrators gain control of helper computers is to infect them with Trojans. In addition to technical solutions to prevent malware from coming into the system, it’s critical to train end users to recognize suspicious links.

4. Monitor Network Flows

Network flows provide up-to-the-minute information about the communications taking place on the network, including who’s sending how much data to whom, as well as how and when: IP addresses, port and protocol, exporting device, timestamps, plus VLAN, TCP flags, etc. This data is widely available from devices like routers, switches, firewalls, load balancers, hypervisors, and even as software to install on individual hosts. With data streaming in from multiple sources, a central location can get an excellent view of the network, including cross-border and purely internal traffic. By analyzing flow data – NetFlow, Jflow, Cflow, IPFIX, or sFlow – network and security operations personnel can flag anomalies and identify suspicious behavior, including reconnaissance, botnets, and DDoS attacks. In fact, flow analysis is an important component of any organization’s security strategy.

Parsing DDoS Solutions

There are a number of solutions on the market to help organizations protect and defend themselves against DDoS attacks. It’s important to understand that these solutions fall broadly into two distinct categories: detection and mitigation.

Detection:  You want to make sure that all of your systems, including firewalls, IDS/IPS, etc., are configured to minimize exposure to DDoS attacks. But the fact is that many of these security tools simply aren’t the best solutions for this particular attack method. Because of the nature of DDoS traffic, you can’t rely on signatures or source details to identify an in-progress attack. Nor can you afford to wait until the traffic starts hitting critical mass – and affecting availability. That’s why having a flow-based solution that can detect an attack within seconds is vital.

Mitigation: Your detection solution needs to be able to trigger automated mitigation, directing traffic to a scrubber appliance or service. In addition to handling the volume of traffic that today’s DDoS attacks create, mitigation solutions also need to be able to filter out the bad traffic while allowing legitimate traffic back on the network to maintain normal business operations.

The DDoS problem isn’t going away any time soon – in fact all signs point to increasing risk in the foreseeable future. In order to be in the best position to defend against DDoS, companies need to protect against the wide range of exploitable vulnerabilities and to have the tools to detect and react to attacks quickly and effectively, without affecting normal business operations.

[Read part one of the seriesUltimate Guide to DDoS Protection: DDoS is a Business Problem]

Related Content:


Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE. View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Kaiying Fu
Kaiying Fu,
User Rank: Author
10/11/2016 | 3:28:43 AM
Re: Most efficient
I completely agree, the scrubbing of traffic needs to be automated. There are a ton of other fixes people have that are inadequate when you think about how web attacks are often delivered in a cocktail. Moving away from shared hosting, trying their hands at iptables scripting, CDN load balancing, and as the author has pointed out, flow monitoring. These are all great to avoid downtime, but what about data theft and malware introduced through secondary attacks?

If automated traffic scrubbing is the most efficient in successful DDoS mitigation, and the problem is cost, we need innovation in how such services are provided. Yes it has traditionally been very costly. Depending on your business's needs however, paid protection could be more affordable if the price model switched from per feature pricing to traffic-based pricing.
User Rank: Ninja
5/31/2016 | 10:48:18 AM
Most efficient
"Mitigation: Your detection solution needs to be able to trigger automated mitigation, directing traffic to a scrubber appliance or service."

I have found this to be the most efficient means of mitigating a ddos attack. Unfortunately it is also the most costly. Another method is utilizing your ISP at the top of the pipe but again depending on how large the attack it may not be sufficient.
User Rank: Ninja
5/31/2016 | 8:13:58 AM
More work to do
It is good to see that there are legitimate strategies in place for organisations in dealing with DDOS attacks these days, but I feel like a lot more needs to be done. It's still far too common to try and use monstrous sites and services and to find them unusable because of a dedicated attack.

DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.