Dark Reading is part of the Informa Tech Division of Informa PLC
Vincent Berk
Ultimate Guide To DDoS Protection: Strategies And Best Practices

To be in the best position to defend against DDoS, companies need to protect against a range of exploitable vulnerabilities -- and have the tools to detect and react to attacks.

Part two of a two-part series on DDoS attacks and prevention.

The unfortunate truth is that there is no way to bullet-proof your network to completely prevent DDoS attacks. But there are a number of things that you can do to minimize your exposure and maximize your defenses. 

1. Security-Smart Configurations and Settings

Understanding the different ways that attackers exploit systems is critical to ensuring that all of your network systems and applications are configured to minimize vulnerabilities.

2. Stay Current with Patches and Updates

When a zero-day vulnerability is identified, vendors work as quickly as possible to develop and issue a patch or update to close the security hole. But the existence of the fix isn’t enough to protect you – you need to deploy it within your own network. The longer the lag time between the availability of the update and its application in your systems, the more vulnerable you are to attack via that particular vector.

3. Train Your End Users

In addition to protecting your organization from being hit by a DDoS attack, you also want to make sure that none of your systems are used as intermediaries or amplifiers for attacks on other networks. One way that perpetrators gain control of helper computers is to infect them with Trojans. In addition to technical solutions to prevent malware from coming into the system, it’s critical to train end users to recognize suspicious links.

4. Monitor Network Flows

Network flows provide up-to-the-minute information about the communications taking place on the network, including who’s sending how much data to whom, as well as how and when: IP addresses, port and protocol, exporting device, timestamps, plus VLAN, TCP flags, etc. This data is widely available from devices like routers, switches, firewalls, load balancers, hypervisors, and even as software to install on individual hosts. With data streaming in from multiple sources, a central location can get an excellent view of the network, including cross-border and purely internal traffic. By analyzing flow data – NetFlow, Jflow, Cflow, IPFIX, or sFlow – network and security operations personnel can flag anomalies and identify suspicious behavior, including reconnaissance, botnets, and DDoS attacks. In fact, flow analysis is an important component of any organization’s security strategy.

Parsing DDoS Solutions

There are a number of solutions on the market to help organizations protect and defend themselves against DDoS attacks. It’s important to understand that these solutions fall broadly into two distinct categories: detection and mitigation.

Detection: You want to make sure that all of your systems, including firewalls, IDS/IPS, etc., are configured to minimize exposure to DDoS attacks. But the fact is that many of these security tools simply aren’t the best solutions for this particular attack method. Because of the nature of DDoS traffic, you can’t rely on signatures or source details to identify an in-progress attack. Nor can you afford to wait until the traffic starts hitting critical mass – and affecting availability. That’s why having a flow-based solution that can detect an attack within seconds is vital.

Mitigation: Your detection solution needs to be able to trigger automated mitigation, directing traffic to a scrubber appliance or service. In addition to handling the volume of traffic that today’s DDoS attacks create, mitigation solutions also need to be able to filter out the bad traffic while allowing legitimate traffic back on the network to maintain normal business operations.
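The flow-monitoring, detection and mitigation points above (items 4, "Detection" and "Mitigation") can be tied together in one small pipeline. The following is an added example written for this page, not code from the article or from FlowTraq: it parses constructed NetFlow/IPFIX-style flow records, learns a short per-destination baseline, flags seconds in which a destination suddenly sees an order of magnitude more distinct sources or packets than normal, and collapses those alerts into a single "divert to scrubber" decision. The CSV field layout, the thresholds (10× baseline, 5-second warm-up), the SYN-only heuristic and the `divert_to_scrubber` action name are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class FlowRecord:
    """One exported flow, reduced to the NetFlow/IPFIX fields this example needs."""
    ts: int          # export timestamp, whole seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: int       # 6 = TCP, 17 = UDP
    flags: str       # cumulative TCP flags seen in the flow, e.g. "S", "SA", "SAF"
    packets: int
    octets: int


def parse_flow(line: str) -> FlowRecord:
    """Parse one CSV flow line (assumed layout); reject malformed input rather than guess."""
    f = line.strip().split(",")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return FlowRecord(int(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                      int(f[5]), f[6], int(f[7]), int(f[8]))


def is_syn_only(flow: FlowRecord) -> bool:
    # SYN seen but never an ACK: a half-open handshake, the shape of a SYN flood.
    return flow.proto == 6 and "S" in flow.flags and "A" not in flow.flags


def bucket_per_second(records):
    """Aggregate flows into per-(second, destination) counters."""
    buckets = defaultdict(lambda: {"packets": 0, "flows": 0, "syn_only": 0, "srcs": set()})
    for r in records:
        b = buckets[(r.ts, r.dst)]
        b["packets"] += r.packets
        b["flows"] += 1
        b["syn_only"] += is_syn_only(r)
        b["srcs"].add(r.src)
    return buckets


def detect(records, warmup_seconds=5, src_factor=10.0, pkt_factor=10.0):
    """Flag seconds in which a destination sees far more distinct sources or
    packets than its own warm-up baseline. No signatures, no source reputation:
    only the traffic shape. Returns alerts in time order."""
    buckets = bucket_per_second(records)
    seconds = sorted({ts for ts, _ in buckets})
    warm = set(seconds[:warmup_seconds])
    baseline = defaultdict(lambda: {"srcs": [], "packets": []})
    for (ts, dst), b in buckets.items():
        if ts in warm:
            baseline[dst]["srcs"].append(len(b["srcs"]))
            baseline[dst]["packets"].append(b["packets"])
    alerts = []
    for (ts, dst), b in sorted(buckets.items()):
        if ts in warm or dst not in baseline:
            continue  # assumption: destinations with no baseline yet are not judged
        n_srcs = len(b["srcs"])
        if (n_srcs >= src_factor * mean(baseline[dst]["srcs"])
                or b["packets"] >= pkt_factor * mean(baseline[dst]["packets"])):
            alerts.append({"ts": ts, "dst": dst, "distinct_sources": n_srcs,
                           "packets": b["packets"],
                           "syn_only_ratio": round(b["syn_only"] / b["flows"], 3)})
    return alerts


def plan_mitigation(alerts):
    """Collapse per-second alerts into one divert decision per destination so the
    scrubber is engaged once, not re-triggered every second of the attack."""
    plan = {}
    for a in alerts:
        if a["dst"] not in plan:
            plan[a["dst"]] = {"dst": a["dst"], "first_seen": a["ts"],
                              "action": "divert_to_scrubber",  # hypothetical hook name
                              "kind": "syn_flood" if a["syn_only_ratio"] > 0.8 else "volumetric"}
    return list(plan.values())


def constructed_sample():
    """Constructed flow lines: 13 s of normal traffic, with a SYN flood in the last 3 s."""
    lines = []
    for ts in range(1000, 1013):
        for i in range(5):   # five legitimate clients completing handshakes
            lines.append(f"{ts},10.1.1.{i + 1},{51000 + i},203.0.113.10,443,6,SAF,{30 + i},{40000 + 1000 * i}")
        lines.append(f"{ts},10.1.2.9,52000,203.0.113.20,80,6,SAF,12,9000")  # unrelated host, stays quiet
    for ts in range(1010, 1013):
        for i in range(400):  # 400 distinct sources, one SYN each, never an ACK
            lines.append(f"{ts},198.51.{100 + i // 200}.{i % 200 + 1},{1024 + i},203.0.113.10,443,6,S,1,60")
    return lines


if __name__ == "__main__":
    recs = [parse_flow(line) for line in constructed_sample()]
    alerts = detect(recs)
    for a in alerts:
        print(a)
    print(plan_mitigation(alerts))
```

Run as a script it prints three alerts for 203.0.113.10 (seconds 1010 to 1012, 405 distinct sources each, SYN-only ratio about 0.99) and one mitigation decision; the second destination never crosses its baseline. The design point is the one the article makes: the decision rests on flow shape relative to the destination's own history, so it fires within the first second of the flood, and the mitigation step is deduplicated so a scrubber or ISP diversion is engaged once and left in place.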

The DDoS problem isn’t going away any time soon – in fact all signs point to increasing risk in the foreseeable future. In order to be in the best position to defend against DDoS, companies need to protect against the wide range of exploitable vulnerabilities and to have the tools to detect and react to attacks quickly and effectively, without affecting normal business operations.

[Read part one of the series: Ultimate Guide to DDoS Protection: DDoS is a Business Problem]

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.

Kaiying Fu (User Rank: Author), 10/11/2016 3:28:43 AM
Re: Most efficient
I completely agree, the scrubbing of traffic needs to be automated. There are a ton of other fixes people have that are inadequate when you think about how web attacks are often delivered in a cocktail. Moving away from shared hosting, trying their hands at iptables scripting, CDN load balancing, and as the author has pointed out, flow monitoring. These are all great to avoid downtime, but what about data theft and malware introduced through secondary attacks?

If automated traffic scrubbing is the most efficient in successful DDoS mitigation, and the problem is cost, we need innovation in how such services are provided. Yes it has traditionally been very costly. Depending on your business's needs however, paid protection could be more affordable if the price model switched from per feature pricing to traffic-based pricing.
User Rank: Ninja, 5/31/2016 10:48:18 AM
Most efficient
"Mitigation: Your detection solution needs to be able to trigger automated mitigation, directing traffic to a scrubber appliance or service."

I have found this to be the most efficient means of mitigating a ddos attack. Unfortunately it is also the most costly. Another method is utilizing your ISP at the top of the pipe but again depending on how large the attack it may not be sufficient.
User Rank: Ninja, 5/31/2016 8:13:58 AM
More work to do
It is good to see that there are legitimate strategies in place for organisations in dealing with DDOS attacks these days, but I feel like a lot more needs to be done. It's still far too common to try and use monstrous sites and services and to find them unusable because of a dedicated attack.