Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

5/30/2016 12:00 PM
Vincent Berk
Commentary

Ultimate Guide To DDoS Protection: Strategies And Best Practices

To be in the best position to defend against DDoS, companies need to protect against a range of exploitable vulnerabilities -- and have the tools to detect and react to attacks.

Part two of a two-part series on DDoS attacks and prevention.

The unfortunate truth is that there is no way to make your network bullet-proof against DDoS attacks. But there are a number of things you can do to minimize your exposure and maximize your defenses.

1. Security-Smart Configurations and Settings

Understanding the different ways that attackers abuse systems in DDoS campaigns is critical to ensuring that every network device and application is configured to minimize its exposure: disable services and protocols you don't need, and don't leave Internet-facing services that answer unauthenticated requests with large responses (open DNS resolvers, for example) reachable from the whole world.

2. Stay Current with Patches and Updates

When a new vulnerability is disclosed, vendors work as quickly as possible to develop and issue a patch or update that closes the security hole. But the existence of the fix isn't enough to protect you; you need to deploy it on your own systems. The longer the lag between the availability of an update and its application on your network, the longer you remain exposed to attack through that particular vector.

3. Train Your End Users

In addition to protecting your own organization from being hit by a DDoS attack, you also want to make sure that none of your systems are used as intermediaries or amplifiers in attacks on other networks. One way attackers build a botnet of such helper hosts is by infecting them with Trojans. Alongside the technical controls that keep malware out, it's critical to train end users to recognize suspicious links and attachments.

4. Monitor Network Flows

Network flows provide up-to-the-minute information about the communications taking place on the network: who is sending how much data to whom, and how and when. A flow record carries source and destination IP addresses, ports and protocol, the exporting device, timestamps, and usually VLAN, TCP flags, and packet and byte counts. This data is widely available from routers, switches, firewalls, load balancers, and hypervisors, and as software agents for individual hosts. With records streaming in from multiple exporters, a central collector gets an excellent view of the network, including both traffic crossing the perimeter and purely internal traffic. By analyzing flow data (NetFlow, J-Flow, Cflowd, IPFIX, or sFlow), network and security operations personnel can flag anomalies and identify suspicious behavior, including reconnaissance, botnet command-and-control, and DDoS attacks. Sampled exports such as sFlow or sampled NetFlow are adequate for this purpose: a volumetric attack is by definition large enough to show up clearly in a sample. Flow analysis is an important component of any organization's security strategy.

Parsing DDoS Solutions

There are a number of solutions on the market to help organizations protect and defend themselves against DDoS attacks. It’s important to understand that these solutions fall broadly into two distinct categories: detection and mitigation.

Detection: You want to make sure that all of your systems, including firewalls, IDS/IPS, and so on, are configured to minimize exposure to DDoS attacks. But the fact is that many of these security tools simply aren't the best fit for this particular attack method. Because DDoS traffic is typically spoofed, or originates from thousands of hosts that each look legitimate on their own, you can't rely on signatures or source details to identify an attack in progress. Nor can you afford to wait until the traffic reaches critical mass and availability suffers; by then mitigation is already late. That's why a flow-based solution that compares current traffic against the network's normal baseline and can detect an attack within seconds of its onset is vital.
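As an added example (not code from the article or from FlowTraq), here is the kind of flow analysis the "Monitor Network Flows" section and the Detection paragraph above describe, written in Python over a constructed flow export. It aggregates records per destination and second, compares the packet rate against that destination's own baseline so a volumetric or SYN flood is flagged in the second it starts, and separately spots one of our own UDP services sending nearly all of its output to a single external host, which is the pattern of being used as an amplifier against someone else (section 3). The record layout, the address ranges, every threshold and all of the sample traffic are assumptions made for the example.

```python
"""Flow-based DDoS detection over a constructed flow export.

Added example, not code from the article or from FlowTraq. The record format,
addresses, thresholds and the sample traffic are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import statistics

# Assumptions: our own address space, and UDP services commonly abused as reflectors.
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")
AMP_PORTS = {19, 53, 123, 1900, 11211}
WEB, RESOLVER, VICTIM = "203.0.113.5", "203.0.113.53", "192.0.2.9"


@dataclass(frozen=True)
class Flow:
    """One exported flow record (the fields NetFlow/IPFIX exporters commonly carry)."""
    ts: int        # export time, whole seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: str     # cumulative TCP flags, e.g. "S" for a bare SYN; "" for UDP


def build_sample_flows():
    """Constructed sample: 5 s of normal traffic, a SYN flood at t=5, and our
    resolver reflecting large DNS answers at one external victim from t=5 to t=7."""
    flows = []
    for ts in range(5):
        for i, (pkts, byts) in enumerate([(12, 9000), (10, 8000), (15, 12000)]):
            flows.append(Flow(ts, f"198.51.100.{10 + i}", WEB, "tcp", 51000 + i, 443, pkts, byts, "SA"))
        flows.append(Flow(ts, RESOLVER, f"198.51.100.{20 + ts}", "udp", 53, 40000 + ts, 1, 200, ""))
    for i in range(500):  # 500 spoofed sources, one bare SYN each, all within one second
        flows.append(Flow(5, f"198.18.{i // 256}.{i % 256}", WEB, "tcp", 1024 + i, 443, 1, 60, "S"))
    for ts in range(5, 8):  # 200 answers of 3 kB per second aimed at the victim
        flows.append(Flow(ts, RESOLVER, VICTIM, "udp", 53, 33000 + ts, 200, 600_000, ""))
    return flows


def per_second_buckets(flows):
    """Aggregate packets, distinct sources, flows and bare-SYN flows per (dst, second)."""
    buckets = defaultdict(lambda: {"pkts": 0, "srcs": set(), "flows": 0, "syn_only": 0})
    for f in flows:
        b = buckets[(f.dst, f.ts)]
        b["pkts"] += f.packets
        b["srcs"].add(f.src)
        b["flows"] += 1
        if f.proto == "tcp" and f.flags == "S":
            b["syn_only"] += 1
    return buckets


def detect_floods(flows, baseline_end, factor=10, floor_pps=200, min_srcs=50):
    """Flag (second, dst) where the packet rate exceeds factor x that destination's
    median baseline rate (and an absolute floor) and comes from many distinct sources.
    Seconds before baseline_end are treated as the learning period."""
    buckets = per_second_buckets(flows)
    baseline = defaultdict(list)
    for (dst, ts), b in buckets.items():
        if ts < baseline_end:
            baseline[dst].append(b["pkts"])
    alerts = []
    for (dst, ts), b in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if ts < baseline_end:
            continue
        base = statistics.median(baseline[dst]) if baseline[dst] else 0
        if b["pkts"] > max(factor * base, floor_pps) and len(b["srcs"]) >= min_srcs:
            kind = "syn_flood" if b["syn_only"] / b["flows"] > 0.9 else "volumetric"
            alerts.append((ts, dst, kind, b["pkts"], len(b["srcs"])))
    return alerts


def detect_reflection(flows, share=0.8, min_bytes=100_000):
    """Flag a local UDP service that sends most of its outbound bytes to one external
    address: the signature of our own host being used as an amplifier against it."""
    out_bytes = defaultdict(lambda: defaultdict(int))  # (src, sport) -> dst -> bytes
    for f in flows:
        if f.proto != "udp" or f.sport not in AMP_PORTS:
            continue
        if ipaddress.ip_address(f.src) in LOCAL_NET and ipaddress.ip_address(f.dst) not in LOCAL_NET:
            out_bytes[(f.src, f.sport)][f.dst] += f.bytes
    alerts = []
    for (src, sport), dsts in out_bytes.items():
        total = sum(dsts.values())
        top_dst, top_bytes = max(dsts.items(), key=lambda kv: kv[1])
        if total >= min_bytes and top_bytes / total >= share:
            alerts.append((src, sport, top_dst, top_bytes))
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    for a in detect_floods(sample, baseline_end=5):
        print("FLOOD    t=%d dst=%s kind=%s pps=%d sources=%d" % a)
    for a in detect_reflection(sample):
        print("REFLECT  src=%s:%d -> %s bytes=%d" % a)
```

The flood rule deliberately requires both a rate jump relative to the destination's own history and a large number of distinct sources; the first condition is what lets it fire within a second rather than waiting for link saturation, and the second is what separates a distributed attack from one busy client. The reflection rule looks at our hosts as senders, which is the check section 3 asks for: a resolver answering real clients spreads its output across many destinations, while a resolver being abused pours almost everything at one victim.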

Mitigation: Your detection solution needs to be able to trigger automated mitigation, redirecting traffic to a scrubbing appliance or service (commonly by announcing the affected prefix via BGP so that the scrubbing center receives the traffic first). In addition to absorbing the volume of traffic that today's DDoS attacks create, the mitigation solution also has to filter out the bad traffic while returning legitimate traffic to the network so that normal business operations continue. Automation matters because every minute between detection and diversion is a minute the service is down.

The DDoS problem isn't going away any time soon; in fact, all signs point to increasing risk in the foreseeable future. To be in the best position to defend against DDoS, companies need to protect against the wide range of exploitable vulnerabilities and have the tools to detect and react to attacks quickly and effectively, without affecting normal business operations.

[Read part one of the series: Ultimate Guide to DDoS Protection: DDoS is a Business Problem]

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.
Comments
Kaiying Fu (User Rank: Author)
10/11/2016 | 3:28:43 AM
Re: Most efficient
I completely agree, the scrubbing of traffic needs to be automated. There are a ton of other fixes people have that are inadequate when you think about how web attacks are often delivered in a cocktail. Moving away from shared hosting, trying their hands at iptables scripting, CDN load balancing, and as the author has pointed out, flow monitoring. These are all great to avoid downtime, but what about data theft and malware introduced through secondary attacks?

If automated traffic scrubbing is the most efficient in successful DDoS mitigation, and the problem is cost, we need innovation in how such services are provided. Yes it has traditionally been very costly. Depending on your business's needs however, paid protection could be more affordable if the price model switched from per feature pricing to traffic-based pricing.
RyanSepe (User Rank: Ninja)
5/31/2016 | 10:48:18 AM
Most efficient
"Mitigation: Your detection solution needs to be able to trigger automated mitigation, directing traffic to a scrubber appliance or service."

I have found this to be the most efficient means of mitigating a DDoS attack. Unfortunately it is also the most costly. Another method is utilizing your ISP at the top of the pipe, but again, depending on how large the attack is, it may not be sufficient.
Whoopty (User Rank: Ninja)
5/31/2016 | 8:13:58 AM
More work to do
It is good to see that there are legitimate strategies in place for organisations in dealing with DDoS attacks these days, but I feel like a lot more needs to be done. It's still far too common to try to use monstrous sites and services and to find them unusable because of a dedicated attack.
