
Attacks/Breaches

5/30/2016
12:00 PM
Vincent Berk
Commentary

Ultimate Guide To DDoS Protection: Strategies And Best Practices

To be in the best position to defend against DDoS, companies need to protect against a range of exploitable vulnerabilities -- and have the tools to detect and react to attacks.

Part two of a two-part series on DDoS attacks and prevention.

The unfortunate truth is that there is no way to bullet-proof your network to completely prevent DDoS attacks. But there are a number of things that you can do to minimize your exposure and maximize your defenses. 

1. Security-Smart Configurations and Settings

Understanding the different ways that attackers exploit systems is critical to ensure that all of your network systems and applications are configured to minimize vulnerabilities.

2. Stay Current with Patches and Updates

When a zero-day vulnerability is identified, vendors work as quickly as possible to develop and issue a patch or update to close the security hole. But the existence of the fix isn’t enough to protect you – you need to deploy it within your own network. The longer the lag time between the availability of the update and its application in your systems, the more vulnerable you are to attack via that particular vector.

3. Train Your End Users

In addition to protecting your organization from being hit by a DDoS attack, you also want to make sure that none of your systems are used as intermediaries or amplifiers for attacks on other networks. One way that perpetrators gain control of helper computers is to infect them with Trojans. In addition to technical solutions to prevent malware from coming into the system, it’s critical to train end users to recognize suspicious links.

4. Monitor Network Flows

Network flows provide up-to-the-minute information about the communications taking place on the network, including who’s sending how much data to whom, as well as how and when: IP addresses, port and protocol, exporting device, timestamps, plus VLAN, TCP flags, etc. This data is widely available from devices like routers, switches, firewalls, load balancers, hypervisors, and even as software to install on individual hosts. With data streaming in from multiple sources, a central location can get an excellent view of the network, including cross-border and purely internal traffic. By analyzing flow data – NetFlow, Jflow, Cflow, IPFIX, or sFlow – network and security operations personnel can flag anomalies and identify suspicious behavior, including reconnaissance, botnets, and DDoS attacks. In fact, flow analysis is an important component of any organization’s security strategy.

Parsing DDoS Solutions

There are a number of solutions on the market to help organizations protect and defend themselves against DDoS attacks. It’s important to understand that these solutions fall broadly into two distinct categories: detection and mitigation.

Detection: You want to make sure that all of your systems, including firewalls, IDS/IPS, etc., are configured to minimize exposure to DDoS attacks. But the fact is that many of these security tools simply aren’t the best solutions for this particular attack method. Because of the nature of DDoS traffic, you can’t rely on signatures or source details to identify an in-progress attack. Nor can you afford to wait until the traffic starts hitting critical mass – and affecting availability. That’s why having a flow-based solution that can detect an attack within seconds is vital.
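As an added illustration of the flow analysis described under "Monitor Network Flows" and the flow-based detection called for above (example code written for this page, not the article's or FlowTraq's own), the script below buckets constructed NetFlow-style records per destination and one-second window, then flags a window whose packet count jumps far above that host's recent median or whose flows are overwhelmingly SYN-only from many distinct sources. The thresholds, the server 172.16.0.10 and the 198.51.100.0/24 source addresses are assumed sample values.

```python
from collections import defaultdict
from statistics import median

# Constructed NetFlow/IPFIX-style records with the fields the article lists:
# (timestamp_s, src_ip, dst_ip, dst_port, proto, tcp_flags, packets, bytes);
# tcp_flags uses the standard bits (SYN=0x02, ACK=0x10). Sample hosts only.
SAMPLE_FLOWS = [
    (0, "10.1.1.5", "172.16.0.10", 443, "tcp", 0x1a, 40, 52000),  # normal
    (1, "10.1.1.6", "172.16.0.10", 443, "tcp", 0x1a, 35, 47000),
    (2, "10.1.1.7", "172.16.0.10", 80, "tcp", 0x1a, 28, 31000),
    (3, "10.1.1.5", "172.16.0.10", 443, "tcp", 0x1a, 42, 55000),
    (4, "10.1.1.8", "172.16.0.10", 443, "tcp", 0x1a, 30, 39000),
] + [  # second 5: 200 SYN-only flows from 200 distinct sources (flood)
    (5, f"198.51.100.{i}", "172.16.0.10", 443, "tcp", 0x02, 3, 180)
    for i in range(1, 201)
]

def aggregate(flows, window=1):
    """Bucket records per (window, dst): packets, bytes, flows, sources, SYN-only flows."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0,
                                 "syn_only": 0, "sources": set()})
    for ts, src, dst, _dport, proto, flags, pkts, nbytes in flows:
        b = stats[(ts // window, dst)]
        b["packets"] += pkts
        b["bytes"] += nbytes
        b["flows"] += 1
        b["sources"].add(src)
        if proto == "tcp" and flags & 0x02 and not flags & 0x10:
            b["syn_only"] += 1  # SYN without ACK: half-open attempt
    return stats

def detect(flows, window=1, baseline=5, pkt_factor=5.0,
           min_sources=50, syn_ratio=0.8):
    """Alert on buckets far above the host's recent packet-count median, or
    dominated by SYN-only flows from many distinct sources."""
    stats, history, alerts = aggregate(flows, window), defaultdict(list), []
    for w, dst in sorted(stats):
        b, reasons = stats[(w, dst)], []
        base = history[dst][-baseline:]  # earlier windows for this host
        if len(base) >= 3 and b["packets"] > pkt_factor * median(base):
            reasons.append(f"{b['packets']} pkts vs baseline median {median(base):g}")
        if (b["flows"] >= min_sources and len(b["sources"]) >= min_sources
                and b["syn_only"] / b["flows"] >= syn_ratio):
            reasons.append(f"{b['syn_only']}/{b['flows']} SYN-only flows "
                           f"from {len(b['sources'])} sources")
        if reasons:
            alerts.append({"window": w, "dst": dst, "reasons": reasons})
        history[dst].append(b["packets"])  # grow the baseline after scoring
    return alerts
```

On the sample data the five quiet seconds build the baseline and second 5 raises one alert for 172.16.0.10 with both reasons; in practice the same logic would consume a live exporter stream rather than a list.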

Mitigation: Your detection solution needs to be able to trigger automated mitigation, directing traffic to a scrubber appliance or service. In addition to handling the volume of traffic that today’s DDoS attacks create, mitigation solutions also need to be able to filter out the bad traffic while allowing legitimate traffic back on the network to maintain normal business operations.

The DDoS problem isn’t going away any time soon – in fact all signs point to increasing risk in the foreseeable future. In order to be in the best position to defend against DDoS, companies need to protect against the wide range of exploitable vulnerabilities and to have the tools to detect and react to attacks quickly and effectively, without affecting normal business operations.

[Read part one of the series: Ultimate Guide to DDoS Protection: DDoS is a Business Problem]

Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.
Comments
Kaiying Fu, User Rank: Author
10/11/2016 | 3:28:43 AM
Re: Most efficient
I completely agree, the scrubbing of traffic needs to be automated. There are a ton of other fixes people have that are inadequate when you think about how web attacks are often delivered in a cocktail. Moving away from shared hosting, trying their hands at iptables scripting, CDN load balancing, and as the author has pointed out, flow monitoring. These are all great to avoid downtime, but what about data theft and malware introduced through secondary attacks?

If automated traffic scrubbing is the most efficient in successful DDoS mitigation, and the problem is cost, we need innovation in how such services are provided. Yes, it has traditionally been very costly. Depending on your business's needs, however, paid protection could be more affordable if the price model switched from per-feature pricing to traffic-based pricing.
RyanSepe, User Rank: Ninja
5/31/2016 | 10:48:18 AM
Most efficient
"Mitigation: Your detection solution needs to be able to trigger automated mitigation, directing traffic to a scrubber appliance or service."

I have found this to be the most efficient means of mitigating a DDoS attack. Unfortunately, it is also the most costly. Another method is utilizing your ISP at the top of the pipe, but again, depending on how large the attack is, it may not be sufficient.
Whoopty, User Rank: Ninja
5/31/2016 | 8:13:58 AM
More work to do
It is good to see that there are legitimate strategies in place for organisations in dealing with DDoS attacks these days, but I feel like a lot more needs to be done. It's still far too common to try and use monstrous sites and services and to find them unusable because of a dedicated attack.
