DDoS (Distributed Denial of Service) attacks have been around for decades. Sadly, they show no signs of going away. Worse, their consequences are becoming more serious as businesses grow increasingly dependent on online services.
This means that DDoS attack mitigation is a vital part of cybersecurity. Here is a quick guide to what you need to consider when implementing it.
To understand the basics of DDoS attack mitigation, you first need to understand the basics of DDoS. Modern DDoS attacks are generally based on a combination of power and strategy.
The power often comes from botnets. These are groups of devices controlled by a single attacker, often without their owners' knowledge. Botnets used for small-scale DDoS attacks (e.g. on SMBs) may contain several hundred devices. Botnets used for larger DDoS attacks (e.g. on enterprises) may contain several million.
The strategy comes from the attackers. Essentially, they need to figure out the weaknesses of a network and use the most appropriate method to exploit them. If they cannot get any information on a network, they can use statistics to guide their attacks.
Likewise, however, businesses can use statistics gained from DDoS attacks in general to guide their DDoS attack mitigation strategies. In fact, businesses need to do exactly that as DDoS attack strategies are continually developing.
Most DDoS attacks are carried out at layers 3 (network) and 4 (transport) of the OSI 7-layer model. Attacks at layers 6 (presentation) and 7 (application) are less common but still a real threat.
Attacks at layers 3 and 4 are generally known as infrastructure attacks. Attacks at layers 6 and 7 are generally known as application attacks. An effective DDoS attack mitigation strategy has to protect against both types of attack.
A WAF (web application firewall) can do a lot to protect your network against application-level DDoS attacks. WAFs perform essentially the same function as regular firewalls. There are, however, three important differences between WAFs and standard firewalls.
The first is that WAFs are application-layer defenses whereas regular firewalls are infrastructure-layer defenses. The second is that WAFs sit well inside the network whereas regular firewalls sit at its external boundary. The third is that WAFs assess the behavior of traffic whereas firewalls assess its characteristics.
Content delivery networks (CDNs) are exactly what their name suggests. They are distributed networks of servers used to host content as close as possible to its user base. From a DDoS attack mitigation perspective, they should ideally be located near large internet exchanges.
In business-as-usual situations, content delivery networks allow for faster delivery of content. This is because distances matter, even in cyberspace. In the event of a DDoS attack, using a CDN brings two benefits.
Firstly, the distributed nature of CDNs makes it much harder for attackers to cripple them completely. They may bring down one part of the network or slow down all of it. They are, however, very unlikely to bring it all down.
Secondly, the CDN essentially acts as a shield to protect resources closer to the inside of the network. It can therefore help to hold DDoS attackers at bay until you are ready to deal with them.
At a minimum, you need a robust array of firewalls, load balancers, and intrusion prevention systems (IPS). These should all operate on a zero-trust basis. In other words, traffic should have to demonstrate clearly that it is safe before it is allowed through.
To make this work in practice, you may need to implement blackholing. This means diverting questionable traffic into a black hole for further analysis. If it is proven safe, it can be sent back on its way. If it’s not, it will be discarded.
Blackholing will, of course, delay some legitimate traffic. If, however, you manage your security settings carefully, the disruption should be minimal. Overall, it will be a small price to pay for the extra security.
Network security and traffic management are effectively two sides of the same coin. The better you understand and manage your legitimate traffic, the more easily you can spot malicious traffic.
On the flip side, the measures you take in the context of DDoS attack mitigation can also prove useful for managing your own network. For example, traffic-shaping and rate-limiting can also be applied if internal demand peaks unexpectedly.
There are now all kinds of dedicated DDoS attack mitigation solutions available. These include software solutions, cloud solutions, and third-party-run scrubbing centers. They can all play a role in both cleaning up malicious traffic and identifying its sources. That being so, it can be advisable to sign up for more than one solution for maximum protection.
Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.