Architecture. To fortify resources against a DDoS attack, it is important to make the architecture as resilient as possible. Fortifying network architecture is an important step not just in DDoS network defense, but in ensuring business continuity and protection from any kind of outage or disaster situation.The following steps will help disperse organizational assets as to avoid presenting a single rich target to an attacker:
- Locate servers in different data centers.
- Ensure that data centers are located on different networks.
- Ensure that data centers have diverse paths.
- Ensure that the data centers, or the networks that the data centers are connected to, have no notable bottlenecks or single points of failure.
Hardware. Deploy appropriate hardware that can handle known attack types and use the options that are in the hardware that would protect network resources. Again, while bolstering resources will not prevent a DDoS attack from happening, doing so will lessen the impact of an attack.
Bandwidth. If affordable, scale up network bandwidth. For volumetric attacks, the solution some organizations have adopted is simply to scale bandwidth up to be able to absorb a large volume of traffic if necessary. That said, volumetric attacks are something of an arms race, and many organizations won’t be able or willing to pay for the network bandwidth needed to handle some of the very large attacks we have recently seen. This is primarily an option for very large organizations and service providers.
Outsourcing. There are several large providers that specialize in scaling infrastructure to respond to attacks. These providers can implement cloud scrubbing services for attack traffic to remove the majority of the problematic traffic before it ever hits a victim’s network. As with many of these remedies, the best time to fortify your defenses is not in the wake of an attack, but rather beforehand to ensure a quick and effective response.