DDoS: 4 Best Practices for Prevention and Response

Defending Against DDoS Attacks
Generally speaking, organizations should start planning for DDoS attacks in advance. It is much harder to respond after an attack is already under way. While DDoS attacks can’t be prevented, steps can be taken to make it harder for an attacker to render a network unresponsive.
1. Architecture. To fortify resources against a DDoS attack, it is important to make the architecture as resilient as possible. Fortifying network architecture is an important step not just in DDoS network defense, but in ensuring business continuity and protection from any kind of outage or disaster situation. The following steps will help disperse organizational assets so as to avoid presenting a single rich target to an attacker:
  • Locate servers in different data centers.
  • Ensure that data centers are located on different networks.
  • Ensure that data centers have diverse paths.
  • Ensure that the data centers, or the networks that the data centers are connected to, have no notable bottlenecks or single points of failure.
For an organization that depends on servers and Internet presence, it is important to make sure that resources are geographically dispersed and not located in a single data center.
If resources are already geographically dispersed, it is important to check that each data center has more than one pipe to the Internet, and to ensure that not all data centers are connected to the same Internet provider.
Overall, priorities for architecture should be geographic diversity, provider diversity, and elimination of bottlenecks. While these are best practices for general business continuity and disaster recovery, they will help ensure organizational resiliency in response to a DDoS attack.
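The dispersal steps above can be checked mechanically against an inventory. The following is an added example, not part of the original article: the Site record, the audit function, the peak_gbps parameter and both sample inventories are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    name: str
    region: str
    uplinks: tuple  # ((provider, capacity_gbps), ...)

def providers_of(site):
    return {p for p, _ in site.uplinks}

def capacity_without(sites, provider):
    """Total uplink capacity (Gbps) left if one provider is saturated or down."""
    return sum(c for s in sites for p, c in s.uplinks if p != provider)

def audit(sites, peak_gbps):
    """Check an inventory against the dispersal steps; return a list of findings."""
    findings = []
    if len(sites) < 2:
        findings.append("servers sit in a single data center")
    if len({s.region for s in sites}) < 2:
        findings.append("data centers are not geographically dispersed")
    for s in sites:
        if len(providers_of(s)) < 2:
            findings.append(f"{s.name}: only one pipe/provider, no diverse path")
    if sites:
        for p in sorted(set.intersection(*map(providers_of, sites))):
            findings.append(f"all data centers are connected to {p}")
    for p in sorted(set().union(*map(providers_of, sites))):
        if capacity_without(sites, p) < peak_gbps:
            findings.append(f"bottleneck: losing {p} leaves under {peak_gbps} Gbps")
    return findings

# Constructed sample inventories (names, providers and capacities are made up).
WEAK = [
    Site("dc1", "us-east", (("ISP-A", 10),)),
    Site("dc2", "us-east", (("ISP-A", 10),)),
]
STRONG = [
    Site("dc1", "us-east", (("ISP-A", 10), ("ISP-B", 10))),
    Site("dc2", "eu-west", (("ISP-B", 10), ("ISP-C", 10))),
    Site("dc3", "ap-south", (("ISP-C", 10), ("ISP-A", 10))),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(inventory, peak_gbps=15) or "no findings")
```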
2. Hardware. Deploy appropriate hardware that can handle known attack types, and use the options built into that hardware to protect network resources. Again, while bolstering resources will not prevent a DDoS attack from happening, doing so will lessen the impact of an attack.
In particular, certain types of DDoS attacks have been in existence for quite some time, and a lot of network and security hardware is capable of mitigating them. For example, many commercially available network firewalls, web application firewalls, and load balancers can defend against layer 4 attacks (also known as protocol attacks) and application-layer attacks (such as Slowloris). Specialty DDoS mitigation appliances also can protect against these attacks.
Hardware upgrades are also effective against SYN flood attacks. Most modern hardware (network firewalls, web application firewalls, and load balancers) will generally have a setting that allows a network operator to start closing out TCP connections once they reach a certain threshold.
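To show what such a threshold setting does, here is a small model of a device's half-open connection table, added as an illustration and not taken from the original article or from any vendor's implementation. The class, the eviction policy (drop the oldest half-open entry) and the constructed traffic trace are assumptions.

```python
from collections import OrderedDict

class HalfOpenTable:
    """Model of a device's table of TCP handshakes awaiting the final ACK."""

    def __init__(self, threshold, timeout_ms):
        self.threshold = threshold      # max half-open entries kept
        self.timeout_ms = timeout_ms    # how long an entry may wait for its ACK
        self.pending = OrderedDict()    # (src_ip, src_port) -> SYN time, oldest first
        self.established = set()
        self.closed_out = 0             # half-open entries dropped by the device

    def _drop_oldest(self):
        self.pending.popitem(last=False)
        self.closed_out += 1

    def _expire(self, now_ms):
        while self.pending:
            oldest_seen = next(iter(self.pending.values()))
            if now_ms - oldest_seen < self.timeout_ms:
                break
            self._drop_oldest()

    def on_syn(self, key, now_ms):
        self._expire(now_ms)
        if key in self.pending or key in self.established:
            return
        if len(self.pending) >= self.threshold:
            self._drop_oldest()         # threshold reached: close out the oldest
        self.pending[key] = now_ms

    def on_ack(self, key, now_ms):
        self._expire(now_ms)
        if self.pending.pop(key, None) is not None:
            self.established.add(key)

def simulate(threshold, timeout_ms=5000, ticks=1000):
    """Constructed trace: one never-completed SYN per 10 ms tick, plus a
    client every 50 ticks that completes its handshake one tick later."""
    table, peak = HalfOpenTable(threshold, timeout_ms), 0
    for t in range(ticks):
        now = t * 10
        table.on_syn(("198.51.100.1", t), now)
        if t % 50 == 0:
            table.on_syn(("203.0.113.10", t), now)
        elif t % 50 == 1:
            table.on_ack(("203.0.113.10", t - 1), now)
        peak = max(peak, len(table.pending))
    return peak, len(table.established), table.closed_out
```

With a threshold of 100 the table never grows past 100 entries and all 20 clients in the trace still connect; relying on the timeout alone lets the table grow several times larger. A threshold set too low can also close out slow legitimate clients, so it should be tuned against normal handshake times.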
3. Bandwidth. If affordable, scale up network bandwidth. For volumetric attacks, the solution some organizations have adopted is simply to scale bandwidth up to be able to absorb a large volume of traffic if necessary. That said, volumetric attacks are something of an arms race, and many organizations won’t be able or willing to pay for the network bandwidth needed to handle some of the very large attacks we have recently seen. This is primarily an option for very large organizations and service providers.
In late September, the Krebs on Security blog was hit by an unusually large DDoS attack, double the size that had been previously seen by its hosting provider, according to a post on the site. A large part of the reason that the provider was able to hold off the attack for so long was the significant bandwidth available, which allowed the provider to absorb the attack while trying to mitigate it.
4. Outsourcing. There are several large providers that specialize in scaling infrastructure to respond to attacks. These providers can implement cloud scrubbing services for attack traffic to remove the majority of the problematic traffic before it ever hits a victim’s network. As with many of these remedies, the best time to fortify your defenses is not in the wake of an attack, but rather beforehand to ensure a quick and effective response.
An ISP can offer DDoS mitigation services that will help organizations respond in the wake of an attack. Even ISPs that don’t have a formal DDoS mitigation product should be able to specify the type of assistance they would provide to their customers in the event of a DDoS attack.
On a separate front, there are providers who specifically work in DDoS mitigation. During an attack, these services reroute traffic destined for the victim’s network to the mitigation center where it is scrubbed, and legitimate traffic is then forwarded to the organization. These DDoS mitigation providers have the type of scalable and dynamic load balancing available to respond to the unprecedented levels of traffic that often result from a DDoS attack.

© 2021 Synnect. All rights reserved.
