Problem solve Get help with specific problems with your technologies, process and projects.

Is it possible to prevent DDoS attacks?

A distributed denial-of-service (DDoS) attack can consume all your network bandwidth. Learn how to prevent a DDoS attack in this expert response.

I recently read that certain industries – including the one I work in – are more likely than others to be targeted...

by a DDoS attack. Can you give me some tips on how to prevent DDoS attacks?

Distributed denial-of-service (DDoS) attacks are an insidious foe to online retailers and others who depend upon the availability of their websites for critical business functions. For example, the damage caused by the DDoS attacks that Anonymous waged against several major sites this summer was measured in the thousands of dollars per hour. These attacks are also extremely difficult to defend against because of their distributed nature. It is difficult to differentiate legitimate Web traffic from requests that are part of the DDoS attack.

There are some countermeasures you can take to help prevent a successful DDoS attack. One of these is the implementation of intrusion prevention systems (IPSes) with DDoS detection capability, but the effectiveness of this approach is limited. Even the best IPS technology is only marginally effective against DDoS attacks, and it is often possible for those waging the attack to consume all available bandwidth into your network. Whether the attacker swamps your server or your Internet pipe, the effect is the same: Users are unable to access resources on your network.

The most effective (and it’s not all that effective!) way to defend your network against DDoS activity is to partner with your Internet service provider (ISP) to provide clean bandwidth to your network. ISPs are, without a doubt, the experts in DDoS mitigation and are uniquely positioned to protect their customers' network against malicious traffic. ISPs can detect and filter out potential DDoS packets before they reach your border, preventing such attacks from consuming all of your available bandwidth.

Unfortunately, while ISP partnerships are effective, there is no silver bullet for guarding against DDoS attacks. That’s the reason we continue to see news stories about hacker groups successfully waging these attacks against major online sites. If a foolproof mitigation strategy existed, these sites would certainly deploy it!

Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

This was last published in March 2012

Dig Deeper on DDoS attack detection and prevention



Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation


Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Nice article. I was thinking we could join our knowledge to help our users better understand ddos mitigation.


Hrms, not quite what I was expecting.  I know one tactic that some companies may use involves setting a honeypot, that they can then use deep packet inspection on to identify real malicious attacks, and then funnel those types of attacks to one place, and hopefully removing that load from the rest of the network.

I wish I understood better how that worked at more than a theoretical level though.
As the article says, one cannot prevent the attacker from launching the attacks but can employ various measures to detect and filter them out.
I don't think you can really stop it. You can set up a diversion like the honeypot method mentioned above. I have heard some companies have had success with this method.