Distributed denial-of-service mitigation plans cannot be ignored as the frequency and complexity of these attacks threaten more organizations. Today’s DDoS attacks mix brute force floods with application-layer attacks to maximize damage and evade detection.
DDoS attacks that use thousands of compromised systems or Web services can cause tremendous damage to businesses in terms of costs and reputation, and denial of service is increasingly a component of advanced targeted assaults. The good news is that you have a lot of tools at your disposal to minimize the impact of these types of attacks on customers and revenues.
The starting point to DDoS mitigation is making sure you have defined incident response processes with clear responsibilities in place that require cooperation across multiple groups. DDoS defense planning calls for security teams to join forces with network operations staff, server administrators and desktop support personnel -- as well as legal counsel and public relations managers.
Once a DDoS incident response plan is in place, you can look for DDoS mitigation controls in four major areas, listed here in order of importance:
- Internet service providers. Most ISPs have “Clean Pipe” or DDoS mitigation services, usually at some uplift from standard bandwidth costs. ISP-based services will be effective enough for many small and medium-sized organizations, and meet their budgetary constraints. Don’t forget: cloud service providers and hosters are ISPs, too.
- DDoS as a service providers. If you have multiple ISPs, a third-party DDoS mitigation as a service provider may be a better option, although cloud-based services are usually more costly. By changing DNS or BGP routing to send attack traffic through the DDoS SaaS provider, you can filter attack traffic regardless of which ISP is delivering it to you.
- Dedicated DDoS mitigation appliances. You can deploy DDoS mitigation appliances at your Internet points of presence to protect servers and networks. However, brute force attacks may still consume all of your bandwidth – even if servers don’t crash, customers are still blocked from access.
- Infrastructure elements, such as load balancers, routers, switches and firewalls. Relying on your organization’s operational infrastructure to mitigate DDoS attacks is a losing strategy for all but the weakest attacks. However, these elements can play a role in a coordinated approach to DDoS mitigation.
Most organizations will need a mix of external services and on-premises DDoS mitigation capabilities. Perform a realistic assessment of your staff’s skill levels – if you have the IT security people in place to detect and analyze threats, start with on-premises DDoS mitigation and evolve your strategy to include external services. If you don’t have enough staff or the required skill sets, start with an external service and look at adding managed CPE (customer premises equipment) mitigation capabilities in the future.
Whatever architecture you end up choosing, test the DDoS mitigation controls at least twice per year. If you are using an external service provider, check the routing and DNS changes to make sure that traffic will flow to the external service without major disruption -- and that switching it back to direct routing works, as well. Network configurations and DNS routes are often changed during normal operations – you want to find that out before a real DDoS attack.
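The DNS side of that drill can be scripted. The check below is an added example, not code from the article or from any mitigation provider: it resolves a hostname and classifies the answers against the address ranges you expect in "protected" mode (records point at the scrubbing provider, as in the DNS redirection described for DDoS-as-a-service providers) and in "direct" mode (records point back at your own origin). The prefixes and canned answers are constructed placeholders; the hostname, the `lookup` hook and the mode names are this example's own conventions.

```python
"""Added example: verify a DNS cutover to (and back from) a DDoS scrubbing
service. Not from the original article; prefixes below are constructed
placeholders (documentation ranges), not any real provider's or origin's.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Sequence

# Constructed placeholder prefixes; replace with the ranges your scrubbing
# provider and your own origin actually announce.
SCRUBBING_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:1::/48")]
ORIGIN_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:2::/48")]


def _in_any(addr: str, prefixes: Iterable) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def classify_answers(answers: Sequence[str]) -> str:
    """Classify a set of DNS answers for one hostname.

    'protected':  every record points at the scrubbing provider.
    'direct':     every record points at the origin (bypass / switched-back mode).
    'mixed':      records of both kinds; a half-applied cutover that leaks traffic
                  straight to the origin for some clients.
    'unexpected': no records, or records outside both sets (stale or wrong entry).
    """
    if not answers:
        return "unexpected"
    scrub = sum(_in_any(a, SCRUBBING_PREFIXES) for a in answers)
    origin = sum(_in_any(a, ORIGIN_PREFIXES) for a in answers)
    if scrub == len(answers):
        return "protected"
    if origin == len(answers):
        return "direct"
    if scrub + origin == len(answers):
        return "mixed"
    return "unexpected"


def resolve(hostname: str) -> list:
    """Resolve all A/AAAA records with the system resolver (needs network)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def check_cutover(hostname: str, expected_mode: str,
                  lookup: Callable[[str], Iterable[str]] = resolve) -> dict:
    """Resolve hostname and compare the observed mode with the expected one.

    `lookup` is injectable so the same check runs against canned answers
    (as in the drill below) or against a specific external resolver.
    """
    answers = list(lookup(hostname))
    mode = classify_answers(answers)
    return {"host": hostname, "answers": answers, "mode": mode,
            "ok": mode == expected_mode}


def drill() -> list:
    """Offline walk-through of the two states you want to confirm before a real
    attack: cutover to the provider, then switch-back to direct routing. The
    answers are constructed; a real drill passes the default `resolve` lookup."""
    staged = {
        "cutover":  ["192.0.2.10", "192.0.2.11"],          # both records at provider
        "half":     ["192.0.2.10", "198.51.100.5"],        # one record forgotten
        "rollback": ["198.51.100.5"],                      # back to origin
    }
    return [
        check_cutover("www.example.test", "protected", lambda h: staged["cutover"]),
        check_cutover("www.example.test", "protected", lambda h: staged["half"]),
        check_cutover("www.example.test", "direct", lambda h: staged["rollback"]),
    ]


if __name__ == "__main__":
    for step in drill():
        print(step)
```

Run it with the default `resolve` lookup from a vantage point outside your own network; an internal resolver with split-horizon zones can return the origin address even when the public answer already points at the provider, which is exactly the drift the twice-yearly test is meant to catch.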
John Pescatore is director of emerging trends at SANS Institute. A former vice president and distinguished analyst at Gartner, Pescatore has over 30 years of experience in computer, network and information security. Prior to Gartner, he was senior consultant for Entrust Technologies and Trusted Information Systems and a security engineer for the U.S. Secret Service and the National Security Agency.