Okay, so if you’ve read Part 1 of this blog series, you now know what DDoS is (and if you don’t, you’re on the wrong site!). Now what? Well, now we start the phase of defending against these attacks. The first thing to look at is your own infrastructure: determine what tools you already have in your toolbox that might be able to defend against one.
- Do you have an IPS with DDoS signatures enabled?
- Is your router/firewall configured with rate limiting?
- Should you consider blocking certain countries on your edge?
- And many more…
There are many things that can be done with existing network equipment to protect against network layer attacks. If you know that your equipment can barely handle the current production load, then being hit with even a small DDoS is going to tip you over.
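To make the “rate limiting on your router/firewall” item concrete, here is an added example (not code from the original post) that simulates per-source token-bucket rate limiting, the same idea a firewall applies per client address, over a constructed connection log. The IP addresses, timestamps and the bucket parameters (10-connection burst, 5 connections/second sustained) are all made up for illustration.

```python
"""Per-source token-bucket rate limiter over a constructed connection log.

Added example, not from the original post: shows how per-source rate
limiting throttles one flooding address while ordinary clients, who stay
within the burst/sustained allowance, are never dropped.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `capacity` is the burst allowance, `refill_rate`
    the sustained rate (tokens per second). One token is spent per connection."""

    def __init__(self, capacity: float, refill_rate: float, now: float):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.tokens = capacity      # a new source starts with a full burst
        self.last = now             # time of the last refill

    def allow(self, now: float) -> bool:
        # Refill proportional to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source IP; unknown sources get a fresh bucket."""

    def __init__(self, capacity: float = 10, refill_rate: float = 5.0):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, src_ip: str, now: float) -> bool:
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_rate, now)
            self.buckets[src_ip] = bucket
        return bucket.allow(now)


def build_sample_log() -> list[tuple[float, str]]:
    """Constructed sample data: (timestamp_seconds, source_ip) pairs."""
    events = []
    # Two ordinary clients: one connection every 0.5 s for 10 s (20 each).
    for i in range(20):
        t = i * 0.5
        events.append((t, "198.51.100.10"))
        events.append((t + 0.1, "198.51.100.11"))
    # One flooding source: 200 connection attempts packed into one second.
    for i in range(200):
        events.append((2.0 + i * 0.005, "203.0.113.7"))
    events.sort()
    return events


def run_limiter(events, capacity: float = 10, refill_rate: float = 5.0) -> dict:
    """Replay the log through the limiter; return allowed/dropped counts per IP."""
    limiter = PerSourceLimiter(capacity, refill_rate)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for t, ip in events:
        outcome = "allowed" if limiter.check(ip, t) else "dropped"
        stats[ip][outcome] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in sorted(run_limiter(build_sample_log()).items()):
        print(f"{ip:15} allowed={counts['allowed']:4} dropped={counts['dropped']:4}")
```

With these constructed numbers the two ordinary clients keep all 20 connections each, while the flooding source gets its 10-connection burst plus roughly one second of refill (about 14 connections in total) and the remaining 186 attempts are dropped. The caveat the post hints at applies here too: a per-source limit only helps when the attack comes from few sources; a distributed flood spread thinly across thousands of addresses stays under each bucket’s allowance, which is why the upstream and scrubbing options below exist.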
From an application layer perspective, know where your weak points are. How many connections can your database hold without dying? Do you have the ability to fail over or cluster websites, DNS, etc. to push the load to other sites or distribute the traffic to where you want it?
Knowing what you currently have in your arsenal can really come in handy when you’re attacked later. Also, there are on-site (on-premises) devices that are strictly there to protect your network and applications against DDoS attacks. These watch the traffic coming into your network and start mitigating once bad traffic is identified. The problem here is what happens when the load is too much for that system, the routers or your internet connection? I’m glad you asked.
Some options to consider:
- Partner with Your ISP – Once you’ve done your due diligence on verifying what you own internally, it might be time to understand how third parties can extend this protection. If you can’t handle a DDoS with your current infrastructure it’s very important to reach out for help. One of the ways of doing this is partnering with your ISP and attempting to get assistance upstream from them. Since these attacks have to come over their network they sometimes have the capability to block certain IP addresses from ever hitting your network. This can become like playing whack-a-mole if it’s based solely off IP address, but it’s something to keep in your back pocket.
- Examine CDN Services – If you’re a large company and are using CDNs (Content Distribution Networks) to help get your site out to the world more quickly and efficiently, it might be worth taking a look at the services they offer. Since these services are built to serve whatever volume of requests is sent to them, they are often able to absorb simple DDoS attacks by design, but they don’t cover everything.
- Scrub Your Traffic – The last option is to partner with a scrubbing facility that allows you to route traffic over to them, either by DNS redirects or BGP changes. Doing this allows you to have your dirty DDoS traffic scrubbed clean by these partners, using a plethora of DDoS mitigation systems and techniques, before the clean and happy traffic is sent back to you. Many of these companies also offer monitoring of DDoS traffic that gives you early warning signs that something evil might be coming. This part of the service, whether owned by you or provided by a third party, is very important.
The last thing you want is to not know you were slowly being attacked until it’s too late. You’ll never get those 15 minutes back. Next we’ll examine some Do’s and Don’ts when it comes to securing your network from DDoS attacks.