To be in the best position to defend against DDoS, companies need to protect against a range of exploitable vulnerabilities — and have the tools to detect and react to attacks.
Part two of a two-part series on DDoS attacks and prevention.
The unfortunate truth is that there is no way to bullet-proof your network to completely prevent DDoS attacks. But there are a number of things that you can do to minimize your exposure and maximize your defenses.
1. Security-Smart Configurations and Settings
Understanding the different ways that attackers exploit systems is critical to ensuring that all of your network systems and applications are configured to minimize vulnerabilities.
2. Stay Current with Patches and Updates
When a zero-day vulnerability is identified, vendors work as quickly as possible to develop and issue a patch or update to close the security hole. But the existence of the fix isn’t enough to protect you – you need to deploy it within your own network. The longer the lag time between the availability of the update and its application in your systems, the more vulnerable you are to attack via that particular vector.
3. Train Your End Users
In addition to protecting your organization from being hit by a DDoS attack, you also want to make sure that none of your systems are used as intermediaries or amplifiers for attacks on other networks. One way that perpetrators gain control of helper computers is to infect them with Trojans. In addition to technical solutions to prevent malware from coming into the system, it’s critical to train end users to recognize suspicious links.
4. Monitor Network Flows
Network flows provide up-to-the-minute information about the communications taking place on the network, including who’s sending how much data to whom, as well as how and when: IP addresses, port and protocol, exporting device, timestamps, plus VLAN, TCP flags, etc. This data is widely available from devices like routers, switches, firewalls, load balancers, and hypervisors, and even from software installed on individual hosts. With data streaming in from multiple sources, a central location can get an excellent view of the network, including cross-border and purely internal traffic. By analyzing flow data – NetFlow, Jflow, Cflow, IPFIX, or sFlow – network and security operations personnel can flag anomalies and identify suspicious behavior, including reconnaissance, botnets, and DDoS attacks. In fact, flow analysis is an important component of any organization’s security strategy.
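To make the flow-analysis idea concrete, here is an added example (not code from the article or from any vendor product) that flags a destination whose per-window packet count jumps far above its own recent baseline, using traffic volume and source spread instead of signatures. The reduced record layout, the function names, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict

def detect_floods(flows, window=10, factor=5.0, alpha=0.3, floor=1000):
    """Return (window_start, dst, packets, distinct_sources) for each window in
    which a destination's packet count exceeds factor x its own EWMA baseline.

    flows: iterable of (ts, src_ip, dst_ip, packets) tuples, a reduced view of
    the fields a NetFlow/IPFIX/sFlow record carries. All thresholds are
    illustrative assumptions, not vendor defaults.
    """
    # Bucket packets and distinct sources per (window, destination).
    buckets = defaultdict(lambda: [0, set()])
    for ts, src, dst, packets in flows:
        b = buckets[(int(ts) // window * window, dst)]
        b[0] += packets
        b[1].add(src)

    baseline = {}  # dst -> EWMA of packets per window
    alerts = []
    for (start, dst), (packets, sources) in sorted(buckets.items()):
        base = baseline.get(dst)
        if base is not None and packets > floor and packets > factor * base:
            alerts.append((start, dst, packets, len(sources)))
            continue  # do not let attack traffic inflate the baseline
        baseline[dst] = packets if base is None else alpha * packets + (1 - alpha) * base
    return alerts


def sample_flows():
    """Constructed sample: 5 quiet windows, then many sources hit one host."""
    flows = []
    for w in range(5):  # baseline: 3 clients per host in each 10 s window
        for c in range(3):
            flows.append((w * 10 + c, f"198.51.100.{c + 1}", "192.0.2.10", 100))
            flows.append((w * 10 + c, f"198.51.100.{c + 1}", "192.0.2.20", 50))
    for s in range(200):  # window starting at t=50: 200 sources, 40 packets each
        flows.append((50 + s % 10, f"203.0.113.{s + 1}", "192.0.2.10", 40))
    for c in range(3):  # the other host stays quiet in the same window
        flows.append((50 + c, f"198.51.100.{c + 1}", "192.0.2.20", 50))
    return flows


if __name__ == "__main__":
    for start, dst, packets, sources in detect_floods(sample_flows()):
        print(f"t={start}s dst={dst} packets={packets} distinct_sources={sources}")
```

The distinct-source count reported with each alert helps an operator tell a distributed flood from a single noisy client before triggering mitigation.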
Parsing DDoS Solutions
There are a number of solutions on the market to help organizations protect and defend themselves against DDoS attacks. It’s important to understand that these solutions fall broadly into two distinct categories: detection and mitigation.
Detection: You want to make sure that all of your systems, including firewalls, IDS/IPS, etc., are configured to minimize exposure to DDoS attacks. But the fact is that many of these security tools simply aren’t the best solutions for this particular attack method. Because of the nature of DDoS traffic, you can’t rely on signatures or source details to identify an in-progress attack. Nor can you afford to wait until the traffic starts hitting critical mass – and affecting availability. That’s why having a flow-based solution that can detect an attack within seconds is vital.
Mitigation: Your detection solution needs to be able to trigger automated mitigation, directing traffic to a scrubber appliance or service. In addition to handling the volume of traffic that today’s DDoS attacks create, mitigation solutions also need to be able to filter out the bad traffic while allowing legitimate traffic back on the network to maintain normal business operations.
The DDoS problem isn’t going away any time soon – in fact all signs point to increasing risk in the foreseeable future. In order to be in the best position to defend against DDoS, companies need to protect against the wide range of exploitable vulnerabilities and to have the tools to detect and react to attacks quickly and effectively, without affecting normal business operations.
[Read part one of the series: Ultimate Guide to DDoS Protection: DDoS is a Business Problem]
Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.