There are many things that can be done with existing network infrastructure to protect against network-layer attacks. Network equipment that is already heavily taxed with production traffic is vulnerable: even a minimal increase in traffic can cause availability disruptions. AlgoSec, a leading provider of network security policy management, offers five tips for defending against a DDoS attack.
It starts with a robust firewall clearly defining the organization’s perimeter network, which many organizations do not deploy appropriately. Often, organizations have the firewall infrastructure deployed, yet they do not have the supporting security governance in place to clearly define the delineation between trusted and untrusted networks. Maintaining a clearly defined perimeter allows organizations to appropriately deploy security controls to mitigate attacks such as DDoS.
Know how many connections your database can hold without dying. You also want to know if you have the opportunity to fail over or cluster websites, DNS, etc. to push the load of traffic to other sites or distribute the traffic to where you want it. Knowing what you have in your arsenal will come in handy when you’re attacked. You can also deploy on-premises devices that are primarily used to protect your network and applications against a DDoS attack. These devices inspect the traffic coming into your network and mitigate bad traffic once it is identified; however, the issue here is what happens when the load is too much for that device, the routers and/or your Internet connection.
If you are concerned that your current infrastructure cannot handle a DDoS attack, then it is very important to get help. One possible option is to partner with your ISP since these attacks have to go over their network infrastructure. Your ISP may have services available to block or shun specific IP addresses from hitting your network, which doesn’t provide a complete solution, but it can greatly help in mitigating the DDoS threat.
Firewalls and other security products are essential elements of a layered-defense strategy; however, the issues they were designed to resolve or mitigate might not directly relate to DDoS attacks. Firewalls address fundamental network security challenges such as zoning and traffic inspection, but they do not address a fundamental target of DDoS attacks: network availability.
Often, when it comes to protecting against a DDoS attack, many enterprises have a false sense of security. Organizations believe that they have secured their key services against attacks by deploying firewalls in front of their servers; however, the truth is that a multi-layered approach is needed, requiring security controls deployed at various points within the application flow.
Partner with a scrubbing facility that allows you to route your traffic over to them either by DNS redirects or BGP changes. The scrubbing facility can essentially clean DDoS traffic by using a variety of DDoS mitigation systems and techniques before sending “clean” traffic back to you. These companies often offer monitoring of DDoS traffic that gives you early warning signs that something bad might be lurking.