Nine Tips for Agile DDoS Protection
DDoS attacks are increasing and evolving, so CIOs should take an intelligence-driven approach to combating them. Use these tips to protect your network.
Ask yourself: Are you dependent on IaaS/PaaS for application development and deployment? Is your marketing and sales software built on a SaaS-based technology stack? How many web APIs are embedded in your critical applications? Then map out your Internet-traffic dependencies.
One of the quickest ways a DDoS attacker can knock you offline is to disrupt DNS. Keep a close eye on DNS traffic activity for unusual changes, and make sure your DNS provider is both resilient and prepared.
Detection that is independent from mitigation technology ensures that your teams always maintain visibility. Otherwise, when you start dropping attack traffic, you also start losing real-time insight.
Independent detection can also ensure that you’re not overly dependent on one technique or vendor for your entire DDoS defense strategy.
A unified detection approach enables you to use multiple mitigation techniques, which can vary from simple and inexpensive to sophisticated and costly. Choose according to the type and scale of attack. Try Remote Triggered Black Hole (RTBH), Flowspec and on-premises or public cloud-based commercial mitigation products and services.
Network data is big data, so you must have visibility that scales. Networks can generate millions to billions of network traffic flow records daily.
DDoS attacks generate far more unique traffic flows than average. This means the network traffic flow records upon which detection products rely can spike to huge numbers. If your detection technology can’t handle that rate, then you will lose visibility and accuracy.
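One way to turn the unique-flow spike described above into a detection signal, as an added example that is not part of the original article: count distinct 5-tuples per destination per minute and compare each minute against that destination's own recent baseline. The record layout, the 5x threshold, the function names and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

def unique_flows_per_bucket(records, bucket_seconds=60):
    """Count distinct 5-tuples seen per (time bucket, destination IP)."""
    seen = defaultdict(set)
    for ts, src, dst, sport, dport, proto in records:
        seen[(ts // bucket_seconds, dst)].add((src, dst, sport, dport, proto))
    return {key: len(flows) for key, flows in seen.items()}

def detect_spikes(records, bucket_seconds=60, factor=5.0, min_history=3):
    """Flag buckets whose unique-flow count exceeds factor x the median of
    that destination's earlier, non-flagged buckets (assumed threshold)."""
    counts = unique_flows_per_bucket(records, bucket_seconds)
    history = defaultdict(list)
    alerts = []
    for (bucket, dst), n in sorted(counts.items()):
        past = history[dst]
        if len(past) >= min_history and n > factor * median(past):
            alerts.append((bucket * bucket_seconds, dst, n, median(past)))
        else:
            past.append(n)  # only non-anomalous buckets feed the baseline
    return alerts

def constructed_sample():
    """Constructed flow records: 5 quiet minutes, then a flood in minute 5."""
    dst = "192.0.2.10"  # documentation address range, not a real host
    records = []
    for minute in range(5):
        for i in range(20):  # 20 distinct clients per quiet minute
            records.append((minute * 60 + i, f"198.51.100.{i}", dst,
                            40000 + i, 443, "tcp"))
    for i in range(2000):  # many distinct source/port pairs within one minute
        src = f"203.0.113.{i % 250}"
        records.append((300 + i % 60, src, dst, 1024 + i, 443, "udp"))
    return records

if __name__ == "__main__":
    for start, dst, n, base in detect_spikes(constructed_sample()):
        print(f"t={start}s dst={dst} unique_flows={n} baseline={base}")
```

Keeping flagged minutes out of the baseline stops a sustained attack from raising its own threshold; the per-bucket sets are also where memory grows during an attack, which is the scaling concern the tip raises.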
Gone are the days when traffic scrubbing could only be done in expensive appliances. Many digital businesses take a hybrid cloud approach with both on-premises and cloud services, especially to deal with attacks that exceed total direct Internet connection capacity.
Most DDoS attacks come in at under 20 Gbps. With 10 Gbps transit links costing less than $3K per month, it makes sense to invest in more interconnectivity for your DDoS protection portfolio to more easily weather garden-variety attacks.