Nine Tips for Agile DDoS Protection

Karen A. Frenkel

DDoS attacks are increasing and evolving, so CIOs should take intelligence-driven approaches to combat them using these tips to protect their networks.

Understand Your Digital Supply Chain

Ask yourself: Are you dependent on IaaS/PaaS for application development and deployment? Is your marketing and sales software built on a SaaS-based technology stack? How many web APIs are embedded in your critical applications? Then map out your Internet-traffic dependencies.

Don't forget about DNS

One of the quickest ways a DDoS attacker can knock you offline is to disrupt DNS. Keep a close eye on DNS traffic activity for unusual changes, and make sure your DNS provider is both resilient and prepared.

Grant Your Detection Its Independence

Detection that is independent from mitigation technology ensures that your teams always maintain visibility. Otherwise, when you start dropping attack traffic, you also start losing real-time insight.

Praise for Independent Detection

Independent detection can also ensure that you’re not overly dependent on one technique or vendor for your entire DDoS defense strategy.

Diversify Your Mitigation

A unified detection approach enables you to use multiple mitigation techniques, which can vary from simple and inexpensive to sophisticated and costly. Choose according to the type and scale of attack. Try Remote Triggered Black Hole (RTBH), Flowspec and on-premises or public cloud-based commercial mitigation products and services.

Deal With Big Data Reality

Network data is big data, so you must have visibility that scales. Networks can generate millions to billions of network traffic flow records daily.

Traffic Flow

DDoS attacks generate far more unique traffic flows than average. This means the network traffic flow records upon which detection products rely can spike to huge numbers. If your detection technology can’t handle that rate, then you will lose visibility and accuracy.
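The unique-flow spike described above can be measured directly from flow records. The following sketch is an added example, not from the original article: it counts distinct 5-tuples per one-minute window and flags windows far above a rolling median baseline. The function names, the 5x threshold, the window size and the sample records are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

def unique_flows_per_window(records, window=60):
    """Count distinct 5-tuples seen in each time window (seconds)."""
    buckets = defaultdict(set)
    for ts, src, dst, sport, dport, proto in records:
        buckets[ts // window * window].add((src, dst, sport, dport, proto))
    return {start: len(flows) for start, flows in sorted(buckets.items())}

def flag_spikes(counts, history=5, factor=5.0):
    """Return window starts whose unique-flow count exceeds `factor` times
    the median of the previous `history` unflagged windows."""
    baseline, flagged = [], []
    for start, n in counts.items():
        if len(baseline) >= history and n > factor * median(baseline[-history:]):
            flagged.append(start)      # keep attack windows out of the baseline
        else:
            baseline.append(n)
    return flagged

def sample_records():
    """Constructed records: quiet minutes with ~20 client flows each, plus one
    minute (minute 8) with 2000 flows from distinct sources to the same host."""
    victim = "203.0.113.10"            # documentation address, hypothetical
    recs = []
    for minute in (0, 1, 2, 3, 4, 5, 6, 7, 9):
        for i in range(20 + minute % 3):
            recs.append((minute * 60 + i, f"198.51.100.{i}", victim,
                         40000 + i, 443, "tcp"))
    for i in range(2000):
        recs.append((8 * 60 + i % 60, f"10.{i // 256}.{i % 256}.1", victim,
                     1024 + i, 53, "udp"))
    return recs

if __name__ == "__main__":
    counts = unique_flows_per_window(sample_records())
    for start, n in counts.items():
        print(f"t={start:4d}s unique_flows={n}")
    print("flagged windows:", flag_spikes(counts))
```

The per-window sets grow with the number of unique flows, which is exactly where the scaling problem bites; at production rates a cardinality sketch such as HyperLogLog replaces the exact sets.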

Think Hybrid Cloud

Gone are the days when traffic scrubbing could only be done in expensive appliances. Many digital businesses take a hybrid cloud approach with both on-premises and cloud services, especially to deal with attacks that exceed total direct Internet connection capacity.

Don't Neglect Inter-Connectivity

Most DDoS attacks come in at under 20 Gbps. With 10 Gbps transit links costing less than $3K per month, it makes sense to invest in more inter-connectivity for your DDoS protection portfolio to more easily weather garden-variety attacks.
