Protection against DDoS attacks in the enterprise

Many of the world’s most popular websites have been the subject of distributed denial-of-service attacks (DDoS) in recent years. DDoS attacks strain a host’s Internet access, operating system, or services with more requests than they can handle. Regular requests cannot be answered or only very slowly.

In recent years, the number of such attacks has increased sharply: In the meantime, distributed denial-of-service attacks have become one of the biggest threats to the security landscape due to the increased spread of botnets.

The attacks are getting smarter

The distributed denial-of-service attacks currently increase annually by up to 45 percent. The following remarks show how companies can hedge.

Recently, researchers have not only found out that DDoS attacks are taking place more frequently, but also that their bandwidth and duration are increasing. Ten years ago, when 50 Gbps attacks (the abbreviation Gbps stands for Gigabit per second) were observed only a few times a year, these attacks are now taking place almost every week.

In addition, the attacks become smarter as they now run more controlled. Instead of firing only a prepared flood of data, the criminals start an operation and can then adjust the type of attack or target depending on the desired outcome.

The Impact on Business: You’ll have to reckon with missing revenue from downtime and additional costs associated with IT analytics and recovery. Other risks include the loss of employee benefits, penalties for missed service agreements and reputation damage.

The development of DDoS attacks underlines the urgency for companies to implement a comprehensive security strategy. You can take proactive steps to strengthen the defense or generally reduce the risk of attack. However, rather than attempting to remove all DDoS traffic, a DDoS protection strategy should attempt to maintain critical services, and do so with minimal disruption.

Meaningful security measures

At the beginning are the assessment of the network environment and the development of a response plan. This plan should include backup and recovery strategies and additional monitoring. Proactive protection also requires the following approaches:

• Security measures before firewall / IPS,
• Defense mechanisms at the web application level,
• implementing a multi-layered defense strategy,
• the protection of DNS servers and other critical infrastructures as well
• Establishing visibility and control of the IT infrastructure.

Firewall / IPS defenses: Often, companies are already armed with a variety of security solutions, but they are almost powerless against high-volume DDoS attacks, which also have the intelligence to do so.

DDoS defense at the web application level: Many DDoS attacks make use of permitted commands and requests to websites or web applications. The only way to find out if these requests come from real users or infected devices is to use a challenge-response system. With its help, a request to the client can be sent depending on thresholds. Provided it answers correctly, access to the required service can be granted. Otherwise, the query is rejected and the IP address is blocked.

Multi-Layer Defense: Typical firewall systems are able to detect DoS and DDoS attacks and – if they have the low bandwidth – also defend them. Companies should rely on appliances with a multi-layered defense model, which relieves the available resources significantly.

A multi-layered strategy is critical to providing reliable protection against DDoS attacks. It includes dedicated on-premise solutions that protect against threats within the network. These solutions should provide anti-spoofing, host authentication techniques, packet-aware and application-specific limits, state, and protocol verification, baselining, hibernation, blacklists and whitelists, and location-based access control lists.

When organizations choose DDoS solutions, they need to make sure they do not just detect application-layer DDoS attacks and block generic or custom DDoSAttack techniques and patterns. They must also have the ability to detect acceptable and abnormal patterns of behavior as a function of traffic.

This traffic profiling is the key to detecting threats, limiting them quickly, and reducing false positives at the same time. For even more efficient protection, companies should also make sure that DDoS solutions include advanced virtualization and location-aware features.

Securing DNS servers: As part of a defensive overall strategy, businesses need to protect their critical assets and infrastructure. Many companies have their own DNS servers, which are usually attacked first in an attack. Once the DNS servers are attacked, attackers can easily disable the Web site, creating a denial-of-service situation. Modern DNS security solutions protect against transaction ID, UDP source port, and randomization mechanism intrusions.

Visibility and Control: Companies also need to find a way to monitor their systems before, during and after an attack. A holistic view of the IT environment gives administrators the ability to quickly detect network traffic and attack alerts, minimize risk, and implement preventative techniques in a timely manner. The best defense involves constant and automated monitoring with alarm systems that trigger the emergency plan when they detect DDoS traffic.