All organizations with an Internet presence should worry about Distributed Denial-of-Service (DDoS) attacks – some more than others. It is a fact of life that the Internet brings all sorts of benefits to organisations, but also a huge amount of risk. DDoS attack protection should be at the top of the list for any company with business-critical applications accessible on the Internet.
According to Symantec, attackers can now rent DDoS attack services for as little as $5. The largest DDoS attacks can exceed 300 Gbps in traffic volume, and the cost to businesses globally is climbing to hundreds of millions every year. Gartner forecasts that DDoS will continue to be a major issue for ecommerce infrastructures in the near and long term. Planning ahead and re-assessing your current DDoS posture is a must.
Many products claim to give organizations the ultimate protection against DDoS. Some vendors are good at mitigating certain types of DDoS; other vendors provide a truly complete cloud and on-premises solution to keep your digital infrastructure and apps safe 24/7.
It can be a stressful experience to be under a DDoS attack while network devices are failing under the strain. It is best to plan before the attack rather than patching things during an ongoing assault. By planning ahead and putting in place a defense in depth design and a resilient digital infrastructure, organizations can be confident that they will deal with the most sophisticated DDoS attacks.
DDoS Defense in Depth Architecture
Having designed and implemented several network and security systems to defend against the most sophisticated DDoS assaults, I strongly recommend a defense in depth approach using multi-tier protection.
Tier 1 — DDoS Network Defense Layer
The first tier focuses on the network layer only; its primary protection target is L3 and L4 of the OSI model. There is no need for deep packet inspection here: this layer deals with the detection of known botnet IPs, bad IP sources, bad IP reputation, known bad geolocations, and reputation-based filtering using threat intelligence. The types of attacks stopped at this layer include SYN floods, TCP floods, ICMP floods, etc. Since your DDoS protection equipment is designed to look only at L3 and L4 packet headers, the detection, throttling, and dropping of connections is done at greater speed with little or no negative impact on the "clean" application traffic.
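As an added example (not code from the article or from any vendor product), the script below shows the kind of header-only triage this tier performs: it runs over constructed flow records shaped as (source IP, destination port, TCP flags, packet count), applies a hypothetical reputation blocklist of IPs and prefixes, and flags SYN-flood sources by the ratio of SYNs sent to ACKs returned. Everything it needs is constructed inline, so it runs offline; the thresholds and the record shape are assumptions, not a product's API.

```python
"""Tier 1 (L3/L4) triage over constructed flow records.

Added example, not the author's or any vendor's code. It assumes a
flow-record feed shaped like the FLOW_RECORDS tuples below and a
hypothetical threat-intelligence blocklist; both are constructed inline.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical reputation feeds (constructed, using documentation ranges).
BAD_PREFIXES = [ip_network("198.51.100.0/24")]
BAD_IPS = {ip_address("203.0.113.7")}

# SYN-flood heuristic: a source that sends many SYNs but almost never
# follows up with an ACK is not completing handshakes, which is what a
# flood looks like at L4 without inspecting any payload.
SYN_THRESHOLD = 100      # minimum SYN packets per source in the window
MAX_ACK_RATIO = 0.1      # ACK/SYN ratio below this = handshakes not completing

# Constructed flow records: (src_ip, dst_port, tcp_flags, packets)
FLOW_RECORDS = [
    ("192.0.2.10", 443, "S", 500),    # SYN-only flood from one source
    ("192.0.2.10", 443, "A", 3),
    ("192.0.2.20", 443, "S", 40),     # normal client: SYNs followed by ACKs
    ("192.0.2.20", 443, "A", 38),
    ("198.51.100.5", 80, "S", 2),     # inside a blocklisted prefix
    ("203.0.113.7", 80, "S", 1),      # explicitly blocklisted IP
    ("192.0.2.30", 22, "S", 150),     # busy but legitimate: handshakes complete
    ("192.0.2.30", 22, "A", 140),
]


def is_blocklisted(src):
    """Reputation check: exact IP match or membership in a bad prefix."""
    addr = ip_address(src)
    return addr in BAD_IPS or any(addr in net for net in BAD_PREFIXES)


def syn_flood_sources(records, syn_threshold=SYN_THRESHOLD,
                      max_ack_ratio=MAX_ACK_RATIO):
    """Sources whose SYN count is high and whose ACK/SYN ratio is tiny."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for src, _port, flags, packets in records:
        if "S" in flags and "A" not in flags:
            syns[src] += packets
        elif "A" in flags:
            acks[src] += packets
    return sorted(
        src for src, n in syns.items()
        if n >= syn_threshold and acks[src] / n < max_ack_ratio
    )


def tier1_verdicts(records):
    """Return {src_ip: reason} for sources Tier 1 should drop or throttle."""
    verdicts = {}
    for src, *_ in records:
        if src not in verdicts and is_blocklisted(src):
            verdicts[src] = "reputation-blocklist"
    for src in syn_flood_sources(records):
        verdicts.setdefault(src, "syn-flood")
    return verdicts


if __name__ == "__main__":
    for src, reason in sorted(tier1_verdicts(FLOW_RECORDS).items()):
        print(f"{src:16} {reason}")
```

Note that 192.0.2.30 sends more SYNs than the threshold but is not flagged, because its ACKs show the handshakes completing: the point of the ratio check is to keep a busy legitimate client off the drop list while still catching a source that only ever sends SYNs.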
Tier 2 — DDoS Application Defence Layer
The second tier focuses exclusively on DDoS attacks at the upper layers of the OSI model: L5, L6, and L7. The goal is to deploy application-aware checks with context and application-logic intelligence. SSL offload is required to inspect encrypted content and stop L7 application-level DDoS attacks. Relying on a deep understanding of the application traffic and business-transaction logic is crucial in order to protect your web applications. CPU-intensive transactions requiring deep packet inspection are carried out at this tier, maximizing the efficiency of your second line of protection.
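As an added example of an application-aware check at this tier (again not code from the article or from any product), the script below runs over constructed access-log lines as they would be written behind an SSL offload point, where the request path is visible. Instead of counting raw requests, it charges each request a cost that reflects how expensive the transaction is for the application (an assumed cost table: search, login and checkout are expensive, static assets are cheap) and flags any client that spends more than a budget in a ten-second window. The log format, cost table, window and budget are all assumptions.

```python
"""Tier 2 (L7) detection over constructed web access-log lines.

Added example, not the author's or any vendor's code. It assumes logs
are written after TLS termination in the space-separated shape below,
and that ENDPOINT_COST reflects which transactions are expensive for
the application. All sample data is constructed.
"""
import re
from collections import defaultdict

# Assumed log shape: ip [unix_ts] "METHOD path HTTP/1.1" status duration_ms
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<duration_ms>\d+)$'
)

# Application-aware cost weights (assumed): stateful, CPU-heavy
# transactions count for more than a cached static asset.
ENDPOINT_COST = {"/api/search": 5, "/login": 4, "/checkout": 6}
DEFAULT_COST = 1

WINDOW_SECONDS = 10
BUDGET_PER_WINDOW = 60   # weighted requests one client may spend per window

# Constructed access log. 10.0.0.5 hammers search, 10.0.0.7 hammers login,
# 10.0.0.6 fetches many cheap static files, 10.0.0.9 is a single checkout.
ACCESS_LOG = (
    [f'10.0.0.5 [{1700000000 + i // 2}] "GET /api/search?q=x HTTP/1.1" 200 350'
     for i in range(15)]
    + [f'10.0.0.6 [{1700000000 + i // 4}] "GET /static/app.js HTTP/1.1" 200 5'
       for i in range(40)]
    + [f'10.0.0.7 [{1700000000 + i // 2}] "POST /login HTTP/1.1" 401 120'
       for i in range(20)]
    + ['10.0.0.9 [1700000012] "GET /checkout HTTP/1.1" 200 900']
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "ts": int(d["ts"]),
        "path": d["path"].split("?", 1)[0],   # cost is keyed on the route only
        "status": int(d["status"]),
        "duration_ms": int(d["duration_ms"]),
    }


def weighted_spend(lines):
    """Map (client_ip, window) -> weighted request cost in that window."""
    spend = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue   # unparseable lines are skipped, not counted
        window = rec["ts"] // WINDOW_SECONDS
        spend[(rec["ip"], window)] += ENDPOINT_COST.get(rec["path"], DEFAULT_COST)
    return spend


def offending_clients(lines, budget=BUDGET_PER_WINDOW):
    """Clients whose peak weighted spend in any window exceeds the budget."""
    worst = defaultdict(int)
    for (ip, _window), cost in weighted_spend(lines).items():
        worst[ip] = max(worst[ip], cost)
    return {ip: cost for ip, cost in worst.items() if cost > budget}


if __name__ == "__main__":
    for ip, cost in sorted(offending_clients(ACCESS_LOG).items()):
        print(f"{ip:12} peak weighted spend {cost} > budget {BUDGET_PER_WINDOW}")
```

The client fetching 40 static files stays under budget while the clients making 15 search or 20 login requests do not: a raw request-count limit would rank them the other way round, which is why the check needs the application context that only becomes available once traffic has been decrypted at this tier.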
A resilient and robust DDoS system can be achieved with defence in depth principles. These principles apply not only to DDoS protection, but also to other cyber-attack vectors. Understanding the nature of the DDoS attack is crucial to providing a long-term, effective, and resilient solution. Separating network-level and application-level transactions is a known, tested, and effective approach to protecting against DDoS attacks.
About The Author
Marco Essomba is a Certified Application Delivery Networking and Cyber Security Expert with an industry leading reputation. He is the founder and CTO of iCyber-Security Group, a leading edge UK based cyber security firm providing complete and cost effective digital protection solutions to SMEs. iCyber-Security’s Cyber Defence Platform (iCyber-Shield) gives total visibility & control over your entire security infrastructure in order to detect and respond faster to cyber threats. The product is listed on the London Digital Security Centre MarketPlace.
Other Articles By Marco Essomba
- Internet of Things (IoT) — Is Your Business Ready?
- Single Password Authentication should be banned. Here are 5 reasons why.
- Dilemma: Cyber Security vs. Convenience vs. Usability. I Just Can’t Uninstall WhatsApp. Here is Why.
- Banking-As-A-Service (BaaS) Will Disrupt Banking Whether Bankers Like It Or Not.
- Protecting your network infrastructure and apps against DDoS attacks: Here is how.
- Protect E-Commerce Apps Against Cyber Fraud.
- 7 Proven CyberSecurity Tips For Effectively Fighting Sophisticated DDoS Attacks.
- 7 reasons why organisations get hacked.
- What’s the Point of a CISO?
- 7 Lessons I Learned From Investigating A Major Cyber Security Breach.
- The word hacker has been hacked by the media — ‘hackers’ used to be heroes.
- The Rise of SecOpsDevOps.
- Cost to global businesses to cyber crime will reach $2 trillion by 2019! Fight back with best of breed.
- 7 Reasons Why Network Engineers Must Master At Least One Application Delivery Controller (ADC).
- Part 1: General Fights Back Cybercrime in NeverHackLand.
- Part 2: General Fights Back Cybercrime in NeverHackLand.
- 7 Awesome Skills That Will Make You Stand Out As A Network Security Engineer.
- Are you preparing for your Cyber Essentials Certification? Here are 7 tips to help you pass the certification at the first attempt!