When distributed denial-of-service (DDoS) attacks make headlines, it’s usually because of their size. For instance, Arbor Networks reported that the largest DDoS incident it measured in 2016 hit 800 Gbps at its peak — a 60 percent surge from the 2015 record.
In recent years, DDoS perpetrators have exploited attack vectors such as the obscure Network Time Protocol and leveraged massive botnets to push the envelope of DDoS attack size. DDoS victims have included the BBC, online gaming networks and even DNS providers.
DDoS attacks don’t have to be gigantic to be damaging: Most are under 2 Gbps, but still big enough to overwhelm the target’s total network bandwidth. So what’s feasible in terms of risk mitigation? There are a few good options, ranging from dedicated IT security solutions to content delivery networks (CDNs).
How should you approach DDoS mitigation?
The stakes for DDoS mitigation are high. The Arbor Networks survey found that for 60 percent of respondents, downtime from DDoS costs at least $500 per minute. A comprehensive mitigation strategy should have three main prongs:
- Preparation for worst-case scenarios.
- Early and accurate detection of threats.
- Transparent, customer-friendly response.
DDoS mitigation requires specific pre-existing IT infrastructure that can be activated during an attack. Many organizations tee up solutions that can divert their traffic to scrubbing centers to screen out the DDoS excess. These scrubbing services may be set up in a company data center, bundled with cloud computing solutions or included as part of a comprehensive service package from an ISP.
Traditional IT security solutions are not always suitable for DDoS detection. Official guidance from Cisco has documented in depth the shortcomings of firewalls, router-based access control lists and intrusion detection systems in sniffing out DDoS attacks. Cisco services, including the Cisco Traffic Anomaly Detector, provide more sophisticated detection to set up a more effective response.
In addition to financial strain, DDoS can also fuel negative PR. Customers may avoid returning to a website or app if it is constantly slow, with splash screens or messages about current availability. Ideally, a DDoS response would be mostly invisible to end users since it would take place largely behind the scenes (i.e., across cloud infrastructures and on the CDNs that reduce latency). The Cisco services we talked about also help seamlessly separate good and bad traffic to preserve business continuity even under duress.
Turning this DDoS mitigation blueprint into reality
Fending off DDoS troubles is not something that should be done alone. Close collaboration with ISPs, vendors and security consultants is essential.
As an experienced partner and a company that listens and grows alongside its customers, LaSalle Solutions can deliver the guidance you need to map out a network security strategy. Learn more on our security page today.