How to Protect Your Business Against DDoS Attacks
Now that you know what distributed denial of service (DDoS) attacks are and the impact they can have on your business, one big question remains: what can you do to protect your digital assets and infrastructure? At the highest level, you need a solution that can tell the difference between normal and malicious traffic – and then mitigate attacks quickly and with precision. But just as DDoS attacks vary in type and execution, not all protection measures are created equal.
Protect more than just your network
DDoS attacks are about more than just clogging your Internet pipe. According to Radware’s Global Application and Network Security Report, only half of all attacks are volumetric – drawing on the brute force of thousands of bots to tie up network bandwidth. The other half target applications, exploiting weaknesses in protocols like HTTPS, DNS, SMTP and FTP to exhaust application resources and make the apps themselves unresponsive.
Attackers are increasingly using blended attacks to hit the network, server and application layers simultaneously. This means you need to be able to protect against all types of attacks – whether they’re targeting each layer individually or in a more coordinated assault.
On-premises equipment alone won’t cut it
Many businesses don’t invest in comprehensive security services because they believe their firewall or intrusion prevention system (IPS) is enough to protect against DDoS attacks. Having a firewall or IPS is essential – but it should not be your only line of defence, precisely because these devices are stateful. They track the state of every connection and transaction in order to filter traffic properly, which means they can themselves be overwhelmed by a DDoS attack. Even the strongest firewall will crash when faced with too many open requests – literally opening the floodgates to malicious traffic.
Take a hybrid approach to DDoS protection
The ideal approach to DDoS protection includes both on-premises equipment (which offers greater control over when and how to mitigate an attack) and either cloud-based scrubbing or upstream detection and mitigation in the network.
With cloud-based scrubbing, when an attack is detected, all traffic is routed through a third-party cloud provider for filtering. Only legitimate traffic gets sent on to your site. Because your on-premises equipment no longer has to deal with a flood of traffic, it can focus on keeping your servers and applications up and running.
Yet cloud-based services come with a window of vulnerability: it can take up to an hour from the time an attack is detected to when the route announcement begins to propagate. In the meantime, malicious traffic is landing at your doorstep — and if we’re being realistic, it can take far less than an hour for an attacker to bring down your site. In addition, most scrubbers are located outside of Canada, which might violate your corporate or regulatory data-management requirements.
With upstream network detection, both volumetric and application-layer detection and mitigation take place in the network itself – before the traffic even has a chance to reach your business. It’s offered by network service providers with advanced security capabilities, as they are in the unique position of being able to implement the required detection and mitigation mechanisms from within their own network. Compared to cloud-based scrubbing, latency is minimized: an attack can be mitigated within 30 seconds of detection. Plus, by addressing packet anomalies and other bandwidth-intensive ‘noise’ upstream, you use your Internet connection more efficiently, since less of its capacity is consumed by unwanted traffic.
Key questions to ask when evaluating DDoS protection services
When evaluating potential security providers for DDoS protection services, consider the following:
- Does the service protect across the application, server and network layers?
- Is the service provider located in Canada – and is that important for your business?
- Can your network tolerate latency from traffic redirection and scrubbing?
- Do you rely on encrypted traffic to engage with clients, process transactions or transfer sensitive data?
A provider like Bell is in a strong position to offer network-based DDoS protection because Bell owns and operates Canada’s largest IP network – and that enables Bell to see the big-picture view of possible threats to businesses on the network. If you’re interested in learning more, read about the Bell Network DDoS Security service here.
Corey Still is a Network and Cyber Security Professional at Bell.