Seven ways to protect your business against DDoS attacks

This is a contributed piece from Darren Anstee, Chief Technology Officer from Arbor Networks


Over the last year the world has seen a number of high-profile DDoS attacks causing problems for both businesses and consumers around the world. In October 2016, a number of DDoS attacks were made using IoT devices against the authoritative DNS provider Dyn, resulting in outages to the internet services provided by a number of household names. In June this year, a  DDoS attack against Square Enix’s Final Fantasy game caused disruption for a number of days. With all of this activity one thing is now for certain, DDoS is top-of-mind for ISPs, enterprises and consumers alike – it has become a mainstream topic of discussion.

Unfortunately, DDoS attacks continue to grow in size, frequency and complexity with the weaponisation of DDoS for hire services being partially to blame. There is a whole service sub-economy offering DDoS ‘services’ to anyone at minimal cost. And, these services are competing with one another, driving capability upwards and cost to users down. The operators of these services are looking for ways to maximise their capabilities – and IoT devices have proved ideal.

The sheer number of compromisable IoT devices out there on the internet represents a huge opportunity for those looking to build out botnets for use within weaponised DDoS services. These devices are ideal for DDoS botnets: they are generally always turned on, making capacity predictable (from a service perspective); they often reside on networks which aren’t monitored for either incoming or outgoing attack traffic; and, they often have high-speed connections.

Unfortunately, many businesses are under-protected and ill-prepared for a DDoS attack. However, DDoS is a well understood threat, and organisations can defend against DDoS attacks by implementing best current practices for DDoS defence:

  • Ensure best-practice layered DDoS defences are in place. Layered DDoS defences comprise of a cloud or ISP based DDoS protection service, that can deal effectively with high magnitude DDoS attacks. This should be paired with an enterprise or data-centre edge DDoS mitigation system that can deal proactively with all forms of attack, before there is any service impact. Ideally these two layers should be able to communicate to maximise their effectiveness.
  • Harden network and application infrastructure. Utilise the stateless capabilities of existing routers and switches to limit Internet access to only needed ports and protocols.
  • Ensure any network-based DDoS mitigation capabilities are pre-configured and tested, for example Border Gateway Protocol (BGP) black-hole or Flowspec. Attempting to configure these capabilities whilst under attack is a recipe for disaster.
  • Don’t rely on stateful devices such as load-balancers and firewalls to provide a complete DDoS defence. These devices can deal effectively with some kinds of attack, but reliance on connection state can be targeted by DDoS attacks causing these devices to become a part of the problem in some circumstances.
  • Ensure complete visibility of traffic moving through networks. If a good picture of network activity is available then a baseline of normal operation can be established, allowing potentially problematic anomalies to be readily identified and dealt with.
  • Maintain up to date contact details for the operational security teams in all connected networks. Should an attack take place upstream networks are often well placed to assist with mitigation.
  • Ensure a documented and rehearsed process exists for dealing with a DDoS attack. Attempting to deal with an attack without a process can lead to mistakes and prolonged outages that could otherwise have been avoided.

The amount of DDoS activity taking place every day across the internet shows no sign of reducing. Every organisation should ensure they are well prepared, and put the best available defensive services and solutions in place to deal with this growing threat.


« Blockchain for insurance: A realistic picture


Chief architect perspective: What leaders need to know about the rise of bots »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail


Do you think your smartphone is making you a workaholic?