Marco Essomba
May 28, 2016 · 4 min read

According to Symantec, attackers can now rent Distributed Denial-of-Service (DDoS) attack services for as little as $5. The largest DDoS attacks can reach 300 Gbps in traffic volume, and the cost to businesses globally is climbing to hundreds of millions every year.

What is a DDoS?

The whole point of a DDoS is to render one or more network services unavailable by bombarding the network infrastructure or applications with a lot of traffic from multiple co-ordinated sources that are usually difficult to track down. DDoS cost to businesses is often spread between the cost of the outage, the cost of stopping the attack, and the extortion fee requested by the attackers.

Here are some effective tips learned from the field in order to protect against sophisticated DDoS attacks.

1. Think defence-in-depth to beat DDoS dead

Defend against DDoS with many security layers. Defending in layers is always a good strategy, not only for DDoS protection but also for network security in general. A defence-in-depth strategy using a multi-layer approach provides the strongest protection against DDoS attacks. The idea here is to rely on several layers that work together to throttle, degrade, and ultimately stop the attack.

2. Use IP intelligence to block known DDoS IP sources

Use an IP intelligence database to block known DDoS offenders. This database is often provided by the vendor as a subscription service and must be updated regularly to be effective. Although it may not be possible to block all devices participating in a DDoS attack, using IP intelligence can dramatically reduce the amplification of an ongoing attack.

3. Let the cloud take the DDoS pain away

Consider a cloud-based DDoS solution at the edge of your external network perimeter as your ultimate outer layer of defence. A cloud-based DDoS service delivered by security specialists who monitor attacks 24/7 from a Security Operations Centre (SOC) is very effective against the most sophisticated attacks, which can scale to huge traffic volumes that your company infrastructure may otherwise not be able to cope with. A cloud-based DDoS service can be implemented on demand, so that you pay for the service only when under DDoS attack.

4. Let the Tier 1 DDoS network defence layer throttle attacks

Based on the defence-in-depth principle, the Tier 1 layer is your first internal line of network defence against DDoS. This layer is primarily used to protect at L3 and L4 of the OSI model. There is no need for deep packet inspection; what is required is the raw hardware speed to detect protocol and traffic anomalies at high speed, as well as IP reputation-based filtering (known botnet IPs, bad IP sources, bad IP reputation, etc.). The types of attack stopped at this layer include SYN floods, TCP floods, and ICMP floods.
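The reputation filtering from tip 2 and the Tier 1 L3/L4 anomaly check described above can be sketched together as follows. This is an added example, not code from the author or any vendor; the blocklist entries, the threshold, the class name `Tier1Filter` and the packet summaries are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed reputation feed (documentation ranges, not real offenders).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

SYN_LIMIT = 5   # assumed threshold: SYNs allowed per source per window
WINDOW = 1.0    # sliding window length in seconds (assumed)


def is_listed(src):
    """True if the source address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BLOCKLIST)


class Tier1Filter:
    """L3/L4 decisions only: source reputation first, then per-source SYN rate."""

    def __init__(self):
        self.syn_times = defaultdict(deque)  # source -> recent SYN timestamps

    def decide(self, ts, src, proto, flags=""):
        if is_listed(src):
            return "drop:reputation"
        if proto == "tcp" and flags == "S":  # bare SYN, no ACK
            q = self.syn_times[src]
            while q and ts - q[0] >= WINDOW:  # expire SYNs outside the window
                q.popleft()
            q.append(ts)  # dropped SYNs still count towards the offered rate
            if len(q) > SYN_LIMIT:
                return "drop:syn-rate"
        return "pass"


def run(packets):
    f = Tier1Filter()
    return [f.decide(*p) for p in packets]


# Constructed packet summaries: (timestamp, source, protocol, TCP flags)
SAMPLE = (
    [(0.00, "203.0.113.50", "tcp", "S")]                         # listed source
    + [(0.01 * i, "192.0.2.10", "tcp", "S") for i in range(8)]   # SYN burst
    + [(0.50, "192.0.2.20", "tcp", "S"), (0.51, "192.0.2.20", "tcp", "A")]
    + [(2.00, "192.0.2.10", "tcp", "S")]                         # after the burst
)

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(pkt, verdict)
```

The per-source table grows with the number of distinct sources seen, so a production Tier 1 device has to bound and age that state.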

5. Leave deep packet inspection to the Tier 2 DDoS application defence layer

The Tier 2 layer focuses exclusively on protecting the application business logic. The goal is to deploy application-aware checks that include deep packet inspection with application context and intelligence. SSL offload is required to decrypt and inspect encrypted content and stop application-related DDoS attacks. CPU-intensive transactions requiring deep packet inspection should be carried out at this layer.

6. Keep reviewing the effectiveness of your DDoS defence

Keep improving and reviewing your existing DDoS protection mechanisms and processes. By continuously reviewing the effectiveness of your DDoS solution at all layers and understanding the nature and reason behind every DDoS attack, the processes can be tuned and the security team trained to improve the effectiveness of the response against future attacks.

7. Conduct a robust DDoS proof of concept

If possible, carry out an extensive PoC with the selected DDoS vendors with a clearly defined set of objectives and tests. Several tools are available for DDoS simulation, including open source tools such as Kali Linux.

Here is a list of well-known DDoS vendors. A more extensive list with technical reviews on DDoS vendors can be found here.

About The Author: Marco Essomba is a network & security expert, with more than a decade of experience in the field. Marco is CTO & Cofounder at AMPS Intl, a world class consulting firm that provides solutions to enable organisations in the banking, healthcare, retail, finance, insurance, and technology sectors to design, implement, and support their Application Delivery Infrastructure (ADI) in order to defend Enterprise Apps against sophisticated DDoS attacks.

Contacting Marco:

Twitter: @marcoessomba

