The Three Do’s of DDoS protection
During the growing years of building a connected world in the early 2000s, Internet security and Denial of Service (DoS) or Distributed Denial of Service (DDoS) did not feature high on IT or Network Managers priority list. DoS was still Disk Operating System and DDoS would confuse some IT managers as to what the extra D stands for in the disk operating system.
Looking back at those days, I ponder how unaware people were to the threat posed by Distributed Denial of Service (DDoS) attacks.
One thing attackers in 2016 did is put DDoS firmly in the IT and Network consciousness – and they did it by substantially raising the bar for just how big and disruptive a DDoS attack can now be.
In September, cyber security journalist Brian Krebs experienced a record 665 Gbps DDoS attack on his website. A month later, the mark was smashed by an attack on domain name system (DNS) infrastructure operator Dyn, where 1.2Tbps of malicious traffic disrupted many of the world’s major websites.
My key take-outs from 2016 are that DDoS attacks are not just growing in strength and frequency, but also diversifying in whom they target and the diversity of DDOS attacks, application layer as well as volumetric.
You no longer need to be a big organisation to be impacted by DDoS – everyone is now a target. And as more of us conduct our business on internet-based systems, the risk of costly disruption grows.
Attacks are backed by significant malicious resources, and are most effectively countered by the service provider that connects you to the Internet.
DDoS attacks can strike at any time; potentially crippling network infrastructure and severely degrading network performance and reachability. Depending upon the type and severity of an attack on a website or other IP-accessible system, the impact can result in thousands or even millions of dollars of lost revenue.
Recognising the continuously increasing size and complexity of threats posed by DDoS attacks, you need to ensure that your service provider has the capability to counter and mitigate those threats utilising the most relevant protection mechanism for the particular attack vector.
With that in mind, here are three things to ask your IP transit provider in order to effectively gauge their ability and security credentials to defend against a DDoS attack.
1. Does your transit provider own the network end-to-end?
Tier 1 transit providers own and control their entire network. They have end-to-end visibility, which enables them to pinpoint where an attack originates and mitigate it at the source. Transit providers that do not own everything inevitably have to rely on their upstream provider’s capability to mitigate an attack. This induces complexity and takes time, which you don’t have in an attack scenario.
2. Do they offer a range of mitigation techniques?
DDoS attacks can come from anywhere in the world and can be complex with varying attack vectors. Some transit providers are able to offer blackhole routing to shut down traffic that is being maliciously directed at a particular IP address. But this essentially means that the entire traffic to that particular IP address is blocked. This may be sufficient enough to protect other parts of the network until the attack subsides. However, what happens if there is a mix of legitimate traffic amongst the bad and the attack is from a specific geographic region? Selective Blackholing or geographical origin-based blackholing offered by only a select set of Tier 1 transit provider is another method that enables you to block only certain parts of traffic from certain region(s), rather than the entire traffic, this allows business to carry on without disruption.
However, there are some attack types where the above methods won’t work.
In these cases transit providers can use systems that actively ‘scrub’ anomalous traffic as it traverses links to and from the public Internet. For example, if the bad traffic is coming from Asia, your service provider can set their Asian scrubbers to work so only clean traffic gets passed on to you, which allows for uninterrupted business continuity.
3. Do you get to speak to a network security team that can help when you’re under attack?
Some providers will put you through to a call centre when you need support for your network. When you’re under attack, you really want to be able to speak directly to the network security team at a global network operations centre (NOC) that has visibility across their entire network and can start mitigating the attack immediately.
If your IP transit provider can’t provide these services, talk to us about getting the protection that you need.