In my previous post, we discussed the fundamental types of DDoS attacks — from volumetric attacks to low-and-slow application attacks. What makes a DDoS attack different from almost any other is that it is targeted, deliberate, and intentional. Conversely, much of the malware in the wild is opportunistic — counting on enough random people to take the bait.
But a DDoS attack is coming at you directly and on purpose. So, what do you do?
Start with a cohesive strategy — from application or service design, to the deployment model, to proactive and reactive controls, to the Internet provider you choose. The bottom line is to either have a scale larger than the largest attack or have a mitigation technique larger than the largest attack. Pick one.
From an application or service design perspective, this is obviously a complex topic. There is no one-size-fits-all solution. Generally speaking, the more distributed your application or service, the harder it is to take down. Take for instance a simple website with one or two locations and not much in the way of load balancing at any point. In this scenario, no matter how large your incoming pipe is, no matter how agile your operations or engineering teams are, you are a sitting duck.
Contrast this to a content delivery network (CDN) deployment model, one that distributes your site or content around the globe, at a scale out of reach for most. To impact your presence, an attacker would have to take down an entire CDN, or at least an entire geographic section of it, together with your site. While not unheard of, the largest CDNs are well-equipped to handle this sort of attack. And when compared to the cost of building it yourself, it is always going to be more cost effective to leverage someone else’s investment.
But let’s assume that a CDN just isn’t a match for you. In this scenario, we consider network design at the geographic level — again focusing on a scaled and scalable distributed footprint — and on-premises and off-premises mitigation techniques.
A successful approach will consist of many connections to multiple providers, or to a single provider that can offer sufficient route diversity. This will help spread the incoming load across multiple points of entry, and make a successful mitigation more likely. Additionally, multiple points of physical presence are most likely going to be necessary. This approach implies significant cost. But if time is literally money, the numbers are much easier to justify. As it happens, this is very similar to a Tier 1 CDN architecture, just at a much smaller scale.
As you weigh your options, your choice of ISP is also critically important, as they will play a key role in upstream mitigation. Ensure that the ISP has the scale and expertise to be an effective partner — because when you call for help, you are going to REALLY need the help. The larger the presence of the ISP, the more likely you are to have a capable partner who can stand behind you when the (almost) inevitable happens.