Practical DDoS mitigation techniques (and an interesting paper)

if you are the expert on distributed denial of service attacks, please skip the text and go directly to the link at the footer.

the advice below is only about bulk ddos attacks where a mass of traffic is bombarded your way. it is not aimed at isp’s, but rather at smaller operations.

important note:
first do what you don’t have to pay for. once you exhausted what you can do by yourself, check if further protection is necessary, a call to your isp might suffice.

should ddos concern you?
i may write about this at a later date, but have you ever been under such an attack? if you don’t know, that is your first problem. are you big enough to worry about such attacks? if you are a moms&pops business, probably not. if most of your networking concerns are operated by your isp – most likely not. if you have a large network, you most likely should consider creating a plan on how to handle a possible future attack.

i personally believe in:
[in no special order]

1. ddos mitigation mechanisms:

you get what you pay for. get a decent ddos protection mechanism and it will help you survive.
what’s cheap might end up costly.
i personally prefer cisco guard (ex riverhead guard).

please check suggestion #4 below.

2. bandwidth. bandwidth. bandwidth.

the more bandwidth you have the more secure you will be. this is no solution, but it works.
some buy so much bandwidth that if they go down, it is likely the network is down as well.

you don’t have to buy the world, but it is good practice to keep ahead of your regular day-to-day bandwidth needs.

3. better routers.

still own an ancient router that would die if it even faces a port scanner? maybe it is time to get a new one. adding extra ram may be a good alternative.
note: don’t buy what you don’t need. how would you know what you need? well, your should know your own network or hire someone to help you with that.

4. better relations with your isp.

maybe you can’t afford ddos mitigation mechanisms.. maybe you can. whichever the case having a good relation with your isp so that they can help you mitigate an attack is a great idea. knowing who to call at the isp ahead of time is also a good idea.

your isp won’t help? change isp’s.

4. configure your applications (and routers) securely.

as an example, make sure your web application doesn’t hammer the database. also try to test your web servers for load handling. if your server can’t take it, check why. is it the hardware? the network? is the application crappy or mis-configured? basically what is the bottle-neck and is there a specific failure point?

check out team cymru’s router configuration examples: http://www.cymru.com.

that’s just the tip of the ice berg, good security starts with good planning and continues with testing.

there’s more, but first make sure you cover your bases and talked to your own isp (anyone see a trend here?).

if ddos is your thing, check out this new interesting paper.

also, if you fear online extortion please consider my take on the issue:
http://blogs.securiteam.com/index.php/archives/94.

gadi evron,
ge@beyondsecurity.com.

Share
  • yusra

    hey i can’t access the paper that you have linked…i need it…how do i get it????

  • John Mendes

    Another great idea is an IPS, but a good IPS .