• 8 Methods To Combat DDOS Attacks

    Distributed denial of service (DDOS) attacks create a huge burden for businesses. They are costly for businesses, both in terms of lost revenue and added costs. DDoS attack protection plays a fundamental role in keeping businesses online. Here are some of the strategies that are being used to ensure provision of services to the consumer is uninterrupted.

    1. At the Firewall level

    Network administrators can use simple rules to block or allow IPs, protocols or ports. Depending on where the firewall is located in the network's hierarchy, firewalls are well suited to stopping internal flooding attacks, even though they may not have the intelligence to identify good traffic.

    More complex attacks, however, are usually hard to sort out because it is not possible to drop all traffic to a port, as this may prevent legitimate traffic from getting to the server.

    Firewalls that are too deep within the network may not help much because routers may get clogged before the traffic gets to the firewall. However, they form a great defense against simple DDOS attacks.

    2. The Switch as a DDOS Mitigation Tool

    Switches are usually built with an automatic control list capacity. As a result, they can limit data floods at a system-wide level or by traffic shaping, delayed binding or TCP splicing, deep packet inspection and bogon filtering. Traffic or packet shaping delays some or all data, bringing it into a desired traffic profile. This is a form of traffic rate limiting. It can be used to increase the usable bandwidth of specific traffic by sacrificing bandwidth access for others. Delayed binding allows a router to receive more routing information for specific traffic by postponing the connection between a client and a server.

    Network administrators can set these parameters manually or use manufacturer default settings.

    3. At the Router Level

    Network engineers can manually set the rate limiting ability of their router and configure a control list. As a result of these changes, routers can prevent flooding of requests from a DDOS attack, keeping a network accessible to its core users.
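The control list and rate limit described for switches and routers can be sketched in a few lines. This is an added example, not code from the article or from any vendor: the class name, the deny list, the rate and burst values, and the traffic are all constructed, and the addresses come from private and documentation ranges.

```python
import ipaddress

# Constructed control list: source networks that are always refused.
DENY = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

class SourceLimiter:
    """Control-list check followed by a token bucket per source address."""

    def __init__(self, rate, burst, deny=DENY):
        self.rate = rate      # tokens (packets) added per second
        self.burst = burst    # bucket capacity, the largest tolerated burst
        self.deny = deny
        self.buckets = {}     # source -> (tokens, time of last packet)

    def decide(self, src, now):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.deny):
            return "deny-acl"
        tokens, last = self.buckets.get(src, (self.burst, now))
        # Refill for the elapsed time, never above the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return "forward"
        self.buckets[src] = (tokens, now)
        return "drop-rate"

def run(packets, rate=4, burst=8):
    """Return {(source, verdict): packet count} for (timestamp, source) pairs."""
    limiter = SourceLimiter(rate, burst)
    counts = {}
    for ts, src in packets:
        key = (src, limiter.decide(src, ts))
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed traffic: one source sends 256 packets in a second, another
# sends 2 packets per second for 5 seconds, a third is on the deny list.
FLOOD = [(i / 256, "198.51.100.7") for i in range(256)]
NORMAL = [(i * 0.5, "203.0.113.20") for i in range(10)]
DENIED = [(0.125, "10.1.2.3")]
SAMPLE = sorted(FLOOD + NORMAL + DENIED)

if __name__ == "__main__":
    for key, n in sorted(run(SAMPLE).items()):
        print(key, n)
```

The flooding source is cut to its burst plus the refill rate while the slow source never loses a packet, which is the property that keeps the network reachable for its core users.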

    4. Intrusion Prevention Systems or IPS based systems

    Intrusion prevention systems can be statistical anomaly-based, stateful protocol analysis or signature based. For signature based detection, attack patterns that are known are used to identify similar incoming patterns. Statistical anomaly-based IPS create a baseline and respond when traffic departs from that baseline, while stateful protocol analysis detection uses deviations from predefined protocol states to detect activity.

    For attacks that have a signature, it is easy to use IPS systems to prevent DDOS attacks. For such attacks, the malicious content received quickly triggers the system to prevent the passage of suspect data. Some attacks that are hidden under legitimate content can be hard to detect until the attack has proceeded to cripple the network. DDOS attacks can be content or behavior based. Content based intrusion prevention systems cannot block behavior based DDOS attacks, and vice versa.

    Application specific Integrated Circuit or ASIC Intrusion Prevention Systems can block and detect DDOS attacks based on the fact that they have the processing power and the ability to break down the traffic into its simplest level.

    On the other hand, a rate-based IPS or RBIPS system usually analyses the traffic coming into a network to pick out any anomalies but lets the legitimate traffic through.
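The statistical anomaly-based approach above, a learned baseline plus a response when traffic exceeds it, is shown here as an added example that is not taken from the article or from any IPS product. The class, its parameters and the per-second packet counts are constructed; the `freeze` switch compares a baseline that ignores flagged intervals with one that keeps learning from them.

```python
import math

class RateBaseline:
    """Moving baseline of packets per interval; flags counts far above it."""

    def __init__(self, alpha=0.2, k=4.0, warmup=5, floor=5.0, freeze=True):
        self.alpha = alpha    # weight given to the newest interval
        self.k = k            # deviations above the mean treated as anomalous
        self.warmup = warmup  # first intervals are used for learning only
        self.floor = floor    # minimum deviation, so small jitter never alerts
        self.freeze = freeze  # skip baseline updates for flagged intervals
        self.mean, self.var, self.seen = None, 0.0, 0

    def threshold(self):
        return self.mean + self.k * max(math.sqrt(self.var), self.floor)

    def observe(self, count):
        self.seen += 1
        if self.mean is None:
            self.mean = float(count)
            return False
        anomalous = self.seen > self.warmup and count > self.threshold()
        if not (anomalous and self.freeze):
            # Exponentially weighted update of mean and variance.
            diff = count - self.mean
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return anomalous

def flagged(counts, freeze=True):
    """Indices of the intervals the detector reports as anomalous."""
    detector = RateBaseline(freeze=freeze)
    return [i for i, c in enumerate(counts) if detector.observe(c)]

# Constructed packets-per-second counts: steady traffic, a flood lasting
# three intervals, then a return to normal.
SAMPLE = [100, 104, 97, 102, 99, 101, 105, 98, 900, 950, 920, 103, 100]

if __name__ == "__main__":
    print("frozen baseline :", flagged(SAMPLE))
    print("always updating :", flagged(SAMPLE, freeze=False))
```

With the baseline frozen during alerts, all three flood intervals are flagged; when the detector keeps learning, the first flood interval inflates the baseline and the next two pass unnoticed.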

    5. Black Holing and Sink Holing

    Sink holing refers to sending traffic to an IP that works so that it receives incoming traffic and filters it to remove the bad traffic. Black holing on the other hand refers to sending incoming traffic that is affecting a server to a nonexistent IP address. To make black holing more efficient, an ISP is used.

    6. Prevention Using proactive testing

    A testing platform can be used to identify areas of weakness in a network. The information received from these systems can be used to direct the setting up of manual and automated systems which can be used for line backup in case the network comes under a DDOS attack.

    7. Using Clean Pipes

    This type of DDOS protection technique routes all incoming traffic through a cleaning or scrubbing center that separates DDOS traffic or any other suspect traffic while allowing ordinary traffic through. To manage this facility, the network must be connected to the internet. To clean the incoming traffic, various methods are used. These include direct circuits, tunnels and proxies.

    8. Application front end hardware

    Hardware can be used as part of a staggered defense against attacks, and stands as the first line of defense against DDOS attacks. Application front end software is placed in front of the server to block traffic flooding attacks into a network. Using algorithms that scan and categorize incoming packets, application front end hardware labels the incoming traffic based on different criteria including high priority, regular or dangerous.

    Author: Savannah R Bentley
    Author Notes: Savannah Bentley is an avid blogger and web hosting technology expert. She also contributes to RivalHost, a leading web hosting company specializing in DDOS protection and DDOS mitigation. Get more information at http://www.rivalhost.com.