There are four letters that will cause dread in practically any network administrator: DDoS, a Distributed Denial-of-Service attack. It is one of the most common forms of malicious attack against websites and other online services, and also one of the hardest to defend against.
The basic theory behind a DDoS is simple: get a large number of computers to send a huge volume of requests to an online server at the same time. Every server has a ceiling on the number of connection requests it can handle at once, so the flood exhausts that capacity and keeps the server from serving legitimate users. Alternatively, the attack simply consumes all of the available bandwidth before employees and customers can use it.
Many of the highest-profile operations in technology have been victims of DDoS attacks in recent years, including the Steam and PlayStation Network gaming services, Microsoft, Google, the US government, and plenty of others. A single DDoS attack can cause millions in damages and lost sales.
The bad news is this: there is no such thing as perfect DDoS protection. A sufficiently large and widespread attack can overcome any defense. However, it is generally only the largest companies that have to worry about efforts on that scale. If a smaller operation is hit with a DDoS, the attack is often manageable, provided the company has taken precautions beforehand.
So today we want to highlight some of the most common methods of DDoS prevention and mitigation.
At the bare minimum, you need a modern hardware firewall. Most security appliances from companies such as ADTRAN, Cisco, and Meraki include DDoS-detection features and will attempt to block a flood of requests coming from single sources. They can often also recognize and drop spoofed or otherwise malformed malicious packets. This is usually enough to stop "basement" DDoS attempts, but it will not stand up to larger coordinated efforts.
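The two checks described above, per-source flood detection and rejection of spoofed packets, are easy to see in miniature. The following is an added example written for this article, not the logic of any appliance named here: it reads constructed access-log lines, keeps a sliding window of request timestamps per source address, and flags any source that exceeds an assumed threshold inside that window. It also separates out requests whose source address falls in a range that can never legitimately arrive from the Internet (RFC 1918 and similar), the classic sign of a spoofed packet. The threshold, window, bogon list and log lines are all assumptions made for the example.

```python
"""Added example: per-source request-flood and bogon-source detection
over constructed log lines. Illustrative defender-side logic only."""
from collections import defaultdict, deque
from datetime import datetime
import ipaddress

# Tunables (assumed values for the example; real thresholds depend on the site).
THRESHOLD = 5          # more than this many requests per window from one source = flood
WINDOW_SECONDS = 10

# Source ranges that should never appear as the client on an Internet-facing
# edge. Kept deliberately short; production bogon lists are longer. The
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) are *not*
# listed because they stand in for ordinary public clients in the sample data.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Constructed sample log: "<ISO timestamp> <source IP> <method> <path>".
# 198.51.100.7 and 192.0.2.4 are normal clients (192.0.2.4 sends six requests,
# but 20 seconds apart); 203.0.113.9 sends eight requests in eight seconds;
# 10.0.0.5 is an RFC 1918 address arriving from the outside.
SAMPLE_LOG = """\
2024-01-01T12:00:00 198.51.100.7 GET /index.html
2024-01-01T12:00:05 192.0.2.4 GET /login
2024-01-01T12:00:10 203.0.113.9 GET /index.html
2024-01-01T12:00:11 203.0.113.9 GET /index.html
2024-01-01T12:00:12 203.0.113.9 GET /index.html
2024-01-01T12:00:13 203.0.113.9 GET /index.html
2024-01-01T12:00:14 203.0.113.9 GET /index.html
2024-01-01T12:00:15 203.0.113.9 GET /index.html
2024-01-01T12:00:16 203.0.113.9 GET /index.html
2024-01-01T12:00:17 203.0.113.9 GET /index.html
2024-01-01T12:00:20 10.0.0.5 GET /admin
2024-01-01T12:00:25 192.0.2.4 POST /login
2024-01-01T12:00:30 198.51.100.7 GET /about.html
2024-01-01T12:00:45 192.0.2.4 GET /account
2024-01-01T12:01:00 198.51.100.7 GET /contact.html
2024-01-01T12:01:05 192.0.2.4 GET /account/orders
2024-01-01T12:01:25 192.0.2.4 GET /logout
2024-01-01T12:01:45 192.0.2.4 GET /index.html
"""


def parse_line(line):
    """Split one log line into (timestamp, source, method, path)."""
    ts, src, method, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, method, path


def is_bogon_source(addr):
    """True if addr falls in a range that cannot be a real Internet client."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETWORKS)


def detect_floods(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return (flooding_sources, spoofed_sources) for chronologically ordered lines."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    flooding, spoofed = set(), set()
    for line in lines:
        if not line.strip():
            continue
        ts, src, _method, _path = parse_line(line)
        if is_bogon_source(src):
            spoofed.add(src)      # impossible source: record it, do not count toward rate
            continue
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            flooding.add(src)
    return flooding, spoofed


if __name__ == "__main__":
    flooding, spoofed = detect_floods(SAMPLE_LOG.splitlines())
    print("flooding sources:", sorted(flooding))
    print("spoofed sources:", sorted(spoofed))
```

The point of the sliding window is that rate, not total volume, is what distinguishes a flood: 192.0.2.4 makes more requests overall than the threshold but never more than one inside any ten-second window, so it is left alone, while 203.0.113.9 crosses the threshold on its sixth request. Real appliances apply the same idea to connection attempts rather than completed requests, which is why a flood of spoofed sources, each used once, slips past per-source counting and needs the bogon check or upstream help instead.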
As we discussed previously, there is hardly such a thing as "too much bandwidth." Among the many reasons to have significantly more bandwidth than you normally need is that the headroom helps absorb a DDoS: a flood that would have saturated a smaller link leaves room for legitimate traffic on a larger one. It buys time rather than stopping the attack, since any link can still be filled by a large enough flood.
If Server A is being hammered, but attackers don't know about backup Server B, you may be able to switch over and thus dodge the attack. Many cloud-based backup systems include this sort of functionality, and it's a good idea to discuss such options with your backup providers.
If you rely on VoIP networks, equipment with eSBC (enterprise session border controller) features is nearly essential. The eSBC sits at the outer edge of your network, between the incoming phone lines and your own systems, and is there specifically to watch for attacks built on SIP connection requests, the signalling used to set up VoIP calls, aimed at your VoIP systems.
There is, unsurprisingly, a growing niche in managed security services that focuses specifically on DDoS attacks and similar efforts. These companies are cloud-based and bring large amounts of hardware to bear against an attack. They often use "brute force" methods, such as operating huge servers whose only purpose is to absorb massive attacks by acting as buffers in front of your own systems. As insurance against a major attack, it may be worth the money, especially for growing operations that fear they are moving into "high profile" territory.
There is no perfect defense against DDoS attacks, but there are still plenty of options for improving your defenses. If you are in doubt about your own security, feel free to contact Hummingbird Networks for a free consultation on your security implementation.