Welcome back! In the first half of this blog, we discussed why DDoS attacks are such a big concern, where they come from, and why traditional security measures like router-and-firewall combinations really are not sufficient to stop a major attack.
The tactics being used by attack groups are becoming more advanced, and the only real solution is to step up your own security as well. Backup network systems at a separate location are a good idea, but they're expensive to maintain, and largely a stopgap solution.
The good news is that new defenses are being developed for DDoS protection. Let's take a look at what the latest-generation anti-DDoS systems look like.
1 - Active Intrusion Prevention Systems
An IPS differs from an Intrusion Detection System (IDS) in that the software is much more empowered: it acts rather than just reports. At the risk of being anthropomorphic, an IPS is something like an automated security officer, patrolling your network with the ability to shut down connections or re-configure routers on its own initiative.
They all work on a similar principle: statistical anomaly detection. They run for a while and compile a baseline of "normal" network usage, then watch for anything outside that norm. Minor deviations are merely reported to the admin, while major ones get immediate action.
Modern IPS systems are highly robust, although configuring them can be a challenge. The more empowered a "smart" software system is, the more chance it can mess things up if it's poorly directed. They have a tendency towards false alarms (a "better safe than sorry" attitude) and need ongoing oversight.
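The baseline-then-threshold logic described above, as an added illustration (not code from any IPS product or from this blog): a learning period of connections-per-second samples becomes a mean and standard deviation, each new observation is scored by how many standard deviations it sits above that baseline, and the tiers map to "report" versus "act". The thresholds and the sample data are constructed assumptions, not vendor defaults.

```python
import statistics

# Constructed sample: connections-per-second seen during a quiet learning period.
BASELINE_SAMPLES = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 37, 46, 41, 40, 43]

# Constructed observations to score: (timestamp, connections-per-second).
OBSERVED = [
    ("10:00:01", 44),   # within normal variation
    ("10:00:02", 52),   # mild spike: worth a report, not an action
    ("10:00:03", 900),  # flood-like: act immediately
]

# Assumed thresholds in standard deviations above the baseline mean.
MINOR_Z = 3.0    # report to the admin only
MAJOR_Z = 10.0   # take action on the IPS's own initiative

def build_baseline(samples):
    """Return (mean, stdev) learned from the quiet period."""
    mean = statistics.mean(samples)
    # A perfectly flat baseline would make every deviation infinite; floor it at 1.
    stdev = statistics.pstdev(samples) or 1.0
    return mean, stdev

def classify(value, mean, stdev):
    """Map one observation to 'normal', 'minor' or 'major' by its z-score."""
    z = (value - mean) / stdev
    if z >= MAJOR_Z:
        return "major", z
    if z >= MINOR_Z:
        return "minor", z
    return "normal", z

def respond(events, baseline):
    """Simulate the IPS decision loop: report minor events, act on major ones."""
    mean, stdev = baseline
    actions = []
    for ts, value in events:
        tier, z = classify(value, mean, stdev)
        if tier == "major":
            actions.append((ts, "BLOCK", round(z, 1)))   # e.g. push a rate-limit rule upstream
        elif tier == "minor":
            actions.append((ts, "REPORT", round(z, 1)))  # notify a human, change nothing
    return actions

if __name__ == "__main__":
    for action in respond(OBSERVED, build_baseline(BASELINE_SAMPLES)):
        print(action)
```

Note that the false-alarm tendency the text mentions lives entirely in where MINOR_Z and MAJOR_Z are set; a short or unusually quiet learning period shrinks the standard deviation and makes ordinary traffic look anomalous.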
2 - Upstream Mitigation Gear
The other main focus in anti-DDoS systems is putting more hardware at the very edge of the network boundary, preferably as the first device at the handoff point between you and your ISP. This effectively establishes a new firewall, but at the border rather than near the user-access level.
These buffed-out firewalls can handle a gigabyte of data flow per second or more, with the explicit function of filtering out all improper requests before they get anywhere near your mission-critical hardware.
At present, the combination of upstream mitigation gear, such as newer Cisco firewalls, and active IPS systems is considered the "state of the art" in most enterprise-level networking.
3 - Enterprise Border Session Control
eSBC virtually always includes elements of both hardware and software, and as the name suggests, it's aimed at protecting the outer edge of a network's boundary. It's generally focused on VoIP applications and hardware, which are now becoming popular targets of attack.
eSBC can greatly reduce the chances of spoofed Session Initiation Protocol (SIP) requests, which are otherwise sent in plaintext, by insisting on end-to-end encryption. It can also oversee VoIP traffic or limit connection streams if high demand (or malicious activity) threatens to overwhelm the network.
There's Always A Bigger Storm
In the years to come, eSBC will almost certainly become a bigger area of investment as more companies come to embrace VoIP and need to mitigate the security concerns it creates.
Finally, a small dose of realism: Right now, the theoretical ability of botnets to overwhelm servers greatly exceeds any current defense mechanisms if someone is REALLY serious about attacking you. The good news is that such attacks are almost solely reserved for high-level multinational targets like Sony and Microsoft.
These measures will provide reasonably reliable security for most everyday businesses against everyday attacks.
Do you need more advice on protecting yourself against attack? Please don't hesitate to ask your questions below, or contact Hummingbird for a free security consultation!