Methods to Combat Distributed Denial of Service (DDoS) Attacks
DDOS attacks create a huge burden for businesses. They are costly for businesses,
both in terms of lost revenue and added costs. DDoS attack protection plays a
fundamental role in keeping businesses online. Here are some of the strategies that
are being used to ensure provision of services to the consumer is uninterrupted.
1. At the Firewall level
Network administrators can use simple rules to prevent or let in IPs, protocols or ports.
Depending on where the firewall is located in the networks hierarchy, firewalls are well suited
to stopping internal flooding attacks even though they may not have the intelligence to determine
More complex attacks however are usually hard to sort out because it is not possible
to drop all traffic to a port as this may prevent legitimate traffic from getting to the server.
Firewalls that are too deep within the network may not help much because routers may
get clogged before the traffic gets to the firewall. However, they form a great defense against
simple DDoS attacks.
2. The Switch as a DDOS Mitigation Tool
Switches are usually built with an automatic control list capacity. As a result, they
can limit data floods at a system wide level or by traffic shaping, delayed binding or TCP
splicing, deep packet inspection and bogon filtering. Traffic or packet shaping delays some
or all data bringing them into a desired traffic profile. This is a form of traffic rate limiting.
It can be used to increase the usable bandwidth of specific traffic by sacrificing bandwidth
access for others. Delayed binding allows a router to receive more routing information for
specific traffic by postponing connection between a client and a server.
WM Message: A "bogon" is a packet with an IP address from a reserved address space
or from an address space that has not yet been allocated by an Internet authority.
Network administrators can set these parameters manually or use manufacturer default settings.
3. At the Router Level
Network engineers can manually set the rate limiting ability of their router and configure
a control list. As a result of these changes, routers can prevent flooding of requests from
a DDOS attack, keeping a network accessible to its core users.
4. Intrusion Prevention Systems or IPS based systems
Intrusive prevention systems can be statistical anomaly-based, stateful protocol analysis
or signature based. For signature based detection, attack patterns that are known are used
to identify similar incoming patterns. Statistical anomaly-based IPS create a baseline and
respond when the characteristic baseline is flaunted while stateful protocol analysis detection
uses deviations from predefined protocol states to detect activity.
For attacks that have a signature, it is easy to use IPS systems to prevent DDoS Attacks.
For such attacks, the malicious content received quickly triggers the system to prevent the
passage of suspect data. Some attacks that are hidden under legitimate content can be hard
to detect until the attack has proceeded to cripple the network. DDoS attacks can be content
or behavior based. Content based intrusion prevention systems cannot block behavior based
DDoS attack, and vice versa.
Application specific Integrated Circuit or ASIC Intrusion Prevention Systems can block
and detect DDoS attacks based on the fact that they have the processing power and the ability
to break down the traffic into its simplest level.
On the other hand, a rate-based IPS or RBIPS system usually analyses the traffic coming
into a network to pick out any anomalies but let the legitimate traffic through.