Mitigation of DDoS Attacks
Distributed denial of service attacks are becoming more common and more sophisticated. Some high-profile attacks against businesses around the world have led firms that specialize in DNS security to invest heavily in creating a reliable and consistent defense. As an industry, we’re not where we want to be yet, but there are steps that all companies can take to mitigate the damage from DDoS attacks. It comes down to three core facets: preparation, identification and response.
Organizations must prepare for DDoS attacks and other DNS security issues before they occur. In fact, the attacks that have historically caused the greatest financial damage have been directed at businesses that had never been targeted and had not planned for the eventuality.
Preparation begins with ensuring that all system security is current and that there are multiple layers of access. A key technique for mitigating DDoS attacks is detecting them as far away from the targeted system as possible. Adequate preparation requires regular security assessments, along with working with your IP provider and your equipment and software vendors to create tiered defenses.
How well you mitigate a DNS security breach comes down to how fast and accurately you detect it. There are four primary detection methods: whitelists, blacklists, rolling blacklists and pattern detection.
Whitelists and blacklists are a manual process. Any IP on a whitelist is given the go-ahead at the earliest access point and can even be given priority and other privileges. If an IP is on a blacklist, its communication requests can simply be ignored at the earliest point of access. Rolling blacklists are a means of temporarily blocking IPs that may be communicating maliciously.
Pattern detection is among the most effective ways to detect a DDoS attack. This means that organizations should track and analyze traffic on an hourly, daily, weekly and seasonal basis. A regular pattern will form, and current traffic can be compared against that pattern to detect irregularities.
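The baseline comparison described above, together with the rolling blacklist from the previous paragraph, as an added example that is not part of the original article. The traffic history is constructed: seven days of hourly request counts with deterministic jitter stand in for the hourly and daily records an organization would keep, and the threshold multiplier `k` and the absolute `floor` margin are assumed tuning values.

```python
from statistics import mean, pstdev

# Constructed sample: requests per hour for one typical day (hours 0..23).
NORMAL_DAY = [120, 90, 70, 60, 60, 80, 150, 300, 520, 640, 700, 720,
              760, 740, 700, 680, 600, 480, 420, 380, 320, 260, 200, 150]
# Seven days of constructed history with small deterministic jitter; this
# stands in for the hourly/daily traffic records the article recommends.
HISTORY = [[c + (d * 7 + h * 3) % 40 for h, c in enumerate(NORMAL_DAY)]
           for d in range(7)]

def build_baseline(history):
    """Per-hour (mean, stdev) across the recorded days: the 'regular pattern'."""
    return [(mean(col), pstdev(col)) for col in zip(*history)]

def flag_irregular(baseline, today, k=4.0, floor=50):
    """Hours whose count exceeds mean + k*stdev. 'floor' is a minimum absolute
    margin so quiet hours with near-zero stdev do not alert on ordinary noise.
    Returns (hour, observed_count, threshold) tuples."""
    flagged = []
    for hour, count in enumerate(today):
        mu, sd = baseline[hour]
        threshold = mu + max(k * sd, floor)
        if count > threshold:
            flagged.append((hour, count, round(threshold, 1)))
    return flagged

class RollingBlocklist:
    """Temporary blocks that lapse on their own, unlike a static blacklist."""
    def __init__(self):
        self._expiry = {}   # ip -> time (seconds) at which the block lapses

    def block(self, ip, now, ttl=600):
        self._expiry[ip] = now + ttl

    def is_blocked(self, ip, now):
        exp = self._expiry.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self._expiry[ip]   # lapsed: forget it so the list stays small
            return False
        return True

if __name__ == "__main__":
    today = list(NORMAL_DAY)
    today[14], today[15] = 7000, 6800          # constructed two-hour flood
    print(flag_irregular(build_baseline(HISTORY), today))
```

Seasonal baselines follow the same shape with a longer key (hour of week, or week of year) instead of hour of day.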
Early and accurate detection means little if you can’t or don’t respond in an appropriate manner. Specific protocols are required to respond to a DDoS attack or any DNS security breach. There must be a protocol in place to:
• Update static and rolling blacklists and whitelists
• Alert all relevant in-house and third-party individuals and organizations
• Back up data, put redundancies in place and swap in non-infected equipment
It’s also imperative to maintain comprehensive logs of the event in real time. This information will be needed if legal or civil action against the attacker or attackers is possible. More importantly, your in-house and third-party security teams will need that information to assess vulnerabilities and put better defensive measures in place.