Saturday , 18 August 2018

A Five-Point Checklist For Selecting Effective DDoS Mitigation

It doesn’t take many minutes of listening to the radio to understand that not all singers are equally talented. For every Kelly Clarkson there seems to be five or six singers for whom singing on-key is apparently a suggestion, not a requirement. Which makes perfect sense. A minivan doesn’t drive like a coupe, a bungalow isn’t built like a mansion. Moreover your DIY website isn’t as good as a choosing a professional web developer even if you tell them to use the same platform.

So why is it that so many website owners and businesses seem to think any DDoS protection is good DDoS protection? That’s not how anything in technology works. You have to hire experts who specialize in their field. To have good DDoS mitigation, you need a good DDoS mitigation service. Here are five of the boxes that service should tick before you think about investing in it.

Intelligent Detection

Before there can be protection, there must be detection. Since there’s no way to actually prevent a distributed denial of service (DDoS) attack attempt, the best you can hope for is that the attack is detected far enough upstream that it never affects the target website or online service. This means your DDoS mitigation service needs to have granular traffic inspection that can immediately identify attack traffic (even clever application layer attack traffic designed to mimic legitimate traffic).

Your best bet for the kind of detection that keeps attacks from gaining a foothold is with a cloud-based managed service positioned at the edge of your network. With more traditional, on-premise DDoS security measures, even websites and businesses prepared for these attacks often falter in the face of an assault because attack traffic isn’t recognized until it has already reached and overwhelmed security measures like firewalls and load balancers.

Anti-Bot And Bot-Friendly Policies All In One

This piggybacks on the point above about the importance of intelligent traffic analysis, but it’s important enough to be its own consideration. If your website is going to succeed you need to be able to keep bad bots – like DDoS traffic – off it while rolling out the red carpet for good bots like Googlebots.

This requires an advanced client classification process that includes HTTP header data inspection, IP and ASN verification, firewall management, behavior monitoring, IP reputation and client technology fingerprinting which includes looking at attributes like JavaScript footprint and cookie support. This level of inspection coupled with progressive challenges designed to test bots that can’t immediately be classified as good or bad can root out even the most impressively legitimate-seeming impostor bots.

Total Transparency For Users

It’s no mistake that you keep seeing variations of the idea of legitimate users being unimpeded or unaffected cropping up in this list. The goal of a DDoS attack is to deny users access to the website or service they are trying to reach or use. So even if attack traffic never reaches its target, if users are slowed down, caught in a traffic bottleneck, bounced alongside attack traffic, or redirected to a splash page while things get sorted out, guess what: the attackers win because users are being denied services.

Truly effective DDoS mitigation has to protect sites and services while keeping users from realizing anything is amiss during an attack. The entire process needs to be completely transparent.

Impressive Network Capacity And Forwarding Capabilities

We’ve talked about the brains (traffic inspection and client classification), so now let’s talk about the brawn. To deal with the massive attacks that have become de rigueur thanks to tremendous Internet of Things mega botnets and incredible amplification techniques, distributed denial of service mitigation services need to have multi-Tbps of on-demand scrubbing capacity as well as the ability to process billions of attack packets per second. Anything less and your mitigation service is going to buckle under the next wave of unimaginably huge DDoS attacks, which is undoubtedly on its way.

A Time To Mitigation Measured In Seconds

With pulse wave attacks and other DDoS assaults that immediately smash targets with 10+ Gbps, no botnet warm-up period needed, a DDoS attack can succeed in less than a minute, which means your service needs to be up and running in, well, less than that.

Always-on deployment coupled with an SLA time to mitigation that clocks in at under 30 seconds and preferably under 15 is what you need to protect against the attacks coming from professional attackers who, unfortunately, are quite smart and know that many DDoS mitigation services and on-premise solutions have no chance of keeping up.

Choosing Wisely

This particular category of cyberattacks can be a difficult one to wade into since the world of DDoS attacks and the world of DDoS protection can seem equally wild at times. However, by keeping a few key points in mind before you make your mitigation service selection you can be sure you’re getting the kind of protection this assault-laden landscape requires.

Image from http://cybersecgroup.info/incident-response/cyber-crime-investigation/ddos-attack-investigation

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Scroll To Top