Successfully mitigating DDoS attacks rests on a few fundamentals: knowing what to monitor; monitoring those indicators around the clock; having the technology and capability to identify and mitigate attacks while still letting legitimate traffic reach its destination; and having the real-time skills and experience to solve problems as they arise. The best practices discussed below reflect these principles.
1. Centralized monitoring
A centralized monitoring function lets you observe the whole network and its traffic patterns from a single place. A small team dedicated to traffic monitoring keeps that monitoring continuous.
2. Understand what normal network traffic looks like
To establish a baseline of normal traffic, the enterprise should regularly collect packet samples and related data from switches, routers and other devices. You need to know the types of traffic (for example SMTP, HTTP and HTTPS), when it arrives (every Wednesday, or on the first day of each month), where it enters, and how much of it there is. Build a monitoring profile covering more than a year of normal traffic patterns and feed that information into a correlation engine used for threat detection, alerting and reporting.
3. Track historical DDoS trends and global threat intelligence
Continuously track and analyze global attack patterns, verify potential and emerging attacks quickly, and fold the lessons learned into the incident response process. Use existing intelligence to look for predefined anomalies (that is, signature analysis). Let internal information gathering and third-party intelligence providers complement each other, and participate in industry security groups and forums: information sharing helps reveal abnormal activity.
4. Implement dedicated DDoS alerting, logging and reporting
Make sure the alerts raised show the security administrator the signs of a DDoS attack, including attacks that do not announce themselves through sheer traffic volume. Implement logging and correlation to collect detailed attack data that can be used to prevent future attacks. Implement a clear process for collecting and evaluating the overall state of transactions, traffic, applications and protocols, and for incident reporting. Remember that transaction reports matter as much as traffic reports: a sharp drop in the expected number of completed transactions is a stronger indicator of suspicious activity than an increase in traffic.
5. Work with experienced security researchers
Even the best monitoring, detection, alerting, logging and reporting tools are useless if the enterprise does not know how to act on the data. Security researchers should be able to tell suspicious traffic from legitimate traffic and adjust the response strategy as the situation changes.
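Items 2 and 4 above are straightforward to turn into code. The following is an added example, not code from the original article or from F5: it builds a per-weekday, per-hour, per-protocol baseline from constructed traffic windows and then raises two kinds of alert, a volume spike measured in standard deviations above normal, and the transaction-drop signal item 4 describes, which fires even when traffic volume looks ordinary. The history values, thresholds and field names are all assumptions made for the example.

```python
"""Traffic baseline and DDoS alerting over constructed sample windows.

Added example: not code from the original article or from F5.
Each window is (weekday, hour, protocol, megabytes, completed_transactions),
as a collector might summarize it from switch/router samples and application logs.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: eight ordinary Wednesday 10:00 windows of HTTPS traffic.
HISTORY = [
    (2, 10, "https", mb, tx) for mb, tx in
    [(100, 1000), (105, 1020), (98, 990), (102, 1010),
     (99, 995), (101, 1005), (103, 1015), (97, 980)]
]


def build_baseline(history):
    """Per (weekday, hour, protocol) bucket: mean and std-dev of volume and transactions."""
    buckets = defaultdict(lambda: {"mb": [], "tx": []})
    for weekday, hour, proto, mb, tx in history:
        buckets[(weekday, hour, proto)]["mb"].append(mb)
        buckets[(weekday, hour, proto)]["tx"].append(tx)
    return {
        key: {
            "mb_mean": mean(v["mb"]), "mb_std": pstdev(v["mb"]),
            "tx_mean": mean(v["tx"]), "tx_std": pstdev(v["tx"]),
        }
        for key, v in buckets.items()
    }


def evaluate(baseline, weekday, hour, proto, mb, tx, z_limit=3.0, tx_floor=0.5):
    """Compare one observed window against its baseline bucket.

    Returns a list of alert strings; an empty list means the window looks normal.
    Two independent rules:
      * volume: traffic more than z_limit standard deviations above normal;
      * transactions: completed transactions below tx_floor of normal, which
        catches attacks that do not show up as a traffic spike at all.
    """
    key = (weekday, hour, proto)
    if key not in baseline:
        return ["no-baseline: %r" % (key,)]
    b = baseline[key]
    alerts = []
    std = b["mb_std"] or 1.0          # flat history: avoid division by zero
    z = (mb - b["mb_mean"]) / std
    if z > z_limit:
        alerts.append("volume: %d MB is %.1f std-devs above %.1f MB" % (mb, z, b["mb_mean"]))
    if tx < tx_floor * b["tx_mean"]:
        alerts.append("transactions: %d is below %.0f%% of normal %.0f"
                      % (tx, tx_floor * 100, b["tx_mean"]))
    return alerts


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(evaluate(base, 2, 10, "https", 103, 990))   # normal window: []
    print(evaluate(base, 2, 10, "https", 150, 990))   # volumetric flood
    print(evaluate(base, 2, 10, "https", 104, 400))   # traffic normal, transactions collapse
```

The third call is the case the article singles out: traffic volume is within a standard deviation of normal, yet completed transactions have fallen by more than half, so the transaction rule fires while the volume rule stays quiet. In a real deployment the bucket key would include the ingress point as well, and the history would span more than a year as item 2 recommends.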
Best Practice 2: Define a clear, continuously evolving response plan
A systematic program and method are essential to mitigating DDoS attacks effectively. It has four steps:
1. Define a set of standard incident response operating procedures
When developing the procedures, take into account the internal infrastructure, services and applications, and the customer and partner resources, that may be affected. Where necessary, write separate standard operating procedures for specific attack types or specific resources under attack. Review the procedures regularly and run regular drills to make sure they are current and work as intended.
2. Set up an incident response team
Do not wait until an attack hits in the early hours of the morning to work out whom to contact. Prepare, publish and frequently update an escalation contact list covering internal teams, affected customers, vendors, partners and upstream suppliers such as application service providers (ASPs). If you rely on an Internet service provider (ISP) to mitigate DDoS attacks, your service requests may be queued behind those of other companies unless you are a large customer.
3. Resolve issues across functional departments
Because protection against DDoS attacks is a matter of business continuity, it is an enterprise-wide goal. Identify the specific areas where functional departments and responsibilities overlap. Barriers between departments (for example the network team and the information security team) must be broken down, incident response roles and responsibilities clarified, and accountability strengthened.
4. Prepare for downtime (outages caused by failures)
Know which systems are vital to the enterprise, and develop and test three continuity plans for network or service failures: short-term, medium-term and long-term.
Best Practice 3: Use layered filtering
The purpose of DDoS mitigation is to eliminate malicious, illegitimate traffic with minimal latency while allowing only valid traffic into the network. The most effective way to achieve this is a multi-layer filtering and verification process that draws on all the methods described above.
1. Filter traffic in layers
Use signature analysis, dynamic analysis (based on monitoring and analysis of normal behavior), anti-spoofing algorithms and other techniques to actively filter harmful traffic in the upstream network.
2. Apply filters at multiple layers of the OSI stack
Some attacks can be mitigated with filters at the network layer, but today's attacks are more complex and deeper, and must be analyzed and filtered at multiple layers, including the application layer.
3. Rate-limit traffic when necessary
To keep low-tolerance resources from being overwhelmed, limit the rate of traffic when necessary, based on bandwidth or on the number of concurrent connections.
4. Change and customize filters quickly
When needed, standard filters (signatures) can be applied and removed quickly, or custom filters generated in response to changes in the attack as it plays out on the network.
5. Strengthen the rule set over time
Analyze the various kinds of intelligence, monitoring data, alerts and report logs, both internal and external, and use that information to keep updating the rule set.
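As an added example of steps 1 to 4 above (not F5's code and not from the original article), the following Python class runs each packet through four stages in order: an anti-spoofing check at the network layer, application-layer signature matching, a dynamic per-source rate check, and a concurrent-connection cap that protects low-tolerance back-ends. Signatures can be added or removed while the filter is running. The signature patterns, thresholds, address ranges and packet fields are constructed for the example and are not real IDS rules.

```python
"""Layered DDoS filtering: anti-spoofing, signatures, per-source rate, connection cap.

Added example, not code from the original article or from F5. Packets are
modelled as (src_ip, conn_id, payload, timestamp); all thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict, deque

# Source ranges that must never arrive on the Internet-facing side (RFC 1918 private
# space, loopback, "this network"); a packet claiming one is treated as spoofed.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Hypothetical application-layer signatures constructed for this example (not real IDS rules):
# name -> byte pattern looked for in the payload.
DEFAULT_SIGNATURES = {
    "oversized-post": b"Content-Length: 9999999",
    "dns-any-query": b"\x00\xff\x00\x01",   # QTYPE=ANY, QCLASS=IN after the DNS QNAME
}


class LayeredFilter:
    def __init__(self, max_pps_per_src=50, max_conns_per_src=10, window_seconds=1.0):
        self.signatures = dict(DEFAULT_SIGNATURES)
        self.max_pps = max_pps_per_src
        self.max_conns = max_conns_per_src
        self.window = window_seconds
        self.recent = defaultdict(deque)   # src -> packet timestamps inside the window
        self.conns = defaultdict(set)      # src -> currently open connection ids

    # Filters are adjusted at runtime as the attack changes (step 4 above).
    def add_signature(self, name, pattern):
        self.signatures[name] = pattern

    def remove_signature(self, name):
        self.signatures.pop(name, None)

    def close_connection(self, src, conn_id):
        self.conns[src].discard(conn_id)

    def _packets_per_second(self, src, ts):
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        return len(q) / self.window

    def check(self, src, conn_id, payload, ts):
        """Return (verdict, reason) for one packet; stages run cheapest first."""
        addr = ipaddress.ip_address(src)
        # Stage 1, network layer: anti-spoofing.
        if any(addr in net for net in BOGON_NETS):
            return ("drop", "spoofed-source")
        # Stage 2, application layer: signature analysis.
        for name, pattern in self.signatures.items():
            if pattern in payload:
                return ("drop", "signature:" + name)
        # Stage 3, dynamic analysis: is this source sending far more than a normal client?
        if self._packets_per_second(src, ts) > self.max_pps:
            return ("drop", "rate-limit")
        # Stage 4, rate limiting by concurrent connections, protecting low-tolerance back-ends.
        open_conns = self.conns[src]
        if conn_id not in open_conns and len(open_conns) >= self.max_conns:
            return ("drop", "connection-limit")
        open_conns.add(conn_id)
        return ("allow", None)


if __name__ == "__main__":
    f = LayeredFilter()
    print(f.check("10.1.2.3", "c1", b"GET / HTTP/1.1", 0.0))              # spoofed source
    print(f.check("198.51.100.7", "c2", b"POST / HTTP/1.1\r\nContent-Length: 9999999\r\n", 0.0))
    print(f.check("203.0.113.5", "c3", b"GET / HTTP/1.1", 0.0))           # allowed
```

The stage order matters: the cheap network-layer checks run first so that spoofed floods never reach the payload scan, and the per-source rate and connection counters only ever see traffic that has already passed the signature stage, which keeps them from being skewed by packets that would be dropped anyway. A production filter would take the per-source rate threshold from the traffic baseline rather than a constant.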
Best Practice 4: Build in scalability and flexibility
To keep systems functioning under attack, enterprises need a highly scalable and flexible infrastructure.
1. Capacity on demand
This includes bandwidth and hardware processing capacity, as well as the scalability to handle the traffic load. Adequate capacity is crucial, but maintaining enough of it in-house is often unrealistic: buying extra bandwidth, let alone extra servers, to absorb a massive attack is expensive. Moreover, over-provisioning bandwidth is often not enough in today's environment, because DDoS attacks are growing in scale at an astonishing rate while the link from an enterprise network to the Internet is typically 1 Gbps or less.
2. Find the breaking point
You need to know how your infrastructure behaves under attack. Characterize the traffic and determine which components will fail first under heavy load. For example, know at what point the firewall or web server will fail, and which packets or queries hurt one system more than others. Test these scenarios in a mirror of the production environment rather than relying on forecasts, and re-test after any change to the infrastructure.
3. Load-balance the infrastructure
Once the breaking points are known, the next step is to load-balance the infrastructure, with the goal of optimizing traffic flow under both normal and peak loads.
4. Consider the scalability of monitoring tools
Monitoring tools must keep working under heavy load. During some bandwidth-consuming DDoS attacks the monitoring itself falters and may even report erroneous data; some tools, for example, simply keep reporting the same value because they cannot count any higher.
5. Diversify hardware and software
This is not a call to build a complex IT environment. Rather, some DDoS attacks are designed against the hardware or software of a particular vendor, so consider buying hardware and software tools from more than one vendor.
6. Distributed model
Where possible, use a distributed model to build and maintain redundancy for high-value applications and services.
F5 anti-DDoS tips: six best methods to reduce the harm of DDoS attacks