F5 anti-DDoS tips: six best methods to reduce the harm of DDoS attacks

Source: Internet
Author: User

Successful DDoS mitigation rests on a few fundamentals: knowing what to monitor, monitoring those indicators around the clock, having the technology and capability to identify and mitigate attacks while still letting legitimate traffic reach its destination, and having the real-time skills and experience to resolve problems. The best practices discussed below reflect these principles.



1. Centralized monitoring


With centralized monitoring, the entire network and its traffic patterns can be observed from one location. A small team responsible for traffic monitoring keeps that supervision continuous and consistent.


2. Understand the traffic patterns of a normal network


To establish a baseline of normal traffic, the enterprise should regularly collect sample packets and other relevant data from switches, routers, and other devices. You need to know the types of traffic (for example, SMTP, HTTP, and HTTPS), when it arrives (every Wednesday, or the first day of each month), where it enters, and how much there is. Build a monitoring map of normal traffic patterns covering more than a year, and feed this information into a correlation engine for threat detection, alerting, and reporting.


3. Track historical DDoS trends and global threat intelligence


Continuously track and analyze global attack patterns, quickly verify potential and new attacks, and incorporate lessons learned into the appropriate incident responses. Use existing intelligence to look for predefined anomalies (that is, signature analysis). Let internal information gathering and third-party intelligence providers complement each other, and participate in industry security groups and forums. Information sharing helps reveal abnormal activity.


4. Implement a dedicated DDoS alerting, logging, and reporting system


Make sure that the alerts issued show the security administrator the signs of a DDoS attack, including attacks that are not necessarily recognizable by volume alone. Implement a logging and correlation system to collect detailed attack data that can be used to prevent future attacks. Implement a clear process for collecting and evaluating the overall status of transactions, traffic, applications, protocols, and incident reports. Remember that transaction reports are as important as traffic reports. For example, a sharp drop in the expected number of transactions is a stronger indicator of suspicious activity than an increase in traffic.
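The baseline described in point 2 and the transaction-versus-traffic comparison described above, as an added Python illustration (not code from the article or from F5): the baseline is built per weekday, hour and protocol from constructed sample data, and a drop in transactions is rated more severe than a rise in traffic volume. The names, thresholds and sample numbers are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed hourly samples for the baseline: (weekday, hour, protocol, MB, transactions).
# Weekday 2 is Wednesday; the numbers are invented for illustration.
BASELINE_SAMPLES = [
    (2, 9, "HTTP", 120, 4000), (2, 9, "HTTP", 130, 4200),
    (2, 9, "HTTP", 125, 4100), (2, 9, "HTTP", 118, 3900),
    (2, 9, "SMTP", 10, 300), (2, 9, "SMTP", 12, 320),
    (2, 9, "SMTP", 11, 310), (2, 9, "SMTP", 9, 290),
]

def build_baseline(samples):
    """Group samples by (weekday, hour, protocol); keep mean/stddev of MB and transactions."""
    buckets = defaultdict(list)
    for wd, hr, proto, mb, tx in samples:
        buckets[(wd, hr, proto)].append((mb, tx))
    baseline = {}
    for key, vals in buckets.items():
        mbs = [v[0] for v in vals]
        txs = [v[1] for v in vals]
        baseline[key] = {"mb_mean": mean(mbs), "mb_sd": pstdev(mbs),
                         "tx_mean": mean(txs), "tx_sd": pstdev(txs)}
    return baseline

def evaluate(baseline, wd, hr, proto, mb, tx, z=3.0):
    """Compare one observed hour against the baseline and return (severity, message)
    alerts. A transaction drop is rated "high" and a traffic rise only "medium",
    following the article's point that transaction reports are the stronger signal."""
    key = (wd, hr, proto)
    if key not in baseline:
        return [("info", f"no baseline for {key}")]
    b = baseline[key]
    # Floor the stddev at 5% of the mean so a very stable history does not
    # turn every small fluctuation into an anomaly.
    mb_sd = max(b["mb_sd"], 0.05 * b["mb_mean"])
    tx_sd = max(b["tx_sd"], 0.05 * b["tx_mean"])
    alerts = []
    if mb > b["mb_mean"] + z * mb_sd:
        alerts.append(("medium", f"{proto} traffic {mb} MB above baseline {b['mb_mean']:.0f} MB"))
    if tx < b["tx_mean"] - z * tx_sd:
        alerts.append(("high", f"{proto} transactions {tx} below baseline {b['tx_mean']:.0f}"))
    return alerts

if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    for alert in evaluate(base, 2, 9, "HTTP", 900, 1200):
        print(alert)
```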


5. Work with experienced security researchers


If an enterprise does not know how to act on the data, even the best monitoring, detection, alerting, logging, and reporting equipment is useless. Security researchers should be able to distinguish suspicious traffic from legitimate traffic and change the response strategy as the situation changes.


Best Practice 2: Define a clear and constantly evolving process


A systematic program and method are essential to effectively mitigate DDoS attacks. There are four steps:


1. Define a set of standard incident response operating procedures


When developing operating procedures, take into account the internal infrastructure, services, applications, and customer and partner resources that may be affected. If necessary, develop separate standard operating procedures for specific types of attacks or for specific resources under attack. Review the standard operating procedures regularly and run regular drills to ensure they are up to date and work properly.


2. Set up an incident response team


Do not wait until the middle of the night during an attack to determine whom to contact. An escalation contact list should be prepared, published, and updated frequently, covering internal teams, relevant customers, vendors, partners, and upstream suppliers (such as application service providers, ASPs). If you rely on an Internet service provider (ISP) to mitigate DDoS attacks, your service requests may be queued behind requests from other companies unless your company is a large one.


3. Resolve responsibilities across functional departments


Because protection against DDoS attacks is a matter of business continuity, it is an enterprise-wide goal. Identify the specific areas where functional departments and responsibilities overlap. The barriers between departments (such as the network team and the information security team) must be broken down, the roles and responsibilities for incident response must be clarified, and accountability must be strengthened.


4. Prepare for downtime caused by failures


You need to understand which systems are vital to the enterprise, and develop and test three plans for network or service failures: short-term, medium-term, and long-term continuity plans.


Best Practice 3: Use layered filtering


The purpose of DDoS mitigation is to eliminate malicious, illegitimate traffic with minimal latency and allow only valid traffic into the network. The most effective way to achieve this is a multi-layer filtering and verification process that takes advantage of all the methods described above.


1. Filter traffic in layers


Use signature analysis, dynamic analysis (based on monitoring and analysis of normal behavior), anti-spoofing algorithms, and other techniques to actively filter harmful traffic in the upstream network.


2. Apply filters at multiple layers of the OSI stack


Although some attacks can be reduced by filtering at the network layer, current attacks are more complex and go deeper, so they need to be analyzed and filtered at multiple layers, including the application layer.


3. Limit the traffic rate when necessary


To prevent low-tolerance resources from being overwhelmed, you can limit the traffic rate when necessary, based on bandwidth or on the number of concurrent connections.
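The two limits named above, as an added Python illustration that is not code from the article or from any F5 product: a per-source cap on concurrent connections plus a per-source token bucket for bytes, the kind of policy a mitigation layer applies in front of a low-tolerance backend. The class name, the injectable clock and the limits in the demo are assumptions; real thresholds would be tuned from the traffic baseline.

```python
import time
from collections import defaultdict

class SourceLimiter:
    """Per-source rate limiting: a hard cap on open connections and a
    token bucket (bytes_per_sec refill, burst_bytes capacity) for bandwidth.
    The clock is injectable so behaviour can be checked without sleeping."""

    def __init__(self, max_conns, bytes_per_sec, burst_bytes, clock=time.monotonic):
        self.max_conns = max_conns
        self.rate = bytes_per_sec
        self.burst = burst_bytes
        self.clock = clock
        self.conns = defaultdict(int)   # src -> open connections
        self.tokens = {}                # src -> (tokens, last_refill_time)

    def open_conn(self, src):
        """Admit a new connection from src only if it is under the concurrency cap."""
        if self.conns[src] >= self.max_conns:
            return False
        self.conns[src] += 1
        return True

    def close_conn(self, src):
        if self.conns[src] > 0:
            self.conns[src] -= 1

    def allow_bytes(self, src, nbytes):
        """Admit nbytes from src if its bucket holds enough tokens; refill by elapsed time."""
        now = self.clock()
        tokens, last = self.tokens.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if nbytes <= tokens:
            self.tokens[src] = (tokens - nbytes, now)
            return True
        self.tokens[src] = (tokens, now)   # reject, but keep the refilled balance
        return False

if __name__ == "__main__":
    # Constructed demo: 2 connections and 100 B/s with a 200 B burst per source.
    lim = SourceLimiter(max_conns=2, bytes_per_sec=100, burst_bytes=200)
    print([lim.open_conn("10.0.0.1") for _ in range(3)])      # third is refused
    print(lim.allow_bytes("10.0.0.1", 150), lim.allow_bytes("10.0.0.1", 100))
```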


4. Change and customize filters quickly


When necessary, you can quickly apply and remove standard filters (signatures), or generate custom filters as the attack on the network changes.


5. Strengthen the rule set over time


Analyze the various types of domestic and international intelligence, monitoring, alert, and report logs, and use this information to continuously update the rule set.


Best Practice 4: Build in scalability and flexibility


To ensure that systems keep functioning under attack, enterprises must have a highly scalable and flexible infrastructure.


1. Capacity on demand


This capacity includes bandwidth and hardware processing power, as well as the scalability to handle traffic loads. Adequate capacity is crucial, but maintaining enough of it within the enterprise is often unrealistic. For example, buying extra bandwidth, or even extra servers, to absorb massive attacks costs a lot of money. In addition, in today's environment over-provisioning bandwidth is often insufficient, because the scale of DDoS attacks is growing at an astonishing pace while the link from an enterprise network to the Internet is generally 1 Gbps or less.


2. Locate the critical points


You need to know how your infrastructure behaves under attack. Characterize the traffic and determine which components will collapse first under heavy load. For example, you need to know at what point the firewall or web server will fail, and which packets or queries cause more serious consequences on one system than on others. These scenarios must be tested in an environment that mirrors production, not merely forecast, and re-tested after any part of the infrastructure changes.


3. Build load balancing into the infrastructure


Once the critical points are identified, the next step is to build load balancing into the infrastructure, with the goal of optimizing traffic flow under normal and peak loads.


4. Consider the scalability of monitoring tools


Monitoring tools must keep working under high load. In some bandwidth-consuming DDoS attacks, monitoring often stalls or even reports incorrect data. For example, some monitoring tools just keep reporting the same value because they cannot report anything beyond it.


5. Increase the diversity of hardware and software


Rather than creating needless complexity, a diverse IT environment is meant to defend against DDoS attacks that target the hardware or software of a particular vendor. For this reason, you may wish to purchase hardware and software tools from multiple vendors.


6. Distributed model


Where possible, use a distributed model to build and maintain redundancy for high-value applications and services.

