Home / Blogs

DDoS Mitigation: A Blend of Art and Science

Miguel Ramos

As DDoS attacks become larger, more frequent and complex, being able to stop them is a must. While doing this is part science, a matter of deploying technology, there is also an art to repelling sophisticated attacks.

Arbor Networks, Citrix and others make great gear, but there's no magic box that will solve all your problems for you. Human expertise will always be a crucial ingredient.

The Science

Certain attacks can be mitigated purely through automation. For example, you can set up proper access control lists on your routers, which can block connections to ports through which you have no services. (That is, you can define a list of services authorized to receive traffic, while at the same time dropping all other traffic.) Some attackers randomly try certain attack vectors, hoping to get lucky and flood your infrastructure — without investigating which type of attack might actually work best. When properly configured, your routers and firewalls will automatically drop such traffic, without it even reaching your servers. This is can be very effective and should be part of any mitigation strategy.

Equally effective are advanced AI algorithms, which are often built into routers and DDoS mitigation hardware. These algorithms can give you a picture of an attack in progress. You can also tune their settings to drop traffic when certain thresholds are met. AI algorithms do very well at handling simple attacks (SYN floods, UDP floods, etc.). The catch: Without careful tuning, they can automatically drop good traffic, defeating your goal of continuing business as usual. If your business is profiled on CNN, resulting in surging traffic, your gear may very well kick in and legitimate traffic could be blocked.

The Art

To avoid that sort of situation, you need to spend considerable time tuning your mitigation hardware, so it can tell good traffic from bad. Even this will not always be enough. These days, anyone with decent software development skills can craft attacks that zero in on key infrastructure. He or she will make educated guesses about your website: which parts feature dynamic content, possibly back-ended by a database, and even which parts might be making high-CPU/memory database calls. An attack can be easily masked to look like legitimate traffic. In fact, 10 properly designed simultaneous connections might be enough to take down a cluster! Such attacks take time and creativity to block, no matter if you have the latest mitigation hardware.

The same thing is true when a large, distributed botnet generates thousands of legitimate-looking requests. Automation alone will help you only so much. With the right expertise and hands-on experience, you can set up filters to drop bad traffic.

A Balanced Approach to Stopping Attacks

Before you lose millions in downtime, revenue and brand equity, make sure your mitigation includes both art and science. Remember, even the best technology won't excel without the right guidance. When comes to fighting DDoS attacks, you need both man and machine.

If you don't have the expertise in house, consider a third-party solution like Neustar SiteProtect, a cloud-based service which not only fuses technology from leading vendors (Arbor, Citrix and Juniper, along with several others) but backs it with the experts in our Security Operations Center.

By Miguel Ramos, Sr. Product Manager, Neustar Enterprise Services

Related topics: Cyberattack, Cybersecurity, DDoS, DNS, Net Neutrality


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Mobile Internet

Sponsored by Afilias Mobile & Web Services

IP Addressing

Sponsored by Avenue4 LLC

DNS Security

Sponsored by Afilias


Sponsored by Verisign

Promoted Posts

Buying or Selling IPv4 Addresses?

Discover ACCELR/8, a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll