
DDoS Mitigation: A Blend of Art and Science

Miguel Ramos

As DDoS attacks become larger, more frequent and complex, being able to stop them is a must. While doing this is part science, a matter of deploying technology, there is also an art to repelling sophisticated attacks.

Arbor Networks, Citrix and others make great gear, but there's no magic box that will solve all your problems for you. Human expertise will always be a crucial ingredient.

The Science

Certain attacks can be mitigated purely through automation. For example, you can set up proper access control lists on your routers, which can block connections to ports through which you have no services. (That is, you can define a list of services authorized to receive traffic, while at the same time dropping all other traffic.) Some attackers randomly try certain attack vectors, hoping to get lucky and flood your infrastructure — without investigating which type of attack might actually work best. When properly configured, your routers and firewalls will automatically drop such traffic, without it even reaching your servers. This can be very effective and should be part of any mitigation strategy.
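The allowlist-style ACL described above, modelled in Python as an added illustration (this is not code from the original post or from any vendor's product). The permitted service list, the packet records and the flood sample are all constructed for the example; the point it shows is that an ACL ending in an implicit deny drops a blindly sprayed flood without any per-attack tuning.

```python
"""Allowlist ACL filter: permit known services, drop everything else.

Added illustration, not from the original post. The service list and the
packet batch are constructed; a real deployment would express the same rule
in the router's own ACL syntax.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str   # "tcp" or "udp"
    dport: int


# Services this hypothetical edge actually offers: the permit list.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)}


def acl_decision(pkt, allowed=ALLOWED_SERVICES):
    """Return 'permit' if the packet targets an authorized service, else 'drop'.

    Mirrors an ACL that ends in an implicit deny: anything not explicitly
    permitted is dropped before it reaches a server.
    """
    return "permit" if (pkt.proto, pkt.dport) in allowed else "drop"


def filter_packets(packets, allowed=ALLOWED_SERVICES):
    """Apply the ACL to a batch; return (permitted, dropped, drop counts per port)."""
    permitted, dropped = [], []
    drop_by_port = Counter()
    for pkt in packets:
        if acl_decision(pkt, allowed) == "permit":
            permitted.append(pkt)
        else:
            dropped.append(pkt)
            drop_by_port[(pkt.proto, pkt.dport)] += 1
    return permitted, dropped, drop_by_port


# Constructed sample: a little legitimate web/DNS traffic mixed with a blind
# UDP flood sprayed at random high ports (the "hoping to get lucky" pattern).
SAMPLE = (
    [Packet("198.51.100.10", "tcp", 443),
     Packet("198.51.100.11", "tcp", 80),
     Packet("198.51.100.12", "udp", 53)]
    + [Packet("203.0.113.%d" % i, "udp", 1024 + (i * 7919) % 60000) for i in range(50)]
)

if __name__ == "__main__":
    ok, bad, by_port = filter_packets(SAMPLE)
    print("permitted:", len(ok), "dropped:", len(bad))
    print("most-dropped ports:", by_port.most_common(3))
```

The per-port drop counter is the part worth keeping in production: a sudden spike in drops on ports you never serve is itself a useful early signal that someone is probing or flooding, even though the ACL already handled the traffic.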

Equally effective are advanced AI algorithms, which are often built into routers and DDoS mitigation hardware. These algorithms can give you a picture of an attack in progress. You can also tune their settings to drop traffic when certain thresholds are met. AI algorithms do very well at handling simple attacks (SYN floods, UDP floods, etc.). The catch: Without careful tuning, they can automatically drop good traffic, defeating your goal of continuing business as usual. If your business is profiled on CNN, resulting in surging traffic, your gear may very well kick in and legitimate traffic could be blocked.
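The tuning catch in the paragraph above, shown as an added Python illustration (not code from the original post or from any mitigation appliance). Two windows of SYN arrivals are constructed with the same total volume: one from a flash crowd of many distinct clients, one from a flood out of five sources. An aggregate-only threshold treats both the same; a per-source threshold plus a source-diversity check separates them. The thresholds are assumed values and would need to be set from your own baseline.

```python
"""Threshold-based SYN flood detection with a flash-crowd check.

Added illustration, not from the original post. Shows why an untuned
aggregate threshold blocks a legitimate surge while a per-source rule with a
diversity check does not. All windows and thresholds are constructed.
"""
from collections import Counter


def summarize_window(syn_sources):
    """Count SYNs per source IP within one observation window."""
    return Counter(syn_sources)


def aggregate_only_verdict(counts, aggregate_threshold):
    """Naive rule: mitigate as soon as total SYNs per window exceed a ceiling."""
    return "mitigate" if sum(counts.values()) > aggregate_threshold else "normal"


def tuned_verdict(counts, aggregate_threshold, per_source_threshold, min_sources_for_crowd):
    """Tuned rule.

    Individual sources over the per-source threshold are listed as offenders.
    A surge over the aggregate ceiling only escalates to blanket mitigation if
    it comes from few sources (a flood); many distinct, individually modest
    clients are treated as a flash crowd and allowed through.
    """
    offenders = sorted(src for src, n in counts.items() if n > per_source_threshold)
    total = sum(counts.values())
    if total <= aggregate_threshold:
        return "normal", offenders
    if len(counts) >= min_sources_for_crowd and not offenders:
        return "flash_crowd", offenders
    return "mitigate", offenders


# Constructed one-second windows.
# Flash crowd: 2000 distinct clients sending one SYN each.
FLASH_CROWD = ["10.%d.%d.1" % (i // 256, i % 256) for i in range(2000)]
# SYN flood: five sources sending 400 SYNs each (same total as the crowd).
SYN_FLOOD = ["192.0.2.%d" % (i % 5) for i in range(2000)]

AGG = 1000      # assumed SYN/window ceiling
PER_SRC = 50    # assumed SYN/window allowance per source
CROWD = 500     # assumed number of distinct sources that makes a surge a crowd

if __name__ == "__main__":
    for name, window in (("flash crowd", FLASH_CROWD), ("syn flood", SYN_FLOOD)):
        c = summarize_window(window)
        print(name, "| naive:", aggregate_only_verdict(c, AGG),
              "| tuned:", tuned_verdict(c, AGG, PER_SRC, CROWD)[0])
```

The diversity check is deliberately simple; a spoofed flood can also present many distinct sources, which is why the paragraph's advice stands: the thresholds are a starting point that still needs a human looking at what the traffic actually is.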

The Art

To avoid that sort of situation, you need to spend considerable time tuning your mitigation hardware, so it can tell good traffic from bad. Even this will not always be enough. These days, anyone with decent software development skills can craft attacks that zero in on key infrastructure. He or she will make educated guesses about your website: which parts feature dynamic content, possibly back-ended by a database, and even which parts might be making high-CPU/memory database calls. An attack can be easily masked to look like legitimate traffic. In fact, 10 properly designed simultaneous connections might be enough to take down a cluster! Such attacks take time and creativity to block, even if you have the latest mitigation hardware.

The same thing is true when a large, distributed botnet generates thousands of legitimate-looking requests. Automation alone will help you only so much. With the right expertise and hands-on experience, you can set up filters to drop bad traffic.
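One way to build the kind of filter the two paragraphs above describe, as an added Python illustration (not code from the original post or from Neustar). Because a handful of requests to an expensive dynamic endpoint can hurt more than hundreds of cheap static hits, this scores each client by the server cost it induces rather than by request count. The access-log lines, the endpoint cost table and the budget are all constructed; real cost weights would come from profiling your own application.

```python
"""Spotting low-volume application-layer attacks in web access logs.

Added illustration, not from the original post. Weights each request by a
hypothetical per-endpoint cost and flags clients whose induced cost exceeds
a budget, regardless of how few requests they sent. Log lines and costs are
constructed.
"""
import re
from collections import defaultdict

# Hypothetical relative cost (CPU/DB time) per endpoint prefix, from profiling.
ENDPOINT_COST = {
    "/": 1,
    "/static/": 0.1,
    "/search": 40,          # dynamic, database-backed
    "/report/export": 250,  # high-CPU aggregation query
}

# Common-log-format subset: client IP, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]+" (\d{3})')


def endpoint_cost(path):
    """Longest-prefix match of the path against the cost table; default cost 1."""
    best, best_len = 1, -1
    for prefix, cost in ENDPOINT_COST.items():
        if path.startswith(prefix) and len(prefix) > best_len:
            best, best_len = cost, len(prefix)
    return best


def score_clients(log_lines):
    """Return {client_ip: (request_count, total_induced_cost)}."""
    stats = defaultdict(lambda: [0, 0.0])
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        ip, path, _status = m.groups()
        stats[ip][0] += 1
        stats[ip][1] += endpoint_cost(path.split("?", 1)[0])
    return {ip: (n, cost) for ip, (n, cost) in stats.items()}


def flag_by_cost(stats, cost_budget):
    """Clients whose induced cost exceeds the budget, however few requests they made."""
    return sorted(ip for ip, (_, cost) in stats.items() if cost > cost_budget)


LINE = '%s - - [01/Jan/2017:10:00:%02d +0000] "GET %s HTTP/1.1" 200 512'

# Constructed log: many ordinary clients fetching static content, one noisy
# but cheap client, and one client making ten requests to the costliest
# endpoint (the "10 properly designed connections" case).
SAMPLE_LOG = (
    [LINE % ("198.51.100.%d" % (i % 200), i % 60, "/static/app.js") for i in range(300)]
    + [LINE % ("198.51.100.250", i % 60, "/static/app.js") for i in range(100)]
    + [LINE % ("203.0.113.7", i % 60, "/report/export?range=all") for i in range(10)]
)

if __name__ == "__main__":
    stats = score_clients(SAMPLE_LOG)
    print("flagged by cost budget 500:", flag_by_cost(stats, 500))
    print("noisy-but-cheap client:", stats["198.51.100.250"])
```

The noisy client with 100 requests is not flagged while the ten-request client is, which is the distinction a request-count threshold cannot make. Choosing the weights and the budget is the part that takes the hands-on expertise the post talks about.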

A Balanced Approach to Stopping Attacks

Before you lose millions in downtime, revenue and brand equity, make sure your mitigation includes both art and science. Remember, even the best technology won't excel without the right guidance. When it comes to fighting DDoS attacks, you need both man and machine.

If you don't have the expertise in house, consider a third-party solution like Neustar SiteProtect, a cloud-based service which not only fuses technology from leading vendors (Arbor, Citrix and Juniper, along with several others) but backs it with the experts in our Security Operations Center.

By Miguel Ramos, Sr. Product Manager, Neustar Enterprise Services
