For DDoS-Hope is NOT a Strategy!

While bad actors conducting DDoS attacks often target sites or services hosted on high-profile web servers such as e-tailers, banks, or credit card payment gateways, any organization can be hit. Motivation runs the gamut from activism, revenge, blackmail/ extortion, or terrorism. Worse still, as technology advances so do the many ways to launch a DDoS attack. Out on the dark web there are freely available network stressors and DDoS tools that can be acquired, configured, and controlled via botnets and other command and control tools. More advanced tools include nation state-backed “Internet Cannons” that weaponize valid Internet user traffic by rewriting HTTP requests to flood targeted websites.

1. Take assessment–objectively and honestly determine your strengths, gaps, vulnerabilities, and threats; hire a qualified 3rd party if necessary

2. Adopt a framework–this is the foundation to your entire enterprise-level security program and DDoS protections within it; NIST, ISO, SANS – pick one

3. Incident response plan–Create and regularly practice an all-hazards plan with a crisis communication plan built-in

4. Solid router and firewall configs– look to expert advice from the OEM and for solid “hardening standards”

5. Traffic threshold monitoring–find out what “normal” amounts of traffic to your sites look like and then create a threshold to alert on

6. Cloud based DDoS defense systems– lots of great vendors; check the think thanks for ratings and ask other colleagues for their experiences

7. Enhanced DNS protection services– same as above; the best spot and stop trouble before it ever gets close to your network

8. IDS/IPS–Use next generation firewalls with built-in intrusion detection and prevention (IDS/IPS) coupled with Border Gateway Protocol (BGP) to stop DDoS attacks.

9. WAF—A web application firewall(WAF) acts like an anti-malware tool that blocks malicious attacks on your website(s). It sits above your application at the network level to provide protection before the attacks reach your server. As a bonus, using a WAF not only protects you against DDoS attacks, but also generally improves application performance and enhances user experience.

10. Upstream filtering–provided by your ISP, includes reputation based blocking - a feature called Unicast Reverse-Path Forwarding to silently drop—or “blackhole”—the bad traffic.

With forethought and planning, you don’t have to rely on hope when it comes to dealing with DDoS.