Falling victim to a distributed denial of service (DDoS) attack can be disastrous. The average cost to a business of a successful DDoS attack is about $100,000 for every hour the attack lasts. There are long-term costs too: loss of reputation, brand degradation, and lost customers, all leading to lost business. That's why it is worth spending significant resources to prevent a DDoS attack, or at least to minimize the risk of becoming a victim of one, rather than focusing on how to stop an attack once it has started.
Understanding DDoS attacks
Most denial of service (DoS) attacks involve sending large volumes of traffic at an IP address. If the IP address points to a web server, legitimate traffic will be unable to reach it and the website becomes unavailable. Another type of DoS attack is a flood attack, where a group of servers is flooded with requests that the victim machines have to spend resources processing.
DDoS attacks work by generating traffic from multiple sources, although they are orchestrated from one central point. The fact that the traffic sources are scattered, often throughout the world, makes DDoS attack prevention much harder than preventing DoS attacks originating from a single IP address.
Let's learn how to prevent DDoS attacks.
1. Buy more bandwidth
The most essential step you can take to make your infrastructure "DDoS resistant" is to ensure that you have enough bandwidth to absorb spikes in traffic that may be caused by malicious activity.
2. Build redundancy into your infrastructure
To make it difficult for an attacker to launch a DDoS attack against your servers, make sure you spread them across multiple data centers with a good load balancing system to share traffic between them. If possible, these data centers should be in different countries or different regions of the same country.
3. Configure your network hardware against DDoS attacks
There are plenty of simple hardware configuration changes you can use to help prevent a DDoS attack. For example, configuring your firewall or router to drop incoming ICMP packets or block DNS responses from outside your network (by blocking UDP port 53) can help block certain DNS and ping-based volumetric attacks.
4. Deploy anti-DDoS hardware and software modules
Your servers should be guarded by network firewalls and more specialized web application firewalls, and you should probably use load balancers as well. Many hardware vendors now include software protection against DDoS protocol attacks such as SYN floods, for example by monitoring how many incomplete (half-open) connections exist and flushing them when the number reaches a configurable threshold value.
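The half-open connection guard described above, as an added example written for this article (not code from any vendor's product; the threshold, timeout and the TEST-NET addresses in the traffic are constructed):

```python
from collections import OrderedDict

# Constructed model of a SYN-flood guard: remember each SYN that has not yet
# been followed by the handshake-completing ACK, and flush the oldest entries
# once the table passes a configurable threshold. Timed-out SYNs are dropped too.
class HalfOpenTable:
    def __init__(self, threshold=64, timeout=3.0):
        self.threshold = threshold    # max half-open entries before flushing
        self.timeout = timeout        # seconds after which a SYN is stale
        self.pending = OrderedDict()  # (src_ip, src_port) -> time SYN was seen
        self.flushed = 0              # half-open entries dropped so far
        self.completed = 0            # handshakes that finished normally

    def on_syn(self, src_ip, src_port, now):
        self._expire(now)
        key = (src_ip, src_port)
        self.pending.pop(key, None)   # retransmitted SYN: move to newest slot
        self.pending[key] = now
        while len(self.pending) > self.threshold:
            # Over threshold: evict the oldest half-open entry. Spoofed SYNs
            # never complete, so they age out first while fresh clients survive.
            self.pending.popitem(last=False)
            self.flushed += 1

    def on_ack(self, src_ip, src_port, now):
        # Third step of the handshake: a real client answered, free its slot.
        if self.pending.pop((src_ip, src_port), None) is None:
            return False              # no matching SYN (flushed, stale, unseen)
        self.completed += 1
        return True

    def _expire(self, now):
        while self.pending and now - next(iter(self.pending.values())) > self.timeout:
            self.pending.popitem(last=False)
            self.flushed += 1

def simulate():
    table = HalfOpenTable(threshold=8, timeout=2.0)
    # Constructed traffic: a legitimate client (TEST-NET-2 address) completes...
    table.on_syn("198.51.100.7", 40000, now=0.0)
    first_ok = table.on_ack("198.51.100.7", 40000, now=0.1)
    # ...then 50 SYNs from distinct spoofed TEST-NET-3 sources that never ACK.
    for i in range(50):
        table.on_syn(f"203.0.113.{i + 1}", 50000 + i, now=0.2 + i * 0.001)
    # A client arriving mid-flood still connects: its SYN is newest, so it is
    # not evicted before its ACK lands a few milliseconds later.
    table.on_syn("198.51.100.8", 40001, now=0.3)
    second_ok = table.on_ack("198.51.100.8", 40001, now=0.31)
    return first_ok, second_ok, len(table.pending), table.flushed, table.completed
```

Running `simulate()` returns `(True, True, 7, 43, 2)`: both legitimate clients connected, while the flood never held more than the threshold of 8 slots and 43 spoofed entries were flushed.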
5. Deploy a DDoS security appliance
Many security vendors, including NetScout Arbor, Fortinet, Check Point, Cisco, and Radware, offer devices that sit in front of network firewalls and are intended to block DDoS attacks before they can take effect.
They do this using a number of techniques, including baselining normal traffic behavior and then blocking traffic that deviates from it, and blocking traffic that matches known attack signatures.
6. Defend your DNS servers
Don't forget that an attacker may be able to take your web servers offline by DDoSing your DNS servers. For that reason, it is important that your DNS servers have redundancy, and placing them in different data centers behind load balancers is a good idea. An even better solution may be to move to a cloud-based DNS provider that can offer high bandwidth and multiple points of presence in data centers around the world.