I'm still no better informed as to how to protect against DDoS attacks....
DDoS attacks: For the hell of it or targeted – how do you see them off?
Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them? Originally, out-of-band or scrubbing-centre DDoS protection was the only show in town, but another approach, inline mitigation, provides a viable and automatic alternative. DDoS attacks can be massive, in some cases …
COMMENTS
-
Thursday 22nd September 2016 10:39 GMT astrax
Mitigation misnomer
Ironically, non-direct effects of DDoS attacks are pretty common. For example, one may experience intermittent packet loss due to an attack on another one of your ISP's customers who happens to share the same DC router as you. In those instances, it is very unlikely that either an inline or out-of-band solution would kick in. That's why I genuinely believe that unless your company has some *serious* bandwidth using multiple ISPs, the only realistic form of mitigation is upstream at the ISP level.
Dropping attack packets is all well and good; dealing with pipe saturation with limited network resources is a different ball game entirely. The priority of any DDoS mitigation technique should be the preservation of legitimate traffic rather than the elimination of attack packets. Yes, you can't achieve the former without addressing the latter, but there are other factors to consider too (diverse routing, geographically diverse hosting etc.).
-
Thursday 22nd September 2016 11:02 GMT IanCa
not the best explained article
Was half expecting a sales pitch at the end from one of the on-premises (inline) anti-DDoS box vendors.
As per astrax, it's only worth doing on-premises / inline mitigation if you have enough raw upstream bandwidth to be able to handle a volumetric attack, i.e. you either are a decent size ISP, or an enterprise with LOTS of upstream (which do exist, I work at one). OR, you adopt a split strategy: on-premises / always-on for low/slow, upstream either in your ISP, or offload (e.g. BGP redirect) for high volume.
-
Thursday 22nd September 2016 19:10 GMT Tabor
Re: Cloud-based DDoS defences introduce delays
Routers and DNS servers? The "and so on" might include web servers. Often poorly secured, or vulnerable in other ways (SQL injection is still a thing unfortunately) and ideal to start a DDoS attack from. Because usually in a DC, and with a big upstream pipe...