Protecting infrastructure elements against DoS and DDoS attacks

Michael Donner, Prolexic’s SVP and chief marketing officer explains DDoS attacks

Michael Donner from Prolexic says that DDoS attackers are scrutinising enterprise infrastructure for weaknesses.

By Michael Donner. Published January 29, 2013


Distributed denial of service (DDoS) attacks that target infrastructure are designed to exhaust the bandwidth and/or packet-processing thresholds of a network, its backbone, or the devices and elements on that network. Those devices and elements include routers, switches, firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS).

Infrastructure DDoS attacks are usually well planned before they are executed. Like any predator, an intelligent DDoS attacker will first observe and probe the victim’s infrastructure to uncover every possible weakness. For example, the attacker may use one of the latest DDoS toolkits to quickly determine which links are the weakest, that is, which can be brought down with the fewest attack resources from the attacker’s network. Armed with this knowledge, the attacker can quickly design and execute a devastating DDoS attack against those weak infrastructure elements. For example, a firewall that has 10 Gbps ports but is configured to inspect only 2 Gbps of traffic can be overwhelmed as soon as attack traffic exceeds the 2 Gbps inspection threshold: the ports are not the bottleneck, the inspection capacity is.

DDoS protection strategies

DDoS attackers are scrutinising your infrastructure for weaknesses. Beat them to the punch: learn what each of your infrastructure elements can and cannot handle under the various types of DDoS attack. Look at your infrastructure as a whole to determine where weaknesses and flaws exist, and determine the maximum request capacity of each element. Most critically, know the answer to this question: where is the first place your infrastructure would fail under a DDoS attack?

Next, decide which infrastructure element thresholds to monitor, based on your knowledge of how the various types of denial of service attack would affect your infrastructure at each point. Ideally you will monitor every element, with emphasis on the weakest links. Again, it is critical to know the maximum capacity of each element in both packets per second and bits per second, so that any internal DDoS monitoring you deploy alerts you to an attack early enough to leave time to act. The end result should be a clear infrastructure map showing how application traffic traverses the network and how each element could be affected by a DDoS attack.

Flow-based monitoring is a best practice for alerting on DDoS attacks that target infrastructure elements, and most DDoS mitigation providers offer it today. For example, Prolexic’s PLXfbm flow-based monitoring service is designed to provide early detection and notification of DDoS attacks by monitoring a customer’s edge routers directly. Ideally, flow-based monitoring should be combined with an application-layer monitoring service such as PLXabm, which alerts on Layer 7 abuse of HTTP and HTTPS traffic. Together, these tools provide close monitoring of DDoS attacks targeting the network, the backbone, or the devices and elements on the network, so organisations can limit downtime and the financial impact of an attack.
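One way to put the capacity map and threshold monitoring described above into practice, as an added Python example that is not Prolexic’s code or PLXfbm: the traffic path, the per-element ceilings and the per-minute flow aggregates are all constructed, and the firewall entry mirrors the 10 Gbps port / 2 Gbps inspection example above. It reports the element that saturates first for a given traffic mix and raises a warning before any ceiling is reached.

```python
"""Capacity map, weakest-link lookup and threshold alerting over flow samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    max_bps: float  # ceiling in bits per second (inspection/forwarding, not port speed)
    max_pps: float  # ceiling in packets per second


# Constructed traffic path, edge inward. The firewall follows the article's example:
# 10 Gbps ports but only 2 Gbps of inspection capacity, so 2 Gbps is its real ceiling.
PATH = [
    Element("edge-router", 10e9, 15e6),
    Element("firewall", 2e9, 1.5e6),
    Element("ips", 5e9, 3e6),
    Element("core-switch", 40e9, 60e6),
]


def load_ratio(e, bps, pps):
    """Fraction of the element's ceiling in use; whichever unit is more loaded wins."""
    return max(bps / e.max_bps, pps / e.max_pps)


def weakest_link(path, bps, pps):
    """Element that saturates first as this traffic mix scales up, with its load ratio."""
    return max(((e.name, load_ratio(e, bps, pps)) for e in path), key=lambda r: r[1])


def alerts_from_flows(path, samples, warn_at=0.7):
    """samples: constructed (timestamp, interval_s, bytes, packets) aggregates, the kind
    an edge-router flow export yields. Warning below the ceiling leaves time to act."""
    out = []
    for ts, secs, nbytes, npkts in samples:
        bps, pps = nbytes * 8 / secs, npkts / secs
        for e in path:
            r = load_ratio(e, bps, pps)
            if r >= warn_at:
                out.append((ts, e.name, "CRITICAL" if r >= 1.0 else "WARN", round(r, 2)))
    return out


FLOW_SAMPLES = [  # constructed one-minute aggregates seen at the edge router
    (0, 60, 3_000_000_000, 18_000_000),      # 400 Mbps, 300 kpps: normal load
    (60, 60, 12_000_000_000, 72_000_000),    # 1.6 Gbps, 1.2 Mpps: firewall nearing ceiling
    (120, 60, 22_500_000_000, 240_000_000),  # 3 Gbps, 4 Mpps: small-packet flood
]

if __name__ == "__main__":
    print(weakest_link(PATH, 4e8, 3e5))
    for alert in alerts_from_flows(PATH, FLOW_SAMPLES):
        print(alert)
```

Note that the third sample trips the IPS on packets per second while its bits-per-second load is only 60%, which is why both units have to be in the capacity map.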
