
“If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

Sun Tzu, The Art of War


How to defend against DDoS?

As Sun Tzu said, we must know both ourselves and the enemy. In my previous post I made an introduction to our enemy; if you missed it, you can read it here. Now that we have an idea about the enemy, we can start getting to know ourselves. First we need to understand that IT security is a layered solution: we cannot hand all the problems to a single product or layer. When the problem is DDoS, the solution ranges from a single firewall all the way to a cloud scrubbing service.

Know yourself

We should start by preparing an inventory. It should list the IP addresses our company uses and their corresponding service ports. This matters because under a heavy DDoS attack you will know which services are critical and which ones are not. In other words, this inventory both serves you as a knowledge base about your services and shows you the unused IP addresses. In today's ever-changing IT world, services that are no longer used may still be announced by you to the outside world, and that unnecessary announcement may come back to you as an amplified or reflected volumetric attack. To avoid such a situation, we start with preparing an inventory.
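The inventory step above, as an added example that is not code from the original post: a small Python script that groups the inventoried services by criticality tier, flags announced prefixes that carry no inventoried service, flags live hosts that are missing from the inventory, and lists the UDP services that deserve a second look. The record layout, the tier names and every address, prefix and port below are my own constructed sample data; replace them with your own inventory export.

```python
"""Added example (not code from the original post): a minimal inventory
check for the 'know yourself' step.

Assumptions, all mine: the inventory is a list of records with address,
port, protocol, service name and a criticality tier; ANNOUNCED_PREFIXES is
what your routers advertise upstream; LIVE_HOSTS is what your own
monitoring sees responding. Every value below is constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample inventory: what we know we run and how much we depend on it.
INVENTORY = [
    {"ip": "203.0.113.10", "port": 443, "proto": "tcp", "service": "web-shop",     "tier": "critical"},
    {"ip": "203.0.113.10", "port": 80,  "proto": "tcp", "service": "web-redirect", "tier": "critical"},
    {"ip": "203.0.113.20", "port": 53,  "proto": "udp", "service": "auth-dns",     "tier": "critical"},
    {"ip": "203.0.113.30", "port": 25,  "proto": "tcp", "service": "mail",         "tier": "important"},
    {"ip": "203.0.113.40", "port": 22,  "proto": "tcp", "service": "legacy-sftp",  "tier": "low"},
]

# Constructed sample: prefixes our routers announce to the outside world.
ANNOUNCED_PREFIXES = ["203.0.113.0/27", "198.51.100.0/28"]

# Constructed sample: addresses that answered our own internal check.
LIVE_HOSTS = {"203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40", "198.51.100.5"}


def services_by_tier(inventory):
    """Group services by tier so the response plan knows what to keep alive first."""
    tiers = defaultdict(list)
    for rec in inventory:
        tiers[rec["tier"]].append(f'{rec["ip"]}:{rec["port"]}/{rec["proto"]} ({rec["service"]})')
    return dict(tiers)


def unaccounted_announcements(inventory, announced_prefixes, live_hosts):
    """Return (announced prefixes with no inventoried service, live hosts missing from the inventory).

    An announced prefix that carries no service is still reachable from
    outside and can only attract unwanted traffic; a live host that is not
    in the inventory is a gap in knowing yourself.
    """
    inventoried = {ipaddress.ip_address(rec["ip"]) for rec in inventory}
    unused_prefixes = []
    for prefix in announced_prefixes:
        net = ipaddress.ip_network(prefix)
        if not any(ip in net for ip in inventoried):
            unused_prefixes.append(prefix)
    unknown_live = sorted(h for h in live_hosts if ipaddress.ip_address(h) not in inventoried)
    return unused_prefixes, unknown_live


def udp_services(inventory):
    """UDP services deserve a second look: they are the usual reflection/amplification sources."""
    return [rec for rec in inventory if rec["proto"] == "udp"]


if __name__ == "__main__":
    for tier, services in services_by_tier(INVENTORY).items():
        print(f"{tier}: {services}")
    unused, unknown = unaccounted_announcements(INVENTORY, ANNOUNCED_PREFIXES, LIVE_HOSTS)
    print("announced but unused prefixes:", unused)
    print("live but not inventoried:", unknown)
    print("UDP services to review:", [r["service"] for r in udp_services(INVENTORY)])
```

Run it against the sample data and the second prefix shows up as announced but unused, while 198.51.100.5 shows up as live but unknown; both are exactly the kind of thing the post says you should find before an attack, not during one.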

What comes next is preparing a DDoS response plan. This is also critical, because while you are under a DDoS attack, who will make the call to stop announcing your networks to other countries? Who will be responsible for cooperation with your ISP? Who are your contacts on the ISP side? What will happen if you cannot reach them? Questions like these are critically important when it comes to DDoS.

Know your ISP

You have your inventory and plan; now what? It is time to fix single-point-of-failure issues. If you have just a single ISP and this ISP somehow fails under a DDoS attack, you will fail too. Increase the number of service providers if possible. Learn and discuss their DDoS plan. Know their escalation scheme.

Another common single point of failure is internet-facing network equipment. If your internet-facing network equipment has no redundancy, you will be down once that equipment goes down.

Do I need an on-premise DDoS solution?

It is up to you. What I mean by this is: how much risk are you willing to take? If you are an e-commerce firm that must have higher availability, the answer will be yes. If you are a financial institution, again the answer is yes. We could multiply the examples, but to sum up: if you have an internet-facing service, use an on-premise DDoS solution. On-premise DDoS equipment is a really strong and active defence point, and if your ISP fails to mitigate a volumetric attack, it can defend you against that volumetric attack too, up to a point.

On-premise DDoS devices are stateless, while firewall and ISP solutions are stateful. As I said above, security is a layered solution. On-premise DDoS devices represent the Availability in the Confidentiality, Integrity and Availability triad: they protect your network equipment from DDoS attacks and as a result give you Availability.
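The post states that the on-premise device is stateless without spelling out why that matters. The usual reason, and the one this added model illustrates, is that a stateful device keeps one table entry per flow and that table has a finite size, so a flood of never-completed flows from spoofed sources fills it and new legitimate flows get refused. A stateless device validates each new source with a cookie it can recheck from the packet alone (the idea behind SYN cookies), so it needs no table and sources that never answer consume nothing. This is my own constructed simulation, not code from the original post or from any product; the table capacity, timeout, flood rate and client counts are arbitrary constructed numbers, and the "challenge" and "cookie" fields are my modelling shorthand, not a real protocol.

```python
"""Added example (not from the original post): why a stateless filter keeps
serving new legitimate flows while a stateful one fills up under a flood.

Constructed model. A packet is a dict; sources are opaque strings. Spoofed
sources send one packet each and never answer a challenge; legitimate
clients do answer, because they actually receive the reply.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed; a real device would rotate this


def cookie_for(src):
    """Deterministic and verifiable from the packet alone: no per-source memory needed."""
    return hmac.new(SECRET, src.encode(), hashlib.sha256).hexdigest()[:16]


class StatefulFilter:
    """Keeps a flow table; a new flow is refused once the table is full."""

    def __init__(self, capacity, idle_timeout=10):
        self.capacity, self.idle_timeout = capacity, idle_timeout
        self.table = {}            # flow key -> remaining idle ticks
        self.refused_new_flows = 0

    def tick(self):
        # Age out idle entries; spoofed flows linger until the timeout expires.
        for flow in list(self.table):
            self.table[flow] -= 1
            if self.table[flow] <= 0:
                del self.table[flow]

    def handle(self, pkt):
        flow = (pkt["src"], pkt["dst_port"])
        if flow in self.table:
            self.table[flow] = self.idle_timeout
            return "forward"
        if len(self.table) >= self.capacity:
            self.refused_new_flows += 1
            return "drop"
        self.table[flow] = self.idle_timeout
        return "forward"


class StatelessFilter:
    """No flow table: a packet without a valid cookie gets a challenge, never an entry."""

    def handle(self, pkt):
        if pkt.get("cookie") == cookie_for(pkt["src"]):
            return "forward"
        return "challenge"


def run_flood(device, spoofed_per_tick, legit_per_tick, ticks):
    """Return how many packets from new legitimate clients were forwarded over the run."""
    forwarded = 0
    for t in range(ticks):
        if hasattr(device, "tick"):
            device.tick()
        for i in range(spoofed_per_tick):
            # Each spoofed packet claims a fresh source and never answers a challenge.
            device.handle({"src": f"spoofed-{t}-{i}", "dst_port": 443})
        for n in range(legit_per_tick):
            client = f"client-{t}-{n}"   # new visitors arrive every tick
            pkt = {"src": client, "dst_port": 443}
            verdict = device.handle(pkt)
            if verdict == "challenge":
                # A real client receives the challenge and retries with the cookie.
                pkt["cookie"] = cookie_for(client)
                verdict = device.handle(pkt)
            if verdict == "forward":
                forwarded += 1
    return forwarded


def compare(spoofed_per_tick=500, legit_per_tick=5, ticks=20, capacity=2000):
    """Same flood against both devices; returns how many legitimate packets each forwarded."""
    expected = legit_per_tick * ticks
    return {
        "expected": expected,
        "stateful_forwarded": run_flood(StatefulFilter(capacity), spoofed_per_tick, legit_per_tick, ticks),
        "stateless_forwarded": run_flood(StatelessFilter(), spoofed_per_tick, legit_per_tick, ticks),
    }


if __name__ == "__main__":
    print(compare())
```

With the constructed numbers the stateful table is full after three ticks and only recovers briefly when old spoofed entries time out, so most new legitimate clients are refused; the stateless filter forwards every one of them. The firewall is still needed for what it does well (inspecting established sessions), which is the layering point the post makes: the stateless device stands in front of it so the stateful table is never the first thing to run out.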

“Peace at Home, Peace in the World!”

Mustafa Kemal Ataturk

Great leaders are the farsighted ones. If you cannot make peace inside your network, you cannot defend it against the outside world. In order to make peace you must know your weak points, you must have a solid playbook (a.k.a. DDoS response plan), you must avoid design failures and finally you must harden your weak points. This is not a one-time job. Since a network is a living being, all the changes occurring in the network or in the services themselves will also affect your DDoS solution. You must regularly check these spots.

We still do not fully know ourselves; we just have better awareness. The next post will mainly be about our enemies, while we also continue to get to know ourselves. I will try to explain the common attack types and their respective mitigation strategies. May the force be with you!