what brought Sony's Playstation network down could happen to you! (part 2)

finding the best approach for your organization

In order to prevent intrusions on a network, an organization typically chooses one of the following three approaches: 1) manage a traditional on-premise firewall router solution themselves; 2) install a filtering infrastructure (within their own data centers, or purchased externally as an ISP's service); or 3) employ a cloud-based Distributed Denial of Service (DDoS) defense solution. All of these approaches have pros and cons, which I will cover below.

approach #1 - traditional on-premise firewall router

This first option is the most basic approach to fighting a DDoS attack, and it is the one used by most organizations. However, considering the advances in DDoS techniques and methods, this option has limitations in terms of filtering, bandwidth and staffing. On the filtering side, this type of solution applies only coarse, indiscriminate filtering: rate limiting at the network and transport layers, without the deep-packet inspection that helps flag attacks. Detection is still largely manual, leading to sluggish response times in the middle of an attack.

A firewall router is also constrained by its bandwidth and the router's own capacity, leaving the system more exposed. Another problem is the throughput capacity of the on-premise equipment, which becomes the bottleneck. Today's common attacks routinely exceed the capacity of the access links. According to this article, DDoS attacks are scaling to millions of packets per second, whilst a typical high-end border router can only support 70,000 packets per second of throughput.

approach #2 – intelligent filtering platform

This approach may be obtained by enterprises deploying it themselves or, in some cases, by purchasing the service from their local ISP.

Using this approach, intelligent filters sit at the entrance for all Internet traffic. The filters apply one or more techniques such as statistical modeling, active challenge validation, deep-packet inspection and rate-based anomaly detection. These techniques aim to let legitimate traffic pass through while protecting networks and applications from DDoS attacks.
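To make the rate-based anomaly detection and rate limiting mentioned above (and the network/transport-layer rate limiting of approach #1) concrete, here is an added example, not code from the original post or from any product it describes. It builds a packets-per-second baseline from a quiet period of constructed flow records, flags seconds whose rate exceeds mean plus K standard deviations, and lists the sources in a flagged second that exceed a per-source packet rate limit, which is the list a filtering platform would feed into a rate limit. The thresholds (K = 3, a 20% minimum margin, 1,000 packets per second per source) and all IP addresses are assumptions chosen for the illustration.

```python
"""Rate-based anomaly detection over constructed flow records.

Added example (not from the original post). Constructed sample data:
seconds 0-9 are normal traffic from twenty sources; seconds 10-12 add a
flood from three further sources. Thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, source_ip, packet_count)
SAMPLE_FLOWS = []
for t in range(13):
    # Normal traffic: 20 sources, slight even/odd-second jitter so the baseline has spread
    SAMPLE_FLOWS += [(t, "198.51.100.%d" % (i + 1), 50 + (i % 3) * 10 + (t % 2) * 5)
                     for i in range(20)]
for t in range(10, 13):
    # Flood: three sources each sending 40,000 packets per second
    SAMPLE_FLOWS += [(t, "203.0.113.%d" % (j + 1), 40_000) for j in range(3)]


def packets_per_second(flows):
    """Aggregate packet counts into a dict {second: total_packets}."""
    pps = defaultdict(int)
    for t, _src, count in flows:
        pps[t] += count
    return dict(pps)


def baseline(pps, train_seconds):
    """Mean and population stddev of total pps over the quiet training seconds."""
    values = [pps.get(t, 0) for t in train_seconds]
    return mean(values), pstdev(values)


def flag_anomalous_seconds(pps, mu, sigma, k=3.0, min_margin=0.2):
    """Return the seconds whose total rate exceeds the statistical threshold.

    threshold = mu + max(k * sigma, min_margin * mu); the relative margin keeps a
    perfectly flat baseline (sigma == 0) from flagging trivial jitter.
    """
    threshold = mu + max(k * sigma, min_margin * mu)
    return sorted(t for t, rate in pps.items() if rate > threshold)


def top_sources(flows, second, limit_pps):
    """Sources in `second` whose packet count exceeds the per-source limit."""
    per_src = Counter()
    for t, src, count in flows:
        if t == second:
            per_src[src] += count
    return sorted(src for src, count in per_src.items() if count > limit_pps)


def analyse(flows=SAMPLE_FLOWS, train_seconds=range(10), k=3.0, limit_pps=1000):
    """Baseline on the training window, flag anomalous seconds, list offenders."""
    pps = packets_per_second(flows)
    mu, sigma = baseline(pps, train_seconds)
    flagged = flag_anomalous_seconds(pps, mu, sigma, k)
    offenders = {t: top_sources(flows, t, limit_pps) for t in flagged}
    return {"baseline_pps": mu, "flagged_seconds": flagged, "offenders": offenders}


if __name__ == "__main__":
    result = analyse()
    print("baseline pps:", result["baseline_pps"])
    print("flagged seconds:", result["flagged_seconds"])
    for second, sources in result["offenders"].items():
        print("second %d: rate-limit %s" % (second, ", ".join(sources)))
```

The two stages correspond to two of the techniques in the paragraph: the baseline and threshold are a crude form of statistical modeling, and the per-source list is what a rate limiter at the network or transport layer acts on. Note what the example cannot do: with no deep-packet inspection it only sees counts, so a flood of legitimate-looking requests spread thinly across many sources would raise the total without producing any per-source offender, which is exactly the limitation the article raises for basic filtering.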

Though intelligent filtering is more scalable in handling large traffic volumes than the on-premise solution, this approach still does not ensure resilient protection. It cannot guarantee the robustness of your system when Internet traffic from several ISPs' data centers floods your network, and the filtering technology may no longer be effective when the attack uses the full capacity of its attack vectors.

Compared with the on-premises intelligent filtering above, your ISP may offer more bandwidth in its DDoS defense service. It can also scale up to greater network capacity, and because the mitigation happens upstream, it removes the risk of congesting your downstream access circuit.

The flaw in this approach, however, is that your ISP can only protect against DDoS attacks that come through its own network. You would need to deploy multiple intelligent filtering solutions in order to obtain complete DDoS protection, which drives up cost and complexity.

approach #3 – cloud-based DDoS protection

For an organization that needs to stay online 24x7, 365 days a year, neither on-premise router/firewall protection nor intelligent filtering will be sufficient to shield your infrastructure from DDoS attacks. A truly effective solution needs to filter all incoming traffic and eliminate any need for a separate solution per ISP. The beauty of a cloud-based solution is that it is able to provide cross-ISP correlation to detect and mitigate the impact of recurring attacks. This approach is believed to be the most effective and most easily maintained solution: the provider manages the protection and gives you access to dedicated experts in cases of highly sophisticated attacks.

This solution employs large-capacity scrubbing centers and reliable filters equipped with intelligent mitigation tools. Multiple intelligent filtering platforms are now common in this business, augmented with additional proprietary mechanisms that lead to detection of malware in a matter of seconds. This is enabled by the mutual relationships between providers, who raise collective alarms for attacks and in particular for new vectors.

These relationships create a cross-sector framework for threat intelligence that helps identify emerging threats and implement countermeasures against new attack vectors more quickly and accurately. It is also prudent to make sure that the provider has working relationships with the relevant security agencies, such as the FBI and Interpol, in case you decide to take legal action against the attackers.

appoint the best service provider for DDoS solutions

Considering the potential for losses due to DDoS attacks, organizations should implement appropriate levels of protection against these types of attacks. While cost is still a primary concern when investing in a security solution, you should actually be looking at the true value of the approach that suits your organization. Although the cost of a cloud-based approach may seem exorbitant initially, be aware of the hidden costs of DDoS protection, which include an array of operational costs related to maintaining the shield against attacks, plus continued maintenance of the infrastructure and the expertise needed to reduce the impact of more sophisticated attacks.

Your decision to outsource DDoS protection will be a wise one if you carefully select a specialized service provider with a proven track record in DDoS protection. Your organization can benefit from economies of scale, freeing your staff from unnecessary worry about such attacks and empowering them to work on high-value projects that support your business growth.

The onus is on you to perform the due diligence, or to engage a consultant to baseline your company's risk against DDoS attacks. Because when the beast comes, you can take it to the bank that it will be fast and furious.

Part 1 of this entry is here.

Kenneth Ho

I was born in Singapore, an island which has a mere population of 5 million people. I truly believe I was born with a purpose to fight criminals in this world. Having failed the entrance test for the Avenger League several times, I joined Orange Business to fight crime in another role as Security Practice in APAC. I'm pinning on the hope that I will be called up for duty to join the Avenger League.