Building a defense against DDoS attacks

One Against All

Commercial DDoS Protection

Numerous commercial providers also offer turnkey DDoS safeguards with support, logging, and alerting. These solutions range from cloud-based approaches to hardware appliances, which are usually integrated into the data center as firewall extensions.

For example, industry giant Cloudflare offers DDoS web protection as part of its application services; viewed from the outside, it works just like vDDoS. Under the hood, a reverse proxy receives and examines the incoming requests and forwards only the legitimate traffic to the server that holds the content. For this to work, the DNS entry for your website must point to the Cloudflare servers. Note that your web server must then accept requests only from Cloudflare's address ranges: if the origin is still reachable directly, an attacker who discovers its real address simply bypasses the proxy, and the DDoS protection is ineffective.
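The two conditions just described, that the origin accepts connections only from the proxy and that it trusts the forwarded client address only on such connections, can be enforced at the application layer as well as in the firewall. The following is an added example, not code from the article or from Cloudflare. The proxy address ranges are constructed placeholders (Cloudflare publishes its real ones at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), and the sample connections are constructed.

```python
import ipaddress

# Constructed placeholder ranges standing in for the proxy provider's published
# address lists (Cloudflare publishes its real ones at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6;
# fetch and refresh them rather than hardcoding).
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer is one of the reverse proxy's addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def origin_decision(peer_ip: str, headers: dict) -> tuple:
    """Decide whether the origin should serve a connection and which address
    to treat as the real client for logging and rate limiting.

    Returns (accept, client_ip). A connection that does not come from the
    proxy is refused: serving it would let an attacker who has found the
    origin's address walk around the DDoS shield. The forwarded-client header
    is only believed when the peer *is* the proxy, since anyone can forge it.
    """
    if not is_trusted_proxy(peer_ip):
        return False, None
    h = {k.lower(): v for k, v in headers.items()}
    # Cloudflare carries the client address in CF-Connecting-IP. For a generic
    # proxy, use the *last* X-Forwarded-For entry: the trusted proxy appends
    # the address that connected to it, so only the rightmost value is
    # vouched for; earlier entries may have been supplied by the client.
    candidate = (h.get("cf-connecting-ip")
                 or h.get("x-forwarded-for", "").split(",")[-1].strip())
    try:
        return True, str(ipaddress.ip_address(candidate))
    except ValueError:
        # No usable client address supplied: attribute the request to the
        # proxy itself rather than trusting a malformed or forged value.
        return True, str(ipaddress.ip_address(peer_ip))


if __name__ == "__main__":
    # Constructed sample connections: via proxy, direct with a forged header,
    # and via proxy with a generic X-Forwarded-For chain.
    samples = [
        ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}),
        ("203.0.113.9", {"X-Forwarded-For": "198.51.100.7"}),
        ("198.51.100.8", {"X-Forwarded-For": "10.9.9.9, 203.0.113.25"}),
    ]
    for peer, hdrs in samples:
        print(peer, "->", origin_decision(peer, hdrs))
```

The same allow-list belongs in the host firewall for ports 80 and 443 as well; the application-layer check is the backstop that also keeps rate limiting and logging keyed to the real client rather than to the proxy.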

The advantage is that Cloudflare and comparable offerings appear to have more bandwidth in reserve than attackers have been able to muster (thus far). Anyone expecting attacks in the double-digit gigabit per second range or above is well advised to use a commercial provider. Fun fact: this approach works so well that even criminals use it to shield their illegal web portals from rival attackers.

Conclusions

Alongside ransomware, DDoS attacks pose major challenges for companies. This tour through the defense arsenal of the open source world reveals a few highlights. The baseline starts with a hardened operating system and a security audit, followed by guard tools that watch the logfiles, detect failed login attempts, and automatically add rules to the local firewall. Finally, websites can be protected against a flood of requests with image puzzles in the form of captchas.

In larger environments, the DDoS sensor sits well away from the server farm and receives traffic information exported by routers and switches. If individual clients show unusually high throughput, a blocking route is pushed to the provider's routers by a BGP update, and the game is over for the attacker. If these tools and tricks involve too much manual work, or you anticipate massive DDoS attacks, the same protections are available from commercial providers.
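The sensor pipeline sketched above, aggregating exported flow records per source, applying a rate threshold and rendering the BGP update that blackholes the offender, looks roughly as follows. This is an added example, not code from the article or from any of the tools it covers. The flow records, the threshold, and the discard next hop are constructed and assumed values; the output line uses the syntax of the ExaBGP route injector and the well-known BLACKHOLE community 65535:666 (RFC 7999), and the example assumes the upstream honours source-based blackholing.

```python
from collections import defaultdict

# Assumed per-source threshold in bits per second; in a real deployment this
# is derived from the link size and a measured traffic baseline.
THRESHOLD_BPS = 1_000_000_000  # 1 Gbit/s

# Well-known BLACKHOLE community (RFC 7999) and the next hop the provider
# routes to a discard interface. The next hop is an assumed address agreed
# with the upstream, not a real one.
BLACKHOLE_COMMUNITY = "65535:666"
DISCARD_NEXT_HOP = "192.0.2.1"

# Constructed flow records as a sensor might get them from the routers'
# NetFlow/sFlow export: (source, destination, bytes) over one export interval.
EXPORT_INTERVAL_S = 10
FLOWS = [
    ("203.0.113.5",   "192.0.2.10", 2_500_000_000),
    ("203.0.113.5",   "192.0.2.11", 2_500_000_000),
    ("198.51.100.20", "192.0.2.10",    12_000_000),
    ("198.51.100.21", "192.0.2.12",     9_000_000),
]


def bps_by_source(flows, interval_s):
    """Aggregate flow bytes per source address and convert to bits/second."""
    total_bytes = defaultdict(int)
    for src, _dst, nbytes in flows:
        total_bytes[src] += nbytes
    return {src: b * 8 / interval_s for src, b in total_bytes.items()}


def offenders(flows, interval_s=EXPORT_INTERVAL_S, threshold_bps=THRESHOLD_BPS):
    """Sources whose rate exceeds the threshold, sorted for stable output."""
    rates = bps_by_source(flows, interval_s)
    return sorted(src for src, bps in rates.items() if bps > threshold_bps)


def blackhole_route(src_ip):
    """Render the route a BGP speaker such as ExaBGP would inject so the
    provider's edge routers discard packets *from* this host: a /32 for the
    attacker, pointed at the discard next hop and tagged BLACKHOLE.
    Source-based dropping relies on the upstream applying uRPF to the
    blackholed prefix; destination-based RTBH (announcing the victim) is the
    other common variant and sacrifices the victim's reachability instead."""
    return (f"announce route {src_ip}/32 next-hop {DISCARD_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def build_updates(flows, interval_s=EXPORT_INTERVAL_S, threshold_bps=THRESHOLD_BPS):
    """One announcement per offending source for the current export interval."""
    return [blackhole_route(src) for src in offenders(flows, interval_s, threshold_bps)]


if __name__ == "__main__":
    for line in build_updates(FLOWS):
        print(line)
```

A production sensor would also withdraw the route after a quiet period and cap the number of simultaneous blackholes, so that a spoofed flood cannot trick it into blackholing a legitimate address or filling the upstream's routing table.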

The Author

Markus Stubbig is a networking engineer who has worked in the IT industry for 20 years. His strong focus is on design and implementation of campus networks around the world.
