In this final part of our series of articles about DDoS, we’re going to take a look at how an organization should approach the issue of setting up DDoS defences, including carefully considering the architecture of an online service and choosing a security provider.
The Importance of Architecture
DDoS protection alone does not guarantee the availability of your resources in the event of an attack. Too often, the problem does not lie in “bad” DDoS protection, but in the poor architecture of the Internet service itself.
For example, imagine that an online store suddenly discovers that its e-commerce platform is unavailable to customers. It turns out that after the anti-DDoS service was activated, the old address of the server on which the e-commerce service had been deployed was still reachable. This gave the attackers plenty of opportunity to launch an attack against the old address. After the hosting provider “closed” this address to outside access on TCP ports 80 and 443, the HTTP-level protection finally kicked in. However, after some time, further DDoS attacks led to denial of service once again. The attacker had scanned the server’s ports, found that port 22 (SSH) was still open, and directed the attack there. To protect the client, the hosting provider moved the e-commerce service to another server. But even here, the attacks resumed after a brief pause: the address of the new server could easily be found in the headers of emails sent by the service.
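The last leak in this story, the origin address appearing in outgoing mail, is easy to check for on your own messages. The following script is an added example and is not code from the original article: it parses the Received: headers of a message and reports any address that falls inside the origin networks you intend to keep hidden behind the protection provider. The message, the hostnames and the origin network are constructed sample values (documentation address ranges).

```python
# Added example (not from the original article): audit your own outbound mail
# for Received: headers that reveal the origin server's address.
import email
import ipaddress
import re

# Constructed sample: raw headers of a message sent by the shop's own
# application server. Addresses are RFC 5737 documentation ranges.
SAMPLE_MESSAGE = """\
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
\tby mx.customer.example (Postfix) with ESMTPS id 4X1
\tfor <buyer@customer.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from shop-app01 (shop-app01.internal [198.51.100.25])
\tby mail-relay.example.net (Postfix) with ESMTP id 4X0;
\tMon, 01 Jan 2024 09:59:58 +0000
From: Shop <noreply@shop.example>
To: buyer@customer.example
Subject: Your order

Thanks for your order.
"""

# Assumed: the origin networks that must stay hidden behind the anti-DDoS
# provider. Any other address in the headers is treated as acceptable.
ORIGIN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_addresses(raw_message):
    """Return every IPv4 address literal found in the Received: headers, in order."""
    msg = email.message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for literal in IPV4_RE.findall(str(header)):
            try:
                found.append(ipaddress.ip_address(literal))
            except ValueError:
                continue  # looked like an address but is not one; skip it
    return found


def leaked_origins(raw_message, origin_networks=ORIGIN_NETWORKS):
    """Return the header addresses that fall inside the hidden origin networks."""
    return [str(a) for a in received_addresses(raw_message)
            if any(a in net for net in origin_networks)]


if __name__ == "__main__":
    leaks = leaked_origins(SAMPLE_MESSAGE)
    if leaks:
        print("Origin address exposed in mail headers:", ", ".join(leaks))
    else:
        print("No origin address found in Received: headers")
```

Run it against a message the service actually sent to a test mailbox; if an origin address shows up, route outbound mail through a relay that does not sit on the protected server’s address.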
You should choose a provider that delivers 24/7 protection. It is not uncommon for threat actors to launch attacks at night, relying on the fact that security specialists will not react in time.
If the service is critical, we recommend that you check its resilience systematically by organizing stress tests. This makes sure that an attack won’t catch you by surprise. After all, protection can be switched off by mistake, for example during debugging: you would keep paying for protection and believe the resource is secure, while in reality the defense system would need a long time to re-activate.
What’s more, when it comes to the security and accessibility of a website or other Internet application, make sure to go through the following steps:
- Change the IP address when connecting external anti-DDoS protection. If that’s not possible, at least “close” request processing from all IP addresses other than those given to you by the protection service provider.
- If a service is critical, purchase or rent high-performance and, if possible, dedicated hosting. This ensures that an attack targeted at a different website hosted on the same server won’t make your website unavailable. Provide redundancy for resources and bandwidth to reduce the likelihood of failure.
- To reduce the likelihood of failure when one or more IP addresses are under attack, utilize all available addresses, distributing them between services or users.
- Notify the security provider about the purpose of each IP address. This will help them build a tailored defense against DDoS attacks.
- When connecting network protection via BGP, remember that attackers can easily trace the route to the DDoS protection provider and discover the junction IP address, which is usually unprotected and therefore vulnerable to DDoS attacks. Therefore, close the junction IP addresses: first, restrict them with an ACL, and second, hide them from tracing both from outside and from inside the network.
Put yourself in the attacker’s shoes when setting up DDoS protection: if you were the hacker, how would you approach cracking the defense system? Eliminate all the vulnerabilities you find and thoroughly test the service. You need to be sure that it can withstand attacks in the real world.
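The first step above (accept service traffic only from the protection provider’s addresses) and the story of the forgotten SSH port both come down to two routine checks: a host firewall that drops everything on the public interface except what the provider and your administrators need, and an audit of what is actually listening. The following script is an added example, not code from the original article or any provider: it generates an nftables ruleset from a list of provider prefixes and compares a captured `ss -ltnH` listing against the ports that ruleset covers. The prefixes, interface name and socket listing are constructed sample values (documentation address ranges); substitute your own provider’s published list.

```python
# Added example (not from the original article): build an nftables allow-list
# for the public interface and audit listening sockets against it.
import ipaddress

# Assumed values: the anti-DDoS provider's source prefixes, the admin network
# allowed to reach SSH, and the public interface. RFC 5737 documentation ranges.
PROVIDER_PREFIXES = ["203.0.113.0/24", "192.0.2.128/25"]
ADMIN_PREFIXES = ["198.51.100.0/28"]
PUBLIC_IFACE = "eth0"
SERVICE_PORTS = (80, 443)   # reachable only through the protection provider
ADMIN_PORTS = (22,)         # reachable only from the admin network


def _validate(prefixes):
    """Reject malformed or non-canonical prefixes; a typo here would silently
    open the service to the whole internet or cut the provider off."""
    return [str(ipaddress.ip_network(p, strict=True)) for p in prefixes]


def build_nft_ruleset(provider_prefixes=PROVIDER_PREFIXES,
                      admin_prefixes=ADMIN_PREFIXES, iface=PUBLIC_IFACE):
    """Return an nftables ruleset text: default drop on the public interface,
    service ports only from the provider, admin ports only from the admin net."""
    provider = ", ".join(_validate(provider_prefixes))
    admin = ", ".join(_validate(admin_prefixes))
    service_ports = ", ".join(str(p) for p in SERVICE_PORTS)
    admin_ports = ", ".join(str(p) for p in ADMIN_PORTS)
    return f"""\
table inet ddos_edge {{
    set provider_src {{ type ipv4_addr; flags interval; elements = {{ {provider} }} }}
    set admin_src {{ type ipv4_addr; flags interval; elements = {{ {admin} }} }}
    chain input {{
        type filter hook input priority 0; policy drop;
        iifname != "{iface}" accept
        ct state established,related accept
        ct state invalid drop
        iifname "{iface}" ip saddr @provider_src tcp dport {{ {service_ports} }} accept
        iifname "{iface}" ip saddr @admin_src tcp dport {{ {admin_ports} }} accept
    }}
}}
"""


# Constructed sample of `ss -ltnH` output (TCP listeners, no header line).
# Port 8080 is a debugging endpoint someone left bound to all addresses.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*
"""


def unexpected_listeners(ss_output, allowed_ports=SERVICE_PORTS + ADMIN_PORTS):
    """Return ports bound on a non-loopback address that the ruleset does not
    explicitly cover. Loopback-only sockets are not reachable from outside."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        if addr in ("127.0.0.1", "::1"):
            continue
        if port.isdigit() and int(port) not in allowed_ports:
            exposed.add(int(port))
    return sorted(exposed)


if __name__ == "__main__":
    print(build_nft_ruleset())
    print("Listeners not covered by the ruleset:", unexpected_listeners(SAMPLE_SS_OUTPUT))
```

Load the generated text with `nft -f`, then feed the real `ss -ltnH` output to `unexpected_listeners`; anything it reports is either a service that needs its own rule or a socket that should be bound to loopback or an internal interface instead.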
Choosing a Supplier: What to Think About and What to Ask
Today, there is a huge range of DDoS protection services to choose from. Companies that specialize in information security and many hosting providers or data centers often have at least some kind of DDoS protection services in their portfolio. However, not all available options are high-quality.
When choosing a provider, make sure to ask about the following:
- Where are the servers of the security service located? In the best-case scenario, they should be in the same geographical zone as your company’s servers, or servers of your customers. Also, check the connectivity if you are working with an operator abroad. Try pinging the resources protected by the provider from different locations (this can be done using services like https://bgp.he.net and https://ping.pe).
- How long has the company been working in DDoS protection? Does it specialize in these services? Google that company. This will help you understand how actively it participates in the life of the cybersecurity community and whether it brings innovations. Information like this is a great way to find out whether the company can cope with a non-standard situation.
- How good is the technical support team? How quickly do they respond to support requests? To ensure the high availability of your resource, tech support should work around the clock, seven days a week, responding promptly to your requests and, of course, to attacks, whenever they begin. Availability of several communication channels is a plus: if the company provides support over the phone or in online chat, your urgent issues will be resolved faster.
- Are they working with well-known clients? The more famous the companies among their clients, the higher the quality of service you can expect. If you have contacts at a brand the company is protecting, try reaching out to collect feedback about the quality of its DDoS protection.
- Test the service and check how the protection works and how quickly the support team responds. If you can’t organize a full-fledged stress test, you can launch test attacks using free tools available on the internet. Monitor your resources for the duration of the test: this will show how the company will handle a real attack if you ever become a target of one.
- What is the cost? Find out if the provider has any hidden payments. For example, do they charge extra for larger attack volumes or numbers? Never agree to such payments, since you can’t control who, how, when, and in what volume might attack your website.
Remember that DDoS protection is a serious matter, and therefore the protection provider must be chosen with the utmost care.
Last but not least, keep in mind that a protection service is not a “magic wand”. Regardless of how effective the solution is, if your service architecture is sub-par from the information security standpoint, defending against attacks will be that much more difficult. DDoS protection is a complex topic: it is a real test of professionalism, not only for the DDoS protection service’s employees, but also for your own IT team — system administrators, software developers, and, of course, information security experts.