Ajay Kumar, CISM, CCSK, ISO 27001 LA
Distributed denial of service (DDoS) is one of the most widespread types of cyberattack and represents a great concern for governments and enterprises today. These attacks are an insidious foe to Internet service providers (ISPs), as these businesses depend on the availability of their web sites for critical business functions and productivity. My recent ISACA Journal article focuses on the types of DDoS attacks, their trend and changing frequency, the business impact, the countermeasures that organizations can take to prevent successful DDoS attacks, and building a strategic approach to defend against this growing cyberthreat.
Given the extraordinary and rapid changes in DDoS attack techniques, traditional DDoS mitigation solutions (e.g., bandwidth provisioning, firewall and intrusion prevention systems) are no longer sufficient to detect and protect an organization’s network or applications from sophisticated DDoS attacks.
The most cost-effective approach to mitigate DDoS attacks is to have the ISP detect and mitigate attacks before they reach the organization’s Internet-facing resources (e.g., web servers or email servers).
In addition, there are many organizations that provide services for DDoS mitigation. Their offerings range from DNS redirection to Border Gateway Protocol (BGP) route changes that make inbound Internet traffic flow through the provider, so that it can detect the attacks and perform scrubbing/filtering in its Internet data centers, resulting in its customers receiving filtered, clean Internet traffic.
Various security vendors provide appliance-based solutions to defend against DDoS attacks. The devices detect and provide protection from a broad array of DDoS attacks. Many vendors claim solutions across different appliance models, with throughput ranging from 12 Mbps up to enterprise-class solutions. As DDoS threats evolve, these specialized vendors are likely to respond faster with innovative solutions than vendors that offer basic DDoS protection embedded in firewall and ISP devices.