Dealing With Distributed Denial of Service Attacks - Working With Your ISP
(Page 4 of 4)
Taking various steps to filter traffic at the company end is a good start. These filters should be in place and working as a matter of course. But if the traffic between your company and the ISP is saturated by the DDoS attack, it’s time to escalate your defenses. You will need to contact your ISP to help you manage the attack.
The ISP has more bandwidth and is closer to the source of the attack, so they should be able to provide more effective filtering. The ISP will usually filter based on two factors: the source and destination IP addresses of the traffic, and the type of traffic. If there are detection mechanisms in place, these should be able to identify the sources of the attack – and the ISP should be informed.
If you’re lucky, distinct IP addresses can be identified, and the ISP can filter those individually. Sometimes, however, you can’t get a better identifier than another entire network (or even another country). This is in part because many attacks use spoofed packets that don’t reveal their real IP addresses. The ISP will then have to work with those further upstream to figure out where the traffic is coming from. Once the ISP knows what router(s) the traffic is coming from, the owner can be contacted and informed of the situation.
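As an added illustration of that hand-off (example code, not from the original article), the following Python script turns flow records from a detection system into the kind of filter list an ISP can act on: it compares each source's attack-time volume against a known-normal baseline, and when several offending hosts share one /24 it reports the whole network, the case described above where an individual address is not the best identifier available. The flow records, addresses, and thresholds are constructed for the example.

```python
"""Summarise attack traffic into a filter list for the ISP (added example)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records: (source IP, destination IP, protocol, bytes).
# BASELINE stands in for known-normal traffic; ATTACK is what detection
# sees during the flood. All addresses are documentation ranges.
BASELINE = [
    ("198.51.100.7", "203.0.113.10", "tcp", 1200),
    ("198.51.100.9", "203.0.113.10", "tcp", 800),
    ("192.0.2.20", "203.0.113.10", "tcp", 1500),
    ("192.0.2.21", "203.0.113.10", "udp", 300),
]
ATTACK = [
    ("192.0.2.20", "203.0.113.10", "udp", 9000),   # flooding hosts
    ("192.0.2.21", "203.0.113.10", "udp", 9500),
    ("192.0.2.22", "203.0.113.10", "udp", 9100),
    ("192.0.2.23", "203.0.113.10", "udp", 8800),
    ("198.51.100.7", "203.0.113.10", "tcp", 1100),  # still-normal client
]


def bytes_by_host(flows):
    """Total bytes per (source IP, protocol) pair."""
    totals = Counter()
    for src, _dst, proto, nbytes in flows:
        totals[(src, proto)] += nbytes
    return totals


def filter_candidates(baseline, attack, ratio=5.0, min_bytes=5000, collapse_at=3):
    """Return (target, proto) pairs to hand to the ISP.

    A source is a candidate when its attack-time volume is at least `min_bytes`
    and more than `ratio` times what the baseline saw from it (unseen sources
    count as zero). If `collapse_at` or more candidates share a /24, the /24 is
    reported instead of the individual hosts.
    """
    base = bytes_by_host(baseline)
    hot = [key for key, vol in bytes_by_host(attack).items()
           if vol >= min_bytes and vol > ratio * base.get(key, 0)]
    by_net = defaultdict(list)
    for ip, proto in hot:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net[(str(net), proto)].append(ip)
    filters = []
    for (net, proto), hosts in sorted(by_net.items()):
        if len(hosts) >= collapse_at:
            filters.append((net, proto))        # whole network is the identifier
        else:
            filters.extend((h, proto) for h in sorted(hosts))
    return filters


if __name__ == "__main__":
    for target, proto in filter_candidates(BASELINE, ATTACK):
        print(f"request ISP filter: {proto} from {target}")
```

The thresholds are deliberately simple; in practice the baseline comes from the traffic profile you keep as part of normal preparation.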
Meanwhile, if the router(s) can’t be immediately identified, some tough decisions may need to be made, and quickly. Again, you and your ISP will need to communicate closely: will the actions that need to be taken lock legitimate users out of the network, and if so, how many? Would it be a fair trade-off?
ISPs can also permit certain types of traffic while denying others. This is another reason why it is important to determine which parts of your online presence are most critical to your business. The ISP can then give those services priority, mitigating some of the pain of the DDoS attack.
Sometimes a fix can be easily accomplished, at least temporarily. If the target of the DDoS attack is a single machine, a simple IP address change can end the flood. This is especially helpful for key servers (such as email or database servers) under attack. Another option, which might work for large companies, is to “throw bandwidth” at the attack and wait it out. It is neither the best nor the least expensive solution, but it might provide a temporary fix.
DDoS attacks must be taken seriously. The key is to be prepared in advance: have your detection systems in place, know your normal traffic, and be on good terms with your ISP. The two of you must start the investigation and mitigation as soon as possible once the attack begins. You and your ISP will need to work together. It is a time-consuming process; even a very large company may take several hours to halt an attack. But it can’t be ignored; lack of preparation will only make things much worse. You owe your customers better than that.