Effectively ward off DDoS attacks

Distributed denial-of-service (DDoS) attacks are a nuisance to companies that rely on web applications. We'll show you how to protect yourself from these cyber-attacks.
Those who want to ward off DDoS attacks should pay attention to the following points:
Analyse protection needs:
Before you decide on a solution to protect against DDoS attacks, you should analyse the protection needs of your company. The decisive factors are which of your company's systems can be reached over the Internet, how critical the associated business processes are and what impact their outages would have. A system or network failure caused by a DDoS attack lasts an average of twelve hours. What exactly does that mean for the business - for example, if the website is unavailable for a day? What costs would your company incur?
Consider type of attack:
The different types of DDoS attacks also play a role in the protection needs analysis. In addition to large-scale volumetric attacks, in which the attacker bombards the line until it is full, so-called multi-vector tactics are becoming increasingly prevalent, bombarding various corporate platforms simultaneously with requests.
Both types of attack require that the attacker's system has more bandwidth than the victim's system. Often these are distraction manoeuvres: while the IT department tries to cope with the so-called flooding of the Internet connection, the attacker, for example, gains access to company data via a vulnerability in the network.
But even low-bandwidth attacks can do damage. One example is connection attacks, where the attacker simulates the constant establishment of TCP connections to the target system. Attacks at the application level are also occurring more and more often, for example with the attacker constantly trying to log in with incorrect log-in data. Since the backend is constantly busy checking the log-in information, the application eventually crashes. Application-level attacks require less bandwidth. As a result, they can be performed more slowly and are much harder to recognize.
Evaluate protection:
For DDoS protection, you need Internet access protection that filters out attack traffic and forwards only "clean" data. Depending on the need for protection, the variants "on-premise" or "in the cloud" are recommended here. If you want to be sure, invest in a solution that combines both variants.
- On-Premise: Here an appliance is installed in the Internet connection - either directly in your company or in the backbone of your provider. This appliance filters out much of the traffic - much like a specialized virus scanner. The advantage: the protection takes effect immediately and requires no changes to the network. However, the on-premise variant is not suitable for large volumetric attacks. Here, the upstream provider is overloaded so quickly that the attack traffic does not reach the appliance.
- In the Cloud: With this variant, attacks can be intercepted as close to their starting point as possible, so that a large part of the attacks is filtered out. Depending on how comprehensive the protection should be, the cloud variant is available in two options. To protect individual servers, the company's DNS entry is converted into a virtual address; inbound traffic is checked and only forwarded to the company if it is "clean". To completely secure a network, the data traffic is diverted to the proxy server provider via the Border Gateway Protocol (BGP) routing protocol; the clean traffic is routed to the company via a generic routing encapsulation (GRE) tunnel. Cloud solutions can also effectively intercept large attacks. They are usually offered as on-demand solutions: as soon as a DDoS attack is suspected, the company initiates a corresponding diversion of its data traffic. The downside: manual intervention in the network configuration is required. As a result, the protection takes effect only after a delay of a few minutes.
- Additional security is provided by specialized monitoring solutions that examine network traffic for typical patterns of DDoS attacks.
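
The following sketch shows what such pattern monitoring can look like for the application-level case described above, where constant failed log-ins keep the backend busy at low bandwidth. It is an added example, not code from any product mentioned here; the log format, the use of status 401 for a failed log-in, the thresholds and the sample addresses (documentation ranges) are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO time> <source IP> POST /login <status>"
LINE = re.compile(r"^(\S+) (\S+) POST /login (\d{3})$")

def detect_login_floods(lines, window=timedelta(minutes=10), per_source_limit=20,
                        global_limit=100, min_fail_ratio=0.9):
    """Return (flagged_sources, global_alerts) for failed-login floods.

    per_source_limit catches a single client hammering the login endpoint.
    global_limit with min_fail_ratio catches a distributed flood in which
    every source stays below the per-source limit. Thresholds are assumptions.
    """
    per_src = defaultdict(deque)   # source -> failed-login times inside window
    recent, fails = deque(), 0     # all attempts inside window, and how many failed
    flagged, global_alerts = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue               # not a login attempt
        ts, src, failed = datetime.fromisoformat(m[1]), m[2], m[3] == "401"
        recent.append((ts, failed))
        fails += failed
        while ts - recent[0][0] > window:      # expire attempts older than window
            fails -= recent.popleft()[1]
        if failed:
            q = per_src[src]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= per_source_limit:
                flagged.setdefault(src, ts)    # keep the first time over the limit
        if len(recent) >= global_limit and fails / len(recent) >= min_fail_ratio:
            if not global_alerts or ts - global_alerts[-1] > window:
                global_alerts.append(ts)       # at most one alert per window
    return flagged, global_alerts

def sample_log():
    """Constructed sample: one noisy client, later a slow flood from 50 sources."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    log = [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 192.0.2.10 POST /login 401"
           for i in range(25)]
    log += [f"{(t0 + timedelta(minutes=30, seconds=4 * i)).isoformat()} "
            f"198.51.100.{i % 50 + 1} POST /login 401" for i in range(120)]
    log.append(f"{(t0 + timedelta(minutes=50)).isoformat()} 203.0.113.7 POST /login 200")
    return log
```

On the constructed sample, the single noisy client is flagged by the per-source limit, while the later flood from 50 sources, each with only two or three failures, is caught only by the global failure ratio.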