DDoS attacks: For the hell of it or targeted – how do you see them off?

Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them? Originally, out-of-band or scrubbing-centre DDoS protection was the only show in town, but another approach, inline mitigation, provides a viable and automatic alternative. DDoS attacks can be massive, in some cases …

  1. A Non e-mouse Silver badge

    I'm still no better informed as to how to protect against DDoS attacks....

    1. Dariskter

      You can use Cloudflare CDN

  2. astrax

    Mitigation misnomer

    Ironically, non-direct effects of DDoS attacks are pretty common. For example, one may experience intermittent packet loss due to an attack on another one of your ISP's customers who happens to share the same DC Router as you. In those instances, it is very unlikely that either an in-line or out of band solution would kick in. That's why I genuinely believe that unless your company has some *serious* bandwidth using multiple ISPs, the only realistic form of mitigation is upstream at the ISP level.

    Dropping attack packets is all well and good, dealing with pipe saturation with limited network resources is a different ball game entirely. The priority of any DDoS mitigation technique should be the preservation of legitimate traffic rather than the elimination of attack packets. Yes, you can't achieve the former without addressing the latter, but there are other factors to consider too (diverse routing, geographically diverse hosting etc.).

  3. IanCa

    not the best explained article

    was half expecting a sales pitch at the end from one of the on-premises (inline) anti-ddos box vendors at the end.

    as per astrax, it's only worth doing on-premises / inline mitigation, if you have enough raw upstream bandwidth to be able to handle a volumetric attack. i.e. you either are a decent size ISP, or an enterprise with LOTS of upstream (which do exist, I work at one). OR, you adopt a split strategy - on premises / always on for low/slow, upstream either in your ISP, or offload (e.g. BGP redirect) for high volume.

  4. Walter Bishop Silver badge
    Linux

    Cloud-based DDoS defences introduce delays

    "Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them?"

    Disconnect all those compromised Windows desktops out there on the Internet.

    1. Alister Silver badge

      Re: Cloud-based DDoS defences introduce delays

      "Disconnect all those compromised Windows desktops out there on the Internet."

      And what about all those compromised Linux-based routers, and DNS servers, and so on?

      1. NotBob
        Joke

        Re: Cloud-based DDoS defences introduce delays

        Shush!

        If we play our cards right, maybe we can spin this into The Year of Linux on the Desktop

      2. Tabor

        Re: Cloud-based DDoS defences introduce delays

        Routers and DNS servers? The "and so on" might include web servers. Often poorly secured, or vulnerable in other ways (SQL injection is still a thing unfortunately) and ideal to start a DDoS attack from. Because usually in a DC, and with a big upstream pipe...

    2. DJ Smiley

      Re: Cloud-based DDoS defences introduce delays

      Because the two largest ever seen DDoS's were Windows boxes, right.

      Yeah, exactly. I'm a Linux user, but stupid comments like this help no one.

  5. Anonymous Coward

    I'd add

    DDoS can also be used to mask other attacks on your systems. Which really emphasizes the need for more rapid detection and notification.
