
Protecting Your Network From DoS Attacks

When it Comes to DDoS Attacks, it’s Important to Remember That There Will Likely Never be a Single Silver Bullet.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are increasingly common problems for enterprise networks. DDoS campaigns are commonly used by hacktivists to embarrass or otherwise disrupt a target company or government agency. Unfortunately, the problem isn’t limited to hacktivist groups. Botnets controlled by criminal groups can recruit thousands and even millions of infected machines to join in a truly global DDoS attack, enabling the gang to essentially extort a ransom from the target network in order to stop the attack.

Regardless of the source, defending a network from these DDoS attacks has become an integral part of any IT threat prevention strategy. Doing so can be particularly challenging in that it requires a layered strategy that integrates multiple types of technology, both inside and outside of an enterprise.

In this column we will take a brief look at some anti-DDoS best practices and what an overall DDoS strategy could look like.

Begin Upstream

For many of us in network security, layered defenses are thought of as beginning at the perimeter, and this works well for stopping exploits, malware and the like. However, DDoS attacks are fundamentally about volume, and as such you want to start to stanch the flood of DDoS traffic as far upstream as possible. In this regard ISPs are increasingly important partners in the fight against DDoS attacks. ISPs can monitor Internet links and filter or black hole traffic to keep DDoS traffic from ever reaching the customer network in the first place. This requires IT to develop a working relationship with their ISP to fully understand what services they can provide, and then to build out a DDoS mitigation plan. The important lesson here is: don’t wait until you are in the midst of an attack. Know your contacts, the process for engaging with your ISP, and how to escalate problems as needed.

Think Globally

At the risk of being obvious, one of the big challenges of dealing with a distributed denial-of-service attack is the fact that the attack is…distributed. There isn’t one lone IP address to ignore – there are thousands and thousands of machines around the world that are recruited into the attack, typically as part of a botnet. A potential option is to deny or limit traffic by policy coming from countries where you don’t do business. This wouldn’t solve the DDoS problem by itself obviously, but it could help reduce the footprint of an attack.


DDoS Policies

Of course, DoS attempts will eventually end up on your doorstep, and you will need to repel the attack and protect your assets. This is where DoS protection policies in a modern firewall are particularly powerful.

These rules target the various types of traffic floods such as SYN, UDP, and ICMP floods. You should also set rules for the maximum number of concurrent sessions to ensure that sessions can’t overwhelm resources. Setting a threshold is relatively simple. The key is to tune policies to look not only at the network as a whole, but also to establish more targeted thresholds for individual critical assets and IP addresses.

As an example, you may want to set an overall ceiling on the SYN packets that should be allowed for an entire network segment. However, you would also want to create a more targeted rule that specifies the total SYN packets that should be allowed to a specific IP address on a critical server interface. By combining aggregate and specific DoS protections you can build in a great deal of protection not only for the network in general but also for the critical systems and services that the network can’t live without.
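To show why the aggregate and the targeted thresholds are both needed, here is an added example (not from the column or any firewall vendor) that buckets constructed SYN records per second and checks them against a segment-wide ceiling and a tighter per-host ceiling for one critical server; the IP addresses and limits are made up for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample SYN records as (second, destination IP), assumed to be
# what a SYN-flood counter on the segment would observe over three seconds.
SAMPLE_SYNS = (
    [(0, "10.0.0.5")] * 350        # second 0: burst aimed at the critical server
    + [(0, "10.0.0.20")] * 40
    + [(1, "10.0.0.5")] * 120      # second 1: burst subsides
    + [(1, "10.0.0.20")] * 50
    # second 2: 1200 SYNs spread thinly over four non-critical hosts
    + [(2, ip) for ip in ("10.0.0.7", "10.0.0.8", "10.0.0.9", "10.0.0.10")
       for _ in range(300)]
)

SEGMENT_LIMIT = 1000               # aggregate SYN/s ceiling for the whole segment
HOST_LIMITS = {"10.0.0.5": 200}    # tighter SYN/s ceiling for the critical server


def count_syns(records):
    """Bucket SYN records per second: {second: Counter({dst_ip: count})}."""
    buckets = defaultdict(Counter)
    for second, dst in records:
        buckets[second][dst] += 1
    return buckets


def evaluate(records, segment_limit, host_limits):
    """Return (second, scope, count, limit) for every second in which either
    the segment-wide ceiling or a per-host ceiling is exceeded."""
    alerts = []
    for second, per_host in sorted(count_syns(records).items()):
        total = sum(per_host.values())
        if total > segment_limit:
            alerts.append((second, "segment", total, segment_limit))
        for dst, limit in host_limits.items():
            if per_host[dst] > limit:       # Counter returns 0 for absent hosts
                alerts.append((second, dst, per_host[dst], limit))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_SYNS, SEGMENT_LIMIT, HOST_LIMITS):
        print("second %d: %s saw %d SYNs (limit %d)" % alert)
```

In second 0 the flood against 10.0.0.5 stays well under the segment ceiling and is caught only by the per-host rule; in second 2 the distributed flood trips the aggregate rule while no single host exceeds its own limit.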

Detection of DDoS Tools

The next step is to identify and block DDoS tools used by attackers. Hacktivist groups will often rely on very simple tools or easily distributable scripts that can be used by users with basic computer skills. LOIC (the Low Orbit Ion Cannon) has been a popular tool in various Anonymous projects as well as other hacktivist operations. Investigate your IPS and firewall solutions to ensure they can identify and block attacks driven by LOIC, Trinoo and related tools.

Controlling Botnets to Control DDoS

While it’s paramount to be prepared for a DDoS against your network, it’s also important to ensure that your network doesn’t contribute to an attack elsewhere. Many DDoS attacks are the work of botnets that leverage an army of infected machines to send traffic to a specific target. Finding machines that are infected by a botnet and blocking the all-important command-and-control traffic will benefit your security in a number of ways, and in the process will ensure that you are not an unwitting contributor to a DDoS attack.

When it comes to DDoS, it’s always important to remember that there will likely never be a single silver bullet. Stopping DDoS attacks requires a blend of strong local security controls as well as efforts to mitigate the attack upstream. Using these techniques in a coordinated way will help you to build an overall approach to coping with a DDoS attack.
