Cloud Based DDoS Mitigation
If you can afford it, ensure that your Internet Service Provider gives you a clean pipe using cloud based DDoS mitigation. If you use multiple links, ensure that both links are protected.

There is always a signficant amount of residual DDoS that will flow through. That's why you need a DDoS mitigation system in your network to handle the remainder of the attack.

IntruGuard helps cloud service providers with solutions for DDoS attack mitigation as well.

If your service provider doesn't provide DDoS attack mitigation services, you must take care of your own network to avoid collateral and other damages.

Edge Router Access Control Lists
Access lists in the router can be used to block certain addresses, if such addresses can be known a priori. But websites open to the public are, by nature, open to connections from individual computers, which are exactly the agents hackers use to initiate attacks.

Robust edge routers provide a robust data center infrastructure. They are the key to a solid foundation. Their high performance makes them sustain large DDoS attacks without performance loss. Juniper Routers provide the ability to perform packet-filtering and black-hole routing combined with Traffic Flow Filtering capability data center administrator today use primarily two methods to mitigate attacks once they have been discovered by the NOC; packet filters, and black-hole routing. Packet filters, also referred to as firewall filters or access control lists, are set in the edge routers to rate limit or discard traffic being sent to or from specific IP addresses. Packet filtering in edge routers is useful when you know the cause and the source of DDoS and can apply it without affecting legitimate traffic.

Black-hole routing in edge routers has been used in the past for DDoS mitigation. But it effectively denies all traffic towards the victim. This is one of the major shortcomings in black-hole routing. It is still a good weapon to keep in reserve when nothing else seems to work.

Traffic Flow Filters in edge routers are a better alternative to black-hole routing. They cleanly separate the filtering and forwarding information. This simplifies the operation and limits the risk of configuration mistakes. Using BGP, all inter AS routing information is exchanged between service providers. MP-BGP is exclusively used to exchange VPN routing information, and many service providers use iBGP for intra AS routing updates as well. This helps the service providers to user BGP running on edge routers to exchange traffic flow filter for DDoS mitigation.

DDoS Mitigation Using DDoS Mitigation Hardware Appliances

Visibility in the network is the next important key to DDoS mitigation. The administrators need to know what services are running on their network, where the most traffic is, where the excess bandwidth is, whether there is a worm outbreak, whether there is a non-mission-critical large file download causing outage to mission-critical services, and so on. Administrators need to identify the network slowdown causes. For network planning purposes, they need to gain visibility into inventory, dependency and usage of the network. They must be able to leverage visibility into the network to improve consolidation, segmentation and disaster recovery planning projects. This will help them budget cost allocation for network resources.

This approach not only improves the performance of the physical network, but it gives administrators the flexibility and insight they need to introduce new services and create new revenue opportunities. Visibility into the network helps administrators by providing a clear understanding of the nature of all traffic flows crossing the network, through inspection of the packets on the network.

IntruGuard’s IG2000 helps monitor and control network activity, helping administrators optimize the network

for long-term service improvements and mitigate short-term problems before they impact service levels. It collects usage statistics on a continuous basis, offering real-time visibility into all aspects of the network. This helps network administrators understand the past and the present, as well as make intelligent forecasts on future behaviors to preempt potential network issues. The devices can report on abnormal phenomena as they happen and automatically mitigate them and maintain service levels.

The IG2000 provides visibility of the network traffic at the highest level of granularity in the industry. Packet rates in two directions to different network segments for various network Layer 2, 3 and 4 header parameters are available for visualization and control of bandwidth or access.

With this kind of granularity shown over historic and current data, the administrator and operations person can easily spot deviations. The system maintains a dynamic baseline based on past average, trends and seasonality for each of the preceding and can easily take actions to prevent overages.
This visibility and past and present reporting is useful for compliance reporting such as Sarbanes Oxley (SoX).

A full year’s worth of traffic and event information is archived in the system for reporting purpose.
After granular visibility comes the automated mitigation. IG2000 provides automated mitigation from slow, fast, stealth, non-stealth, spoofed and non-spoofed attacks. These include such common attacks as SYN flood, botnet floods, port floods, fragment floods, ICMP floods and so on. Besides mitigating attacks, the systems report the attack events and their details via easy-to-use GUI, SNMP traps or email/pager notifications. Easy-to-interpret management reports summarize the past incidents at a macro level.

This DoS mitigation exceeds the PCI DSS Level 3 vulnerability requirements for compliance reporting besides meeting and exceeding all requirements for scans such as dark address scans. In addition, requirements related to all header and state anomalies are met and exceeded.
A large DDoS attack can easily overwhelm most mission critical servers and firewalls, it is clear that presence of a clean pipe solution helps the subsequent infrastructure which includes the network and node protection infrastructure.

Firewalls
Firewalls can go a long way to solving some problems by restricting access to authorized users and blocking unwanted protocols. As such, they are a valuable part of a security strategy.

Firewalls offer some security against a single user DoS attack by denying access to the offending connection (once it is known). Firewalls perform a valuable service in an integrated security strategy, but firewalls alone are not enough.

Their ability to hide private networks using Network Address Translation (NAT) is extremely valuable in network security architecture.

Intrusion Detection, Prevention (IDP) Systems

Using IDP, the administrators can secure the data center network from sophisticated attacks and improve the overall security stance of the network.

IPS technology applies a deeper level of application understanding to the traffic to make access control decisions based on the intent of that traffic. Deployed at the traditional security perimeter, a Juniper Networks Deep Inspection firewall focuses on preventing application-level attacks aimed at commonly used protocols. As a true IPS, Deep Inspection eliminates application-level ambiguities, performing de-fragmentation, reassembly, scrubbing and normalization, to convert network packets to the application-level message being transferred between the client and the server. It then looks for protocol conformance and extracts data from identified application "service fields" where attacks are perpetrated and applies attack pattern matches. It then decides to accept or deny the traffic based on high impact protocol anomalies or any given attack pattern in one of these application service fields. Unlike some IDS offerings masquerading as an IPS, Deep Inspection can take any one of seven different decisive actions against an attack to stop application-level attacks at the Internet gateway so they never reach their destination. For high speed perimeter and internal network environments where performance and attack protection demands dictate that an integrated solution is the ideal approach. With integrated, best-in-class Intrusion Detection and Prevention (IDP)—stops worms, Trojans, Spyware, malware and other emerging attacks from penetrating and proliferating across the network.