A distributed denial-of-service attack (DDoS) is one of the toughest foes a website can face and one of the most high-profile cyber security threats of 2018. Companies, governments and political organizations are often targeted, and many times the hackers seek "credit". In spite of this, most cyber assaults against large sites are foiled and aren't widely reported. For users and website owners, those unreported cyber attacks are just noise under their radar.
Verizon Digital Media Services’ security team, pays close attention to DDoS attacks, in part because there are so many of them. We see small ones every day, with an average amount of 150,000 connects per second. Those are easily managed. It's when we see millions of connects per second that we have to enforce aggressive DDoS best practices.
We're able to mitigate most cyber attacks on our customers’ sites, but we try our best to remain strategically vague when discussing our DDoS best practices. This helps us prevent educating hackers. Read on to learn about five DDoS best practices that will help you reduce the frequency and intensity of distributed denial-of-service attacks against your site.
DDoS best practices #1: Assume your website is always under cyber attack.
- Due to the size and scale of the internet and the countermeasures that the good guys have put into place, more than 99% of the time, a DDoS attack doesn't have a major effect; once in a while there's a massive onslaught that does. So, why are there so many cybersecurity threats? Because standard internet practices make it easy. For example, reverse path filtering is turned off by default on most routers. Since DDoS attacks tend to come from spoofed IP addresses, turning on reverse path filtering at the ISP level (customers can't do it themselves) can be an effective way of countering them. And spoofed IP addresses make up only one category. There are many different types of DDoS attacks (DNS, http, etc.). Make sure your defenses account for all types of cyber threats.
- DDoS best practices #2: Be vigilant against phishing.
It's a lot easier to launch a cyber attack if you have keys to the target. Phishing is a highly effective way to gain website credentials. Needless to say, that's important for stopping DDoS attacks and more. When the satirical website The Onion had its Twitter compromised, their engineers posted a useful, transparent report of how that happened, including a useful "don't let this happen to you" list of bullet points for staying phish-free.
- DDoS best practices #3: Get additional cybersecurity with a content delivery network (CDN).
This is just practical advice, regardless of the fact that Verizon Digital Media Services is in the CDN business. Many people think of CDNs primarily as a way to deliver content more quickly – and it is –but another major benefit of signing up with a CDN is that it offers you additional layers of protection. The distributed nature of a CDN also helps absorb DDoS attacks. And CDNs monitor their networks 24 x 7, with both automatic and manual resources in place to reduce the impact of cyber attacks. Working with a CDN can relieve the worry and frustration of incessant security breaches.
- DDoS best practices #4: How your website distributes content can determine your vulnerability to DDoS attacks.
If you utilize a CDN, you must without exception secure all of your content on the CDN. We find customers can run into problems when they publish nearly all of their content on a CDN, but for some reason put 2 percent or so of their public-facing content on a static server. A savvy cyber attack can target the 2 percent of content hanging out there and crash the whole website. How a site distributes content is quite important.
- DDoS best practices #5: Audit your DDoS mitigation techniques regularly.
Don't let cyber attacks be the first opportunity you take to test your defenses. Auditing makes sure your DDoS mitigation techniques work as expected. And you may want to have a cloud-based security provider manage this – it's a way to make sure you're ready for the 3 a.m. strike without being awake yourself.
Remember, the first rule of thumb is not to talk specifics about your DDoS technique. The daily operational success of your website will show how good a job you’re doing, but vigilance, plus adoption of the DDoS best practices above, make it a lot easier for engineers to keep your websites secure.
Contact us to learn how our DDoS protection can secure your websites against cybersecurity threats 24 x 7 or download the fact sheet.