DDoS Mitigation Solution Checklist

If your enterprise is evaluating DDoS mitigation solutions, it helps to have a checklist of criteria for comparing the options. We hope this post provides some important points to consider:
  • Global anycast network: scrubbing centers must use anycast to mitigate large volumetric attacks.
  • Geographically dispersed scrubbing centers, located according to where your customer base is.
  • The DDoS infrastructure should use redundant components.
  • Infrastructure should have an availability of more than 99%.
  • Legitimate traffic redirected to scrubbing centers must not be dropped.
  • Packet loss for clean traffic should be less than 0.1%.
  • When a DDoS attack occurs, mitigation must start no more than 15 minutes after traffic is diverted to the scrubbing center.
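The availability, clean-traffic packet loss and time-to-mitigate points above are all measurable, so a vendor's monthly figures can be checked against them rather than taken on trust. The script below is an added example (not from the original post): it takes a reporting period, the provider's downtime, clean-traffic packet counters and an incident log, and reports which checklist thresholds pass. All measurements and incident names in it are constructed sample data.

```python
# Added example (not from the original post): check a scrubbing provider's
# measured service levels against the thresholds in the checklist above.
# All measurements below are constructed sample data, not real vendor figures.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds stated in the checklist
MIN_AVAILABILITY_PCT = 99.0      # infrastructure availability must exceed 99%
MAX_CLEAN_LOSS_PCT = 0.1         # packet loss for clean traffic must stay under 0.1%
MAX_MITIGATION_START = timedelta(minutes=15)  # mitigation must begin within 15 min of diversion


@dataclass
class Incident:
    """One attack, as the provider would report it in its incident log."""
    name: str
    diverted_at: datetime    # traffic steered to the scrubbing center
    mitigating_at: datetime  # provider confirms mitigation is active


def availability_pct(period_hours: float, downtime_hours: float) -> float:
    """Availability over a reporting period, as a percentage."""
    if period_hours <= 0:
        raise ValueError("period must be positive")
    return 100.0 * (1.0 - downtime_hours / period_hours)


def clean_loss_pct(packets_sent: int, packets_received: int) -> float:
    """Loss on clean (legitimate) traffic passed through the scrubbing center."""
    if packets_sent <= 0:
        raise ValueError("no clean traffic was measured")
    return 100.0 * (packets_sent - packets_received) / packets_sent


def late_mitigations(incidents) -> list:
    """Names of incidents where mitigation started later than the threshold."""
    return [i.name for i in incidents
            if i.mitigating_at - i.diverted_at > MAX_MITIGATION_START]


def evaluate(period_hours, downtime_hours, sent, received, incidents) -> dict:
    """Return each criterion's measured value and whether it passes."""
    avail = availability_pct(period_hours, downtime_hours)
    loss = clean_loss_pct(sent, received)
    late = late_mitigations(incidents)
    return {
        "availability_pct": (round(avail, 3), avail > MIN_AVAILABILITY_PCT),
        "clean_loss_pct": (round(loss, 4), loss < MAX_CLEAN_LOSS_PCT),
        "late_mitigations": (late, not late),
    }


# Constructed sample: a 30-day period with 4 hours of downtime, 10 million clean
# packets of which 5,000 were lost, and two attacks with different response times.
SAMPLE_INCIDENTS = [
    Incident("attack-1", datetime(2024, 3, 2, 10, 0), datetime(2024, 3, 2, 10, 9)),
    Incident("attack-2", datetime(2024, 3, 18, 22, 30), datetime(2024, 3, 18, 22, 52)),
]


def evaluate_sample() -> dict:
    return evaluate(30 * 24, 4, 10_000_000, 9_995_000, SAMPLE_INCIDENTS)


if __name__ == "__main__":
    for criterion, (value, ok) in evaluate_sample().items():
        print(f"{criterion:18} {value!s:22} {'PASS' if ok else 'FAIL'}")
```

With the constructed sample, availability (about 99.44%) and clean-traffic loss (0.05%) pass, while the second incident fails the 15-minute requirement because mitigation began 22 minutes after diversion. Asking the vendor for the raw timestamps behind each incident, rather than a summary percentage, is what makes this kind of check possible.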

The DDoS solution should:

  • Provide a defined mitigation process, with the steps and escalation contact details published.
  • Be able to scrub up to 100 Gbps of DDoS traffic at each scrubbing center.
  • Not require the client to purchase additional ISP bandwidth.
  • Update DDoS threat signatures regularly within the DDoS monitoring and scrubbing function.
  • Update DDoS threat signatures (known DDoS attack patterns) within 2 hours of their announcement.
  • Allow you to redirect prefixes of varying size for DDoS scrubbing.
  • Allow redirection of all traffic for a specific IPv4 prefix (size /24) to scrubbing centers.
  • Not be dependent on any specific ISP.
  • Not rely on passing ACL rules upstream to ISP providers.
  • Have DDoS scrubbing centers connected to at least two tier-1 ISPs.
  • Be able to monitor and mitigate application layer protocols including HTTP, HTTPS, SSL, FTP, SFTP, etc.
  • Be able to monitor and mitigate attacks carried in encrypted traffic.
  • Automatically mitigate detected threats without human intervention or “firefighting”.
  • Provide a client-managed recipient list for notifications when attacks occur and are mitigated.
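The two redirection points above (prefixes of varying size, and a specific /24) imply that your own side needs a sanity check before a diversion is requested: the prefix must be well formed, must belong to you, and must be no longer than a /24, since a /25 or longer is not accepted in the global BGP table and a diversion announced for it would never attract the traffic. The following is an added example, not code from the original post or from any provider; the allocation it uses is constructed from RFC 5737 documentation ranges.

```python
# Added example (not from the original post): validate a request to divert an
# IPv4 prefix to the scrubbing center before it is acted on. The allocation
# below is constructed from RFC 5737 documentation ranges; the /24 limit is the
# checklist's prefix size and also the longest prefix generally accepted in the
# global BGP table.
import ipaddress
from typing import List, Tuple

# Constructed: address space the organization holds and may ask to divert.
ALLOCATED: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/23"),
]

# Longest prefix length the provider can re-announce upstream (a /25 or longer
# is not globally routable, so diverting it would never attract the traffic).
MAX_PREFIXLEN = 24


def validate_diversion(prefix: str, allocated=ALLOCATED) -> Tuple[bool, str]:
    """Return (accepted, reason) for a diversion request."""
    try:
        # strict=True rejects a prefix with host bits set, e.g. 203.0.113.5/24
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as err:
        return False, f"malformed prefix: {err}"
    if net.version != 4:
        return False, "only IPv4 diversion is covered by this check"
    if net.prefixlen > MAX_PREFIXLEN:
        return False, f"/{net.prefixlen} is longer than /{MAX_PREFIXLEN} and will not route upstream"
    if not any(net.subnet_of(block) for block in allocated):
        return False, "prefix is outside the organization's allocation"
    return True, "ok"


def split_for_diversion(prefix: str) -> List[str]:
    """Break a larger allocated block into /24s so a diversion can be scoped
    to the attacked part only (the 'prefixes of varying size' requirement)."""
    ok, reason = validate_diversion(prefix)
    if not ok:
        raise ValueError(reason)
    net = ipaddress.ip_network(prefix)
    return [str(s) for s in net.subnets(new_prefix=MAX_PREFIXLEN)]


if __name__ == "__main__":
    for request in ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.0/24",
                    "203.0.113.5/24", "2001:db8::/32"]:
        print(request, validate_diversion(request))
    print(split_for_diversion("198.51.100.0/23"))
```

Running it shows the /24 and the /23 accepted, the /25 refused as too long, the unallocated 192.0.2.0/24 refused as not yours, and the malformed and IPv6 requests refused outright; the /23 is split into its two /24s so that only the attacked half need be diverted.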

Your DDoS solution MUST offer detection and mitigation for threats at OSI layers 3-7, and MUST NOT be confined to layers 3-4 only. At a minimum, the threats covered should include, but not be limited to:

  1. ICMP Flood
  2. SYN Flood
  3. Ping of Death
  4. HTTP & HTTPS Attacks
  5. Fragmented Packet Attacks
  6. DNS Server Attacks
  7. Smurf
  8. Teardrop
  9. Low-Rate DoS Attacks
  10. Permanent DoS Attacks
  11. Nuke Attacks
  12. Slowloris
  13. Peer-to-Peer Attacks
  14. Application level floods
  15. Zero-Day DDoS Attacks

The DDoS solution MUST be able to detect and mitigate the following types of attack:

  1. Volume based attacks
  2. Protocol Attacks
  3. Application Layer Attacks

Any DDoS detection equipment associated with the deployment SHOULD be provided as a supplier-managed appliance and billed as a service. You may think that you want to manage this yourself, but think again! Done correctly, this is a resource-intensive task.

The DDoS solution must provide easily accessible statistics:

  • Statistics must be readily available on demand or via a portal-based system, describing the level of DDoS activity detected and mitigated.
  • DDoS flow statistics should be supplied monthly.
  • DDoS statistics should be communicated via email and via the ‘portal’.
  • DDoS statistics history should be available to the client to view on demand.

Consider the value of outside experts to assist your enterprise in selecting the ideal DDoS solution for your requirements.  Contact SASE Experts today to learn more.
