O'Reilly Modern Defense in Depth

Applying DDoS defenses as the next line of defense protects the entire cloud infrastructure against DDoS attacks. When attacks target the Domain Name System (DNS) with volumetric or protocol-based attacks, DDoS defenses should be engaged immediately to protect DNS. When attacks begin targeting the networks that support websites and applications, similar defenses can be engaged to protect the network layer. Finally, when attacks against websites and applications are detected, Layer 7 (L7) DDoS mitigation points can be notified of the attacks and used to thwart them with L7 DDoS protection layers.

To defeat DDoS attacks, organizations must have defenses in place that address each attack at the proper protocol layer. Because DDoS attacks come in many flavors (for example, attacks that take advantage of Layer 3, 4, and 7 vulnerabilities), defenses must be implemented at the appropriate layer. These defenses might include various detection and mitigation algorithms, ACLs, protocol whitelists, and IP blacklists.

Defensive Line 3: DNS

In the early days of the internet, organizations first relied on their upstream internet service providers (ISPs) to manage DNS on their behalf. As organizations became more reliant on the internet for the very success of their online business models, they began hiring teams of specialists and brought DNS on premises. Measures to handle equipment failures and circuit outages were adequately implemented; however, some organizations managing DNS completely on their own found it cost prohibitive and risky. From a web application availability perspective, nothing is more important than adequately addressing the critical nature of the internet's DNS architecture; an organization that wants to be found on the internet must have a bullet-proof DNS implementation. Implementing managed DNS as the next line of defense focuses on its capacity for ensuring the availability of web applications.

Because DNS operates as the single directory service on the internet, without DNS the internet would cease to provide the tremendous value it does today. Simply put, DNS drives availability, and any threats that would affect availability must be adequately addressed in this line of defense.
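Returning to the per-layer DDoS defenses described above (DNS, network, and L7, each with its own detection and mitigation), the following added example, which is not from the O'Reilly report, shows how a defender might sort observed traffic into those layers and pick the matching mitigation. The flow records, the protocol whitelist, the per-source thresholds, and the mitigation descriptions are all constructed assumptions for illustration; a real deployment would derive thresholds from baselining and drive its actual mitigation platform rather than return strings.

```python
"""Per-layer DDoS detection and mitigation selection over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (constructed for this example, not real telemetry)."""
    src_ip: str
    proto: str         # "udp", "tcp" or "icmp"
    dst_port: int
    pps: int           # packets per second from src_ip toward this destination
    http_rps: int = 0  # HTTP requests per second (meaningful only for L7 flows)


# Protocol/port pairs the site legitimately serves; anything else is dropped by ACL at L3/L4.
PROTOCOL_WHITELIST = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}

# Per-source thresholds (assumed values; real ones come from baselining normal traffic).
DNS_PPS_THRESHOLD = 2000   # queries per second from one source to port 53
NET_PPS_THRESHOLD = 5000   # packets per second from one source to any whitelisted service
L7_RPS_THRESHOLD = 300     # HTTP requests per second from one source

# Constructed sample telemetry covering a DNS flood, an L7 flood, two L3/L4 floods and benign traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "udp", 53, pps=120),                 # normal resolver traffic
    Flow("203.0.113.9", "udp", 53, pps=48000),                # DNS volumetric flood
    Flow("192.0.2.44", "tcp", 443, pps=900, http_rps=850),    # L7 HTTP request flood
    Flow("192.0.2.10", "tcp", 443, pps=40, http_rps=12),      # normal web client
    Flow("203.0.113.200", "icmp", 0, pps=30000),              # ICMP flood, protocol not served
    Flow("198.51.100.80", "tcp", 80, pps=7000, http_rps=5),   # packet flood on an allowed port
]

MITIGATIONS = {
    "dns": "divert port 53 to DNS scrubbing and rate-limit the source",
    "network": "install an edge ACL dropping the source",
    "application": "enable L7 challenge/rate-limit and add the source to the IP blacklist",
}


def classify_layer(flow):
    """Return the defensive layer a flow belongs to, or None if it looks benign."""
    if (flow.proto, flow.dst_port) not in PROTOCOL_WHITELIST:
        return "network"        # protocol whitelist violation: handled by L3/L4 ACL
    if flow.dst_port == 53 and flow.pps > DNS_PPS_THRESHOLD:
        return "dns"            # query flood against the resolver/authoritative service
    if flow.dst_port in (80, 443) and flow.http_rps > L7_RPS_THRESHOLD:
        return "application"    # completed HTTP requests at flood rate: L7 problem
    if flow.pps > NET_PPS_THRESHOLD:
        return "network"        # packet flood toward an allowed service, few real requests
    return None


def plan_mitigations(flows):
    """Group attacking sources by layer and attach the layer-appropriate mitigation."""
    by_layer = defaultdict(list)
    for flow in flows:
        layer = classify_layer(flow)
        if layer:
            by_layer[layer].append(flow.src_ip)
    return {layer: {"sources": sorted(set(ips)), "action": MITIGATIONS[layer]}
            for layer, ips in by_layer.items()}


def ip_blacklist(flows):
    """Sources the L7 layer should block outright (application-layer abusers)."""
    return sorted({f.src_ip for f in flows if classify_layer(f) == "application"})


if __name__ == "__main__":
    for layer, entry in plan_mitigations(SAMPLE_FLOWS).items():
        print(f"{layer:12} {entry['sources']} -> {entry['action']}")
```

The ordering of the checks in classify_layer matters: a protocol the site never serves is rejected by the whitelist before any rate threshold is consulted, and a flood that completes real HTTP requests is escalated to the L7 layer even though its packet rate alone would not trip the network threshold. That mirrors the report's point that each attack must be handled at its own layer rather than by a single catch-all filter.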
