Best Practices for DDoS Mitigation Strategies

Distributed Denial of Service (DDoS) attacks come suddenly, with no warning, and can incapacitate a company or organization just as suddenly. While we’ve learned a great deal about the types and flavors of DDoS attacks, not enough has been researched and written on how best to mitigate the risks of DDoS attacks.

This has been a top priority for the operators of research and academic networks. National Research & Education Networks (NRENs), like IUCC, are tasked with the responsibility of keeping academic and scientific research humming all over the world.

I have been part of a GÉANT GN4-3 research team studying the current methods of detecting and mitigating Distributed Denial of Service (DDoS) attacks to help NRENs identify areas that need to be changed or improved in their DDoS mitigation strategies.

NREN networks are a great testbed for studying methods and techniques because research traffic patterns are very diverse. This diversity makes strict thresholds for DDoS detection or mitigation less effective and requires NRENs to invest more effort in network-related configuration and documentation. A lot can therefore be learned from the types of solutions deployed relatively successfully in NREN environments and applied to risk mitigation, network planning and deployment in other environments – like industry and service provision.

Part of our research involved a comprehensive survey of existing systems and processes used by NRENs to battle DDoS attacks. These include systems based on NetFlow (or comparable technologies such as sFlow and IPFIX), network taps (physical and logical), and router command-line interface (CLI) queries.
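To make the point about strict thresholds concrete, here is an added example (written for this post, not code from the GN4-3 report or from any NREN's tooling) that runs two detection rules over constructed IPFIX-style flow records. One destination receives a legitimate ten-fold burst from a single research data mover; another receives a flood of small packets from many sources. A fixed packets-per-window limit flags both, while a rule that compares each destination against its own recent baseline and also looks at source count and packet size flags only the flood. The flow records, IP addresses and all thresholds and multipliers are illustrative assumptions.

```python
"""Flow-record DDoS detection: fixed threshold vs. per-destination baseline.

Added example, not part of the original post or the GN4-3 report. The flow
records are constructed (IPFIX-style fields) and the limits are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records: (window, src_ip, dst_ip, packets, bytes).
# Windows 0-4 are a quiet baseline. Window 5 holds two events: a large but
# legitimate transfer burst from one source to 10.1.0.20 (a data mover),
# and a flood of small packets from 100 sources to 10.1.0.50 (a web server).
FLOWS = []
for w in range(5):
    FLOWS += [
        (w, "192.0.2.10", "10.1.0.20", 40_000, 60_000_000),   # steady transfer
        (w, "198.51.100.7", "10.1.0.50", 2_000, 1_500_000),   # normal web traffic
        (w, "198.51.100.8", "10.1.0.50", 2_500, 1_800_000),
    ]
FLOWS += [
    (5, "192.0.2.10", "10.1.0.20", 400_000, 600_000_000),  # legit 10x burst, 1 src
    (5, "198.51.100.7", "10.1.0.50", 2_000, 1_500_000),
]
# Flood: 100 distinct sources, 60-byte packets, all aimed at 10.1.0.50.
FLOWS += [(5, f"203.0.113.{i}", "10.1.0.50", 3_000, 180_000) for i in range(1, 101)]


def aggregate(flows):
    """Per (window, dst): packet count, byte count and the set of distinct sources."""
    agg = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": set()})
    for window, src, dst, pkts, nbytes in flows:
        entry = agg[(window, dst)]
        entry["pkts"] += pkts
        entry["bytes"] += nbytes
        entry["srcs"].add(src)
    return agg


def fixed_threshold_alerts(flows, window, pkt_limit=100_000):
    """Strict rule: flag any destination above an absolute packets-per-window limit."""
    agg = aggregate(flows)
    return {dst for (w, dst), a in agg.items() if w == window and a["pkts"] > pkt_limit}


def baseline_alerts(flows, window, k_pkts=5.0, k_srcs=3.0, bpp_drop=4.0, pkt_limit=100_000):
    """Baseline rule: flag a destination only if its packet rate jumps well above
    its own median from earlier windows AND the traffic shape changed (many more
    distinct sources, or a collapse in bytes per packet). A large burst from the
    usual peer with normal-sized packets is left alone."""
    agg = aggregate(flows)
    current_dsts = {dst for (w, dst) in agg if w == window}
    alerts = set()
    for dst in current_dsts:
        cur = agg[(window, dst)]
        history = [agg[(w, d)] for (w, d) in agg if d == dst and w < window]
        if not history:
            # No baseline yet for this destination: fall back to the strict rule.
            if cur["pkts"] > pkt_limit:
                alerts.add(dst)
            continue
        base_pkts = median(h["pkts"] for h in history)
        base_srcs = median(len(h["srcs"]) for h in history)
        base_bpp = median(h["bytes"] / h["pkts"] for h in history)
        cur_bpp = cur["bytes"] / cur["pkts"]

        volume_spike = cur["pkts"] > k_pkts * base_pkts
        many_new_sources = len(cur["srcs"]) > k_srcs * base_srcs
        tiny_packets = cur_bpp < base_bpp / bpp_drop
        if volume_spike and (many_new_sources or tiny_packets):
            alerts.add(dst)
    return alerts


if __name__ == "__main__":
    print("fixed threshold, window 5:", sorted(fixed_threshold_alerts(FLOWS, 5)))
    print("baseline rule,   window 5:", sorted(baseline_alerts(FLOWS, 5)))
```

The baseline rule still needs per-site tuning (the multipliers here are guesses), and a destination with no history falls back to the strict limit, which is exactly the case where documented knowledge of the network's expected traffic has to fill the gap.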

We also reviewed techniques for mitigating DDoS attacks, including remotely triggered black hole (RTBH), access control lists (ACLs), anti-spoofing, rate limiting, application/server-level mitigation, flowspec, Border Gateway Protocol (BGP) diversion, distributing assets, reducing the attack surface and external DDoS mitigation, such as cloud-based solutions. A lot of work has been done on redirecting traffic and services vulnerable to attack outside the organization’s own network via external cloud-based mitigators. But even this is not foolproof, and services might still be affected to some degree.

Whatever the technical solution, or solutions, an organization or company selects, it is imperative that processes for notifications, alerts and delegating responsibilities be set up in advance.

Mitigating the risk of DDoS attacks is certainly not easy. There is no “magic pill” single solution. And while it may be comforting to believe that the right combination of several techniques and solutions can minimize attacks, in the end, if bad guys want to attack your network – they will.

Given this, the best way to mitigate the risk of DDoS attacks is to take them into account in all aspects of network and capacity planning – before implementation begins. This, alongside rapid communication between all the affected stakeholders and a good overall awareness of the network topology, is key.

For service providers and enterprises who wish to learn more about the recommended guidelines on what methods exist today to determine whether you are under DDoS attack and how to mitigate those attacks, the full paper is available at: