Chapter 5. Maintaining Availability: A DNS-Based Approach

As previously noted, availability must be the highest priority in building a web application security strategy. To do business, your applications must be available to both your staff and your customers. Securing your Domain Name System (DNS) infrastructure is the critical first step, because every request to an application or cloud service begins with a DNS lookup: if the name does not resolve, nothing behind it is reachable, however healthy it is. A thorough analysis of your DNS infrastructure and its ability to deliver on availability requirements should include building DDoS defenses, implementing a plan for active failover, and coordinating availability plans with your DNS provider to assure performance and responsiveness. From there, you build up step by step to the application layer to provide both data availability and protection.

The reality is that most organizations don't think about DNS availability until after an incident occurs. Often, organizations simply leave DNS management in the hands of their domain registrar without inquiring about the availability and reliability of the registrar's DNS infrastructure. Yet DNS breaches and outages, as well as slow DNS performance, can lead to customer dissatisfaction, a tarnished brand image, and revenue loss. As applications and resources become more distributed, addressing DNS at the edge becomes more important to ensuring a high-quality, consistent experience.

DDoS Mitigation

DDoS attacks pose the largest and most likely cyberthreat to availability. Accordingly, mitigating the threat of DDoS attack should be your first priority in maintaining web application availability against security threats. These attacks can leave your websites and applications vulnerable to downtime, reduced performance, and downward-spiraling availability. As noted in Chapter 2, the size and strength of these attacks have been growing exponentially. Few organizations, if any, can realistically maintain availability against them using in-house resources alone.

Regardless of where your websites are hosted, once an attacker locates the IP address of your origin servers, your organization is vulnerable to being taken offline. With web applications specifically, however, an attacker might not even need to locate the IP address of your server to wreak havoc. Instead, the attacker can aim the attack at the targeted web application itself, making it unavailable and disrupting a critical service at an inopportune time. This happens often during major events. For example, a number of DDoS attacks were directed at various parts of the Olympics website during the 2018 Winter Olympics. The attacks targeted specific parts of the website rather than the whole site and were designed to maximize their impact.

Attackers can dramatically lower the availability of your website by launching DDoS attacks designed to overwhelm your servers. Whatever the intent of the attack—hacktivism, a disgruntled employee, extortion, or a competitive attack—your customers and your business suffer. DDoS attacks can swiftly and effectively cripple your business model, taking services and sites down for extended periods of time.

Active Failover

Having an active failover plan in place is critical to meeting your top-priority availability requirements. A single point of failure in DNS puts your availability at risk regardless of the cause of the failure, whether an attack, a misconfiguration, or a hardware or provider outage, and a single authoritative server is therefore never sufficient. If your authoritative DNS server fails, an active failover solution is required to support availability. With failover in place, queries are answered by backup servers while your team works to address the source of the initial failure, so your customers and business partners see uninterrupted service.

In the case of DNS, operators have an even more advanced option for failover: anycast. Anycast is not a protocol but a routing technique: the same IP address is announced (via BGP) from many locations, and the network delivers each query to the topologically closest announcing node. When a node becomes unhealthy, its announcement is withdrawn and traffic shifts automatically to the remaining nodes, which also spreads the load of a DDoS attack across many sites rather than concentrating it on one. Although anycast is not specific to DNS, it has been adopted by most large DNS providers and by organizations with complex DNS infrastructure.
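The failover behaviour described above can be exercised on the resolver side as well: a client that knows all authoritative servers for a zone should move to the next one when a server times out, returns SERVFAIL, or returns a malformed reply. The following is an added example, not code from the book or from any DNS provider. It builds and parses DNS messages in the RFC 1035 wire format (A records only, with name compression) and tries a list of servers in order. The server addresses, the `simulated_send` transport and its behaviour (primary silent, secondary failing, tertiary healthy) are all constructed for the demonstration; `udp_send` is the real transport you would pass in when running against live nameservers.

```python
import random
import socket
import struct

QTYPE_A = 1
RCODE_SERVFAIL = 2


def build_query(qname, qtype=QTYPE_A, qid=None):
    """Encode a single-question DNS query (RD=1) in RFC 1035 wire format."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg, expected_id):
    """Return (rcode, [(name, type, ttl, value), ...]); raise on a bad reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


def udp_send(server, payload, timeout):
    """Real transport: one UDP exchange with the given nameserver on port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        return s.recv(4096)


def resolve_with_failover(qname, servers, qtype=QTYPE_A, timeout=2.0, send=udp_send):
    """Query each authoritative server in turn; fail over on timeout, garbage or SERVFAIL."""
    errors = []
    for server in servers:
        qid = random.randrange(65536)
        try:
            rcode, answers = parse_response(send(server, build_query(qname, qtype, qid), timeout), qid)
        except (OSError, ValueError, IndexError, struct.error) as exc:
            errors.append((server, repr(exc)))
            continue
        if rcode == RCODE_SERVFAIL:
            errors.append((server, "SERVFAIL"))
            continue
        return server, rcode, answers
    raise RuntimeError(f"all authoritative servers failed: {errors}")


# --- constructed stand-in for a fleet of nameservers (not real hosts) -------
def build_a_response(query, ip, ttl, rcode=0):
    """Answer `query` with one A record (pointer 0xC00C = name at offset 12)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    rr = b"" if rcode else struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + rr


def simulated_send(server, payload, timeout):
    """Assumed scenario: primary is down, secondary returns SERVFAIL, tertiary is healthy."""
    if server == "198.51.100.1":
        raise socket.timeout("no reply from primary")
    if server == "198.51.100.2":
        return build_a_response(payload, "0.0.0.0", 0, rcode=RCODE_SERVFAIL)
    return build_a_response(payload, "203.0.113.10", 300)


if __name__ == "__main__":
    print(resolve_with_failover("www.example.com",
                                ["198.51.100.1", "198.51.100.2", "198.51.100.3"],
                                send=simulated_send))
```

Swap `simulated_send` for `udp_send` (or drop the argument) to run the same loop against your zone's real NS addresses; a result that only ever comes from the last server in the list is the symptom this chapter warns about.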

Performance and Responsiveness Assurance

Many of the other threats outlined in previous chapters can affect the performance and response times of your web applications at the DNS level, whether your DNS is managed in-house, by your ISP, or by another provider. Reduced performance equates to reduced customer interaction and, ultimately, reduced revenue. Even though availability is the biggest priority, performance and responsiveness cannot be ignored.

In this realm, too, DNS infrastructure providers can offer your business benefits. If you are partnered with a full-service DNS infrastructure provider with resources in the cloud, you can move your DNS servers into your partner's cloud as needed to take advantage of its managed, redundant, available, and responsive DNS infrastructure. In this way, you can diminish the negative impact of security-related outages or disruptions to your own DNS servers. Because DNS changes propagate only as cached records expire (resolvers keep each record until its TTL runs out, and the parent zone's NS records have TTLs of their own), any move of your DNS servers must be carefully planned, including lowering TTLs well in advance and keeping the old servers answering until the change has fully propagated, to assure a smooth transition.
