Traffic differentiation is an important part of what anti-DDoS firms can offer. To determine whether incoming traffic is malicious, enterprises must differentiate between solicited and unsolicited traffic, IP addresses that are and are not part of the user base, and baseline and anomalous traffic behaviors, according to Larson.
Enterprises must then harden the network edge against such attacks. Because attacks of different sizes vary in nature and purpose (smaller attacks may simply cover the tracks of an APT, for example), the enterprise should mitigate attacks of all sizes, types, and complexities.
"Our recommendation is to use hybrid cloud and on-premise DDoS mitigation strategies," said Larson. On premise, use layered security measures, including a network edge appliance targeted at DDoS protection that can inspect packets in real time.
The secondary element of protection is a tightly-coupled signal between the on-premise edge appliance and the cloud DDoS protection provider, said Larson. "In cases where an attack is larger than your available bandwidth and will stop all your traffic, you need to reroute traffic through the cloud-based scrubbing element in real-time."
Investigate your options
Where on-premise DDoS tools or NSP resources are not enough to combat the massive new DDoS attacks, a number of DDoS protection firms specialize in this area, each with its own approach. Examine and compare them all before making a selection.