Module 9


Firewall Categories: Hardware vs Software Firewall

- Purpose-built hardware provides efficient and flexible connectivity options
- Software-based firewalls can be installed almost anywhere

Hardware firewalls allow you to protect your entire network from the outside world with a single physical device. A software firewall is installed on an individual computer and protects that single device; if multiple computers need protection, the software must be installed on each device. Whether or not your firewall is its own standalone device or runs as an application.

Security Technologies: Access Technologies

1. Access Control List (ACL)
2. Virtual Private Network (VPN)
3. Network Access Control (NAC)
4. Data Loss Prevention (DLP)

In addition to security appliances, there are general security technologies that can provide a defense. Some of these security technologies can be found in both standard networking devices (such as switches and routers) and specialized security appliances. The categories of these security technologies are:

1. Access Technologies
2. Monitoring and Managing Technologies
3. Design Technologies

Two goals when using a honeypot.

1. Deflect - Deflect threat actors from legitimate servers by wasting their time (distracting them) on the honeypot (decoy server).
2. Discover - A honeypot can trick threat actors into revealing their attack techniques. Security experts can then determine if actual production systems could thwart an attack.

While it is worthwhile to take advantage of the security features of standard networking devices, several security appliances can be dedicated to protecting a network. These appliances include:

1. Firewalls
2. Proxy Servers
3. Deception Instruments
4. Intrusion Detection and Prevention Systems
5. Network Hardware Security Modules

These appliances must be properly configured.

IDS systems can be managed in different ways:

1. In-band management - through the network itself, using network protocols and tools.
2. Out-of-band management - using an independent and dedicated channel to reach the device.

Different types of honeypots:

1. Low-interaction Honeypot - may only contain a login prompt. This type of honeypot only records login attempts and provides information on the threat actor's IP address of origin.
2. High-interaction Honeypot - designed for capturing much more information from the threat actor. Usually configured with a default login and loaded with software, data files that appear to be authentic but are actually imitations of real data files (honeyfiles), and fake telemetry.

In regard to DLP, when it comes to data only used for testing purposes, such as determining if a new app functions properly, 1.__________ may be used. Data 1.________ involves creating a copy of the original data but obfuscating any sensitive elements such as a user's name or Social Security Number. By replacing it with fictitious information, testing can still be carried out. Similar to 1. _______, 2.___________ obfuscates sensitive data elements, such as an account number, into a random string of characters (token).

1. Masking
2. Tokenization

IDS and IPS can be applied to networks as well as hosts (endpoints). These network-based systems include the following:

1. Network Intrusion Detection Systems
2. Network Intrusion Prevention Systems

Technologies for Monitoring and Managing include:

1. Port Security
2. Packet Capture and Analysis
3. Monitoring Services
4. File Integrity Monitors
5. Quality of Service

Two common Virtual Private Networks (VPNs):

1. Remote Access VPN - a user-to-LAN connection for remote users; an implementation that allows users to gain secure access to the organization's network resources. The location to which the user is connecting has a VPN gateway, and users have software on their PCs that allows them to create secure connections.
2. Site-to-site VPN - multiple sites connect to other sites over the Internet; a type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over a tunnel with other VPN gateways. Meanwhile, clients, servers, and other hosts on a site-to-site VPN communicate with the VPN gateway.

Configuration Management: It is important that these security appliances be properly configured, especially because they give a sense of security; if misconfigured, you would have a false sense of security. Basic configuration management tools include:

1. Secure Baseline Configuration
2. Standard Naming Conventions
3. Defined Internet Protocol Schema
4. Diagrams

Firewall Categories

1. Stateful vs. Stateless
2. Open source vs. Proprietary
3. Hardware vs. Software
4. Host vs. Appliance vs. Virtual

Specialized Firewall Appliances

1. Web Application Firewall (WAF)
2. Network Address Translation Gateway
3. Next Generation Firewall (NGFW)
4. Unified Threat Management (UTM)

Firewall Categories: Host vs. Appliance vs. Virtual

A Host-Based Firewall is a software firewall that runs on and protects a single endpoint device (a host). All modern operating systems include a host-based firewall. These firewalls tend to be application-centric: users can create an opening in the firewall for each specific application. An Appliance Firewall is typically a separate hardware device designed to protect an entire network. A Virtual Firewall is one that runs in the cloud. Virtual firewalls are designed for settings, such as public cloud environments, in which deploying an appliance firewall would be difficult or even impossible.

The difference between a Router ACL and a Networking ACL

A Router Access Control List (ACL) is a set of rules that are used to filter inbound or outbound packets on a selected network interface. On the other hand, a Networking Access Control List (ACL) is made up of rules that either allow or deny access to a computer environment. Networking ACLs manage access to a network by providing instructions to switches and routers as to the kinds of traffic that are allowed to interface with the network. So, while both Router ACLs and Networking ACLs are used to control access, they operate at different levels and serve different purposes. Router ACLs operate at the level of an individual router, while Networking ACLs operate at the level of the entire network.

Passive IDS/IPS

A _______ system is connected to a port on a switch, which receives a copy of network traffic.

Security Appliances: Forward Proxy

A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users.

Security Appliances: Reverse Proxy

A computer or an application program that routes incoming requests to the correct server. To the outside user, the IP address of the reverse proxy is the final IP address for requesting services; however only the reverse proxy can access the internal servers.

Switching Loop

A condition that occurs when switches are connected in such a way that frames can be forwarded endlessly from switch to switch in an infinite loop.

Security Appliances: Hardware Security Module (HSM)

A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protecting log files, etc. Removable external cryptographic device. For endpoints, typically a USB device, an expansion card, or a device that connects directly to a computer through a port.

Specialized Firewall Appliances: Unified Threat Management (UTM)

A device that combines several security functions. These include packet filtering, antispam, antiphishing, antispyware, encryption, intrusion protection, and web filtering.

Specialized Firewall Appliances: Web Application Firewall (WAF)

A firewall specifically designed to protect a web application, such as a web server. A WAF inspects the contents of traffic to a web server and can detect malicious content, such as code used in a cross-site scripting attack, and block it. A firewall that operates at the application level, specifically designed to protect web applications by examining requests at the application stack level. An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

Stateful Packet Filtering

A firewall technology that keeps a record of the state of a connection between an internal computer and an external server and then makes decisions based on the connection as well as the rule base.

Firewall Categories: Stateless Packet Filtering

A firewall technology that looks at the incoming packet and permits or denies it based strictly on the rule base.

Specialized Firewall Appliances: Next Generation Firewall (NGFW)

A hardware- or software-based network security system that is able to detect and block sophisticated attacks by filtering network traffic dependent on the packet contents. Uses Deep Packet Inspection thus examining payloads of packets. Can also perform URL filtering and intrusion prevention services.

Always-on VPN

A method of VPN where the user can always access the connection without the need to periodically disconnect and reconnect. It often uses SSL/TLS for encrypted connections instead of PPTP or L2TP.

Behavioral Monitoring

A monitoring technique used by an intrusion detection system (IDS) that uses the normal processes and actions as the standard and compares actions against it. One advantage of this monitoring technique is that it is not necessary to update signature files or compile a baseline of statistical behavior before monitoring can take place. In addition, it can more quickly stop new attacks.

Agentless NAC

A network access control (NAC) agent that is not installed on an endpoint device but is embedded within a Microsoft Windows Active Directory domain controller.

Network Segmentation

A network arrangement in which some portions of the network have been separated from the rest of the network in order to protect some resources while granting access to other resources.

DHCP (Dynamic Host Configuration Protocol)

A network service that provides automatic assignment of IP addresses and other TCP/IP configuration information. Uses UDP port 67 on the server side and port 68 on the client side.

Honeynet

A network set up with intentional vulnerabilities. Its purpose is also to invite attacks so that the attacker's methods can be studied; that information can then be used to increase network security. Typically contains one or more honeypots.

Specialized Firewall Appliances: Network Address Translation (NAT)

A process that firewalls use to assign internal Internet protocol addresses on a network. Translates the private IP address to a public address for routing over the Internet. A technique that allows private IP addresses to be used on the public Internet.

Deception Instrument: Honeypots

A seemingly tempting, but bogus target meant to draw hacking attempts. By monitoring infiltration attempts against a honeypot, organizations may gain insight into the identity of hackers and their techniques, and they can share this with partners and law enforcement.

Security Appliances: Intrusion Prevention System (IPS)

A solution that monitors the environment and automatically takes action when it recognizes malicious attempts to gain unauthorized access. A technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity. Attempts to block the attack.

Security Appliances: Network Hardware Security Module

A special trusted network computer that performs cryptographic operations such as key management, key exchange, onboard random number generation, key storage facility, and accelerated asymmetric and symmetric encryption. Due to the risks associated with a compromised network hardware security module, these are usually built on specialized hardware running a security-focused OS and have limited external access.

Configuration Management: Defined Internet Protocol Schema

A standard guide for assigning IP addresses to devices. This makes it easier to set up and troubleshoot devices and helps to eliminate overlapping or duplicate subnets and IP address device assignments, avoid unnecessary complexity, and not waste IP address space.

Network Access Control (NAC)

A technique that examines the current state of a system or network device before it is allowed to connect to the network. Any device that does not meet a specified set of criteria, such as having the most current antivirus signature or the software firewall properly installed and enabled, is denied access to the network, given restricted access to computing resources, or connected to a "quarantine" network where the security deficiencies are corrected, after which the endpoint is connected to the normal network. The goal of NAC is to prevent computers with suboptimal security from potentially infecting other computers through the network.

Security Appliances: Network Intrusion Detection System (NIDS)

A technology that watches for attacks on the network and reports back to a central device.

Load Balancer Active-Active configuration

All load balancers are always active. Load Balancers work as a team.

Firewall Rules

Allow - Explicitly allows traffic that matches the rule to pass.
Bypass - Allows traffic to bypass the firewall. Based on IP, port, traffic direction, and protocol.
Deny - Explicitly blocks all traffic that matches the rule.
Force Allow - Forcibly allows traffic that would normally be denied by other rules. Useful for determining if essential network services are able to communicate.
Log Only - Traffic is logged but no other action is taken. Bypass rules do not generate log files, but Log Only rules do. Logging only occurs if the packet is not stopped by a Deny rule or an Allow rule that excludes it.

Virtual LANs (Virtual Local Area Networks)

Allows scattered users to be logically grouped together even though they are physically attached to different switches. This can reduce network traffic and provide a degree of security. If VLAN members on one switch need to communicate with members connected to another switch, a special "tagging" protocol must be used, either a proprietary protocol or the vendor-neutral IEEE 802.1Q. These protocols add a field to the packet that "tags" it as belonging to the VLAN.

Inline IDS/IPS

An _______ system is connected directly to the network and monitors the flow of data as it occurs.

Full Tunnel VPN

An encrypted connection used with VPNs in which all of the traffic from the user is encrypted once they connect to the VPN. All traffic goes through the encrypted tunnel while the user is connected to the VPN.

Security Appliances: Network Intrusion Prevention System (NIPS)

An intrusion prevention system that is network based. A technology that monitors network traffic to immediately react to block a malicious attack.

Packet Capture and Analysis

Analyzing packets helps to monitor network performance and reveal cybersecurity incidents.
Port TAP (test access point) - A device that transmits the send and receive data streams simultaneously on separate dedicated channels so that all data arrives at the monitoring tool in real time.
Port Mirroring/Spanning - Used on a network switch to send a copy of network packets seen on one switch port to a network monitoring connection (such as an IDS) on another switch port.
SPAN (Switch Port Analyzer) - A switch-specific tool that copies Ethernet frames passing through switch ports and sends these frames out to a specific port.

Sinkholes

Another deception technique. Essentially a "bottomless pit" designed to steer unwanted traffic away from its intended destination to another device, deceiving the threat actor into thinking the attack is successful when the sinkhole is actually providing information about the attack.

Broadcast Storm Prevention

Can be accomplished by loop prevention, which uses IEEE 802.1d standard Spanning-Tree Protocol (STP).

DNS Sinkhole

Changes a normal DNS request to a pre-configured IP address that points to a firewall with a rule of Deny set for all packets so that every packet is dropped with no return information provided to the sender.

Configuration Management: Diagrams

Creating a visual mapping of security appliances can likewise be valuable when new appliances are added or when troubleshooting is required.

Spanning Tree Protocol (STP)

Defined by the IEEE 802.1D standard, it allows a network to have redundant Layer 2 connections while logically preventing a loop, which could lead to symptoms such as broadcast storms and MAC address table corruption. Uses an algorithm that creates a hierarchical "tree" layout that spans the entire network. It determines all redundant paths that a switch has to communicate, recognizes the best path, and then blocks out all other paths. It does this by sending out Bridge Protocol Data Units.

Intranet

Description: A private network that belongs to an organization and can only be accessed by approved internal users.
Security Benefits: Closed to the outside public, thus data is less vulnerable to external threat actors.

Extranet

Description: A private network that can also be accessed by authorized external customers, vendors, and partners.
Security Benefit: Can provide enhanced security for outside users compared to a publicly accessible website.

Guest Network

Description: A separate open network that anyone can access without prior authorization.
Security Benefit: Permits access to general network resources like web surfing without using the secure network.

Thwarting attacks through port security: Unauthorized Packet Capturing

Description: Attackers connect their device to the switch's port.
Port Security Defense: Secure the switch in a locked room and close all unused ports on the switch.

Thwarting attacks through port security: MAC Address Spoofing

Description: If two devices have the same MAC address, a switch may send frames to each device. An attacker can change the MAC address on her device to match the target device's MAC address.
Port Security Defense: Configure the switch so that only one port can be assigned per MAC address.

Thwarting attacks through port security: ARP Poisoning

Description: The attacker sends a forged ARP packet to the source device, substituting the attacker's computer MAC address.
Port Security Defense: Use an ARP detection appliance.

Thwarting attacks through port security: MAC flooding

Description: An attacker can overflow the switch's address table with fake MAC addresses, forcing it to act like a hub, sending packets to all devices.
Port Security Defense: Use a switch that can close ports with too many MAC addresses.

DDoS mitigator

Device that can resist a DDoS attack or minimize its impact.
Cloud-based - Internet provider or reverse proxy service.
On-site tools - DDoS filtering in a firewall or IPS. Positioned between you and the Internet.

Firewall

In building construction, usually a brick, concrete, or masonry wall positioned vertically through all stories of the building. Its purpose is to contain a fire and prevent it from spreading. A computer _________ serves a similar purpose: it is designed to limit the spread of malware.

Security Appliances: Proxy Servers (proxies)

In general language, for example, a family member who has been granted the power of attorney for a sick relative can make decisions and take actions on behalf of that person as a proxy. In computer networking, ______ are devices that act as substitutes on behalf of the primary device.

Virtual Private Network (VPN)

Is a security technology that enables authorized users to use an unsecured public network, such as the Internet, as if it were a secure private network. It does this by encrypting all data between a remote endpoint and the network, not just specific documents or files.

Anomaly Monitoring

Is designed for statistical anomalies. First a baseline is established, and then whenever activity deviates significantly from the baseline, an alarm is raised. Since behavior can change easily and sometimes quickly, it is subject to false positives. Since establishing a baseline takes time, it can fail to detect anomalous events before the baseline is established.

Telemetry

Is the automatic collection and measurement of data such as how certain software features are used, application crashes, and general usage statistics and behavior.

Configuration Management: Secure Baseline Configurations

It is the starting point for configuring a device. The baseline configuration can be considered the bare minimum: no configuration should be less than the secure baseline configuration.

The major difference between a NIDS and a NIPS:

Its location is the major difference. A NIDS has sensors that monitor the traffic entering and leaving the firewall, and reports back to the central device for analysis. A NIPS, on the other hand, would be located inline on the firewall itself. This allows the NIPS to act more quickly to block an attack.

Signature-based Monitoring

Looks for well-known attack signature patterns. Requires access to an updated database of signatures along with a means to actively compare and match current behavior against a collection of signatures. One of its weaknesses is that the databases must be constantly updated. Also, if the signature definitions are too specific, signature-based monitoring can miss variations. A monitoring technique used by an intrusion detection system (IDS) that examines network traffic to look for well-known patterns and compares the activities against a predefined signature.

Jump box/server/host

Minimally configured administrator server (either physical or virtual) within the DMZ. Running only essential protocols and ports, it connects two dissimilar security zones while providing tightly restricted access between them. An administrator accesses the jump box, which is connected to the administrative interface of the devices within the DMZ.

Data Loss Prevention (DLP)

Monitors the data of a system while in use, in transit, or at rest to detect attempts to steal the data. Software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect. A system that can identify critical data, monitor how it is being accessed, and protect it from unauthorized users.

Policy-based Firewall

More flexible type of firewall which allows more generic statements instead of specific rules.

VPN Protocols

Most common are IPSec and SSL or the weaker TLS. Layer 2 Tunneling Protocol (L2TP) is a VPN protocol that does not offer encryption or protection, so it is usually paired with IPSec (L2TP/IPSec). The current version of HTML, HTML 5, can be used as a "clientless" VPN on an endpoint so that no additional software must be installed. Other popular VPN protocols include OpenVPN, SoftEther, WireGuard, SSTP, and IKEv2/IPSec.

Load Balancer - Active/Passive

Multiple load balancers. The primary load balancer distributes the network traffic to the most suitable server, while the secondary load balancer operates in a "listening mode".

Quality of Service (QoS)

Refers to the capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks that may use any or all of these underlying technologies.
Traffic Shaping - Manipulating certain characteristics of packets, data streams, or connections to manage the type and amount of traffic traversing a network or interface at any moment.

Zero Trust Model

Removing the design belief that the network has any trusted space. Security is managed at a protect surface, representing the most granular asset. Micro-segmentation of workloads is a tool of the model. Steps in creating a Zero Trust network architecture:
1. Identify a "protect surface".
2. Determine the entities that interact with the protect surface.
3. Put controls in place as close to the protect surface as possible.
"Never Trust; Always Verify"

Load balancing: Scheduling

Round-robin scheduling protocol: the rotation applies to all devices equally. A scheduling protocol that distributes the load based on which devices can handle the load more efficiently is known as Affinity scheduling. Affinity scheduling may be used based on which load balancers have the least number of connections at a given point in time.

Split Tunnel VPN

Routing only some traffic over the secure VPN while other traffic directly accesses the Internet. Can help preserve bandwidth and reduce the load on the VPN concentrator.

Port Security

Securing the ports on a network device like a switch or router is essential to securing a network. Threat actors who access a network device through an unprotected port can reconfigure the device to their advantage. This introduces a number of vulnerabilities, one of which is the compromise of route security, or the trust of packets sent through a router. False route information can be inserted or altered through weak port security, which would enable the insertion of individual false route updates or the installation of bogus routers into the routing infrastructure.

Access Control List (ACL)

Security Technologies: Access Technologies. A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource. Two types of ACLs:
1. Filesystem ACLs: Filter access to files and directories on an endpoint by telling the OS who can access the device and what privileges they are allowed.
2. Networking ACLs: Filter access to a network. Network ACLs are often found on routers. On external routers, router ACLs can restrict known vulnerable protocols.

Security Appliances: Intrusion Detection System (IDS)

Software and/or hardware that monitors system and network resources and activities and notifies network security personnel when it detects network traffic that attempts to circumvent the security measures of a networked computer environment. Can detect an attack as it occurs.

Firewall Categories: Open Source vs. Proprietary

Some firewalls are freely available while other firewalls are owned by an entity that has exclusive right to them.

DHCP Snooping

Switch process that monitors DHCP traffic, filtering out DHCP messages from untrusted sources. Typically used to block attacks that use a rogue DHCP server.

File Integrity Monitoring

Technique or technology under which certain files or logs are monitored to detect if they are modified. When critical files or logs are modified, alerts should be sent to appropriate security personnel. PCI DSS has no less than 4 requirements related to integrity monitors.

IEEE 802.1Q

The IEEE-standard VLAN trunking protocol. 802.1Q includes the concept of a native VLAN, for which no VLAN header is added, and a 4-byte VLAN header is inserted after the original frame's Type/Length field.

Demilitarized Zone (DMZ)

The _____ functions as a separate network that rests outside the secure network perimeter: untrusted outside users can access the DMZ but cannot enter the secure network.

Content/URL Filtering Firewall

The firewall can monitor websites accessed through HTTP to create custom filtering profiles. The filtering can be performed by assessing webpages by their content category and then creating whitelists and blacklists of specific URLs.

Split Tunnel VPN vs Full Tunnel VPN

The main difference between a full tunnel VPN and a split tunnel VPN is the level of security and user control. A full tunnel VPN encrypts all your traffic, providing a more secure browsing experience, while split tunneling only encrypts some traffic, giving users more control but posing potential security risks. Full tunnel is the better option if you handle confidential data or are connecting from a network you do not trust, while split tunnel may be necessary if you need to access both local resources and remote resources at the same time.

Load Balancing

The process of distributing data transfer activity evenly so that no single device is overwhelmed. It can be performed either through software running on a computer or as a dedicated hardware device known as a load balancer.

Monitoring Services

These services can provide additional resources to assist an organization in its cybersecurity defenses, such as processing cybersecurity data on managed SIEM platforms and continuously updating and applying rules to detect attacks.

Network Deception

Threat actors can be tricked into thinking what they are attacking is valuable when it is not, or that their attack is successful when it is not. Creating network deception can involve creating and using honeypots and sinkholes.

True or False Acting as the intermediary, a proxy server can provide a degree of protection. First, it can look for malware by intercepting it before it reaches the internal endpoint. Second, a proxy server can hide the IP address of endpoints inside the secure network so that only the proxy server's IP address is used on the open Internet.

True

True or False Often a device that performs services beyond that of a NGFW is called a UTM.

True

True or False While a stateless packet filter firewall might allow a packet to pass through because it met all the necessary criteria (rules), a stateful packet filter would not let the packet pass if that internal endpoint did not first request the information from the external server.

True

True or False Almost three-fourths of employees admit to sending data to the wrong recipient once per month.

True. Surprisingly, research has shown that security awareness training has not had an impact on employee mishandling of sensitive data. The percentage of employees who admit to sending misdirected emails is the highest in organizations that provide security training most frequently. These same employees are almost twice as likely to send company data to their personal email accounts.

Rule-based Firewalls

Use a set of individual instructions to control actions; each rule is a separate instruction processed in sequence telling the firewall what action to take; rules are stored together in one or more text file(s) that are read when the firewall starts; rule-based systems are static in nature, cannot do anything other than what they have been configured to do.

Heuristic Monitoring (Dynamic Analysis)

Uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches. Does not try to compare actions against previously determined standards (like anomaly-based monitoring and signature-based monitoring) or behavior (like behavior-based monitoring). Instead, it is founded on experience-based techniques. It attempts to answer the question, "Will this do something harmful if it is allowed to execute?" From the Greek word for discover or find. Instead of using a virtual environment in which to test a threat, IDS ____________ monitoring uses an algorithm to determine if a threat exists. It can trap an application that attempts to scan ports that the other methods might not catch.

Configuration Management: Standard Naming Conventions

Using the same conventions for assigning names to appliances. Example: limited to 15 characters, only letters and numbers. Minimum structure: the first three characters are the appropriate identifier; the next six are the device's inventory control tag number; the remaining six may be used at the discretion of the department, or not at all.

The servers behind load balancers are often given a ______________ address. As its name suggests, this is not an actual IP address. Instead, it is an IP address and a specific port number that can be used to reference physical servers.

Virtual IP (VIP)

Broadcast Storm

When there is an accumulation of broadcast and multicast packet traffic on the LAN coming from one or more network interfaces. Can cripple a network.

What kind of firewall is Windows Defender?

Windows Defender is a host-based firewall.

Mitigating DDoS attacks

• May be able to filter out traffic patterns
• Stop the traffic at your firewall
• Internet service provider may have anti-DDoS systems
• These can help "turn down" the DDoS volume
• Third-party technologies (CloudFlare, etc.)

DNS sinkholes are commonly used to counteract DDoS attacks by redirecting traffic away from the attacker's Command and Control (C&C) server.
