A very common cyber-security question is whether DNSSEC will stop a distributed denial of service (DDoS) attack. It will not. DNSSEC signs the records in a zone so that resolvers can detect tampered answers; it does nothing to limit the volume of traffic an attacker can direct at you, and since signed responses are larger than unsigned ones, a DNSSEC-signed zone can actually make a slightly better amplifier for reflection attacks. There are providers who offer DDoS detection and mitigation (traffic scrubbing) services. These are premium priced but represent good value for some.
For the many, however, the key to managing the risk is detecting the DDoS attack as early as possible and triggering packet filters to drop the offending traffic. We did this with Snort, an open source intrusion detection system, configured to work with our pfSense firewall: Snort detected the bad packets and the firewall was dynamically reconfigured to drop further packets from their source addresses. Note that filtering at your own firewall only helps while the attack stays below the capacity of your upstream link; packets you drop at the edge have already consumed your bandwidth, so a volumetric attack that fills the link has to be filtered upstream.
Snort is open source software, and the pfSense Community Edition firewall installed on a virtual machine worked for us. pfSense Plus on a Netgate appliance should be equally effective. The research we used is at the project link below:
Project – Managing a DDoS attack using Snort and pfSense
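To make the detect-then-block loop concrete, here is an added example (not the project's code and not the pfSense Snort package itself) that parses Snort's "fast" alert format, counts alerts per source address within a time window, and emits the pfctl command that inserts the offender into a pf table. The table name snort2c is the one the pfSense Snort package uses for blocked hosts; the Snort rule in the comment, the sid 1000001, the thresholds, the pass list and the alert lines are all constructed for this illustration.

```python
"""Turn Snort alerts into pf table entries, the way a Snort-driven firewall
block works. Added example; all sample alert lines below are constructed."""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical local Snort rule assumed to produce the alerts below. The
# detection_filter keeps Snort quiet until one source sends 200 SYNs to
# port 443 within 10 s, so a single alert already means "flooding":
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SYN flood from single source";
#     flags:S; detection_filter: track by_src, count 200, seconds 10;
#     classtype:attempted-dos; sid:1000001; rev:1;)

PF_TABLE = "snort2c"  # pf table the pfSense Snort package blocks from

# Snort "alert_fast" / fast.log line layout:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Parse one fast-format alert line; return a dict or None if malformed."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),  # year is absent
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


class Blocker:
    """Block a source after `hits` alerts for a watched sid inside `window` s.

    The pass list exists because attackers can spoof source addresses: without
    it a flood of forged packets could trick you into blocking your own
    gateway, DNS resolvers or monitoring hosts.
    """

    def __init__(self, sids, hits=3, window=60, passlist=()):
        self.sids = set(sids)
        self.hits = hits
        self.window = timedelta(seconds=window)
        self.passlist = set(passlist)
        self.recent = defaultdict(deque)  # src -> timestamps of matching alerts
        self.blocked = set()

    def feed(self, line):
        """Return the pfctl command to run for this alert, or None."""
        a = parse_alert(line)
        if a is None or a["sid"] not in self.sids:
            return None
        src = a["src"]
        if src in self.passlist or src in self.blocked:
            return None
        q = self.recent[src]
        q.append(a["ts"])
        while q and a["ts"] - q[0] > self.window:  # drop alerts outside window
            q.popleft()
        if len(q) < self.hits:
            return None
        self.blocked.add(src)
        return ["pfctl", "-t", PF_TABLE, "-T", "add", src]


def block_commands(lines, blocker):
    """Feed alert lines through the blocker; return the pfctl commands to run."""
    return [cmd for cmd in (blocker.feed(line) for line in lines) if cmd]


def run_commands(cmds):
    """Execute the commands; only meaningful as root on the firewall itself."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)


# Constructed sample alerts: 203.0.113.5 floods repeatedly, 198.51.100.7 trips
# the rule once, 192.0.2.1 is our own gateway, and sid 1000002 is unrelated.
ALERT = "[**] [1:1000001:1] SYN flood from single source [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP}"
SAMPLE_ALERTS = [
    f"01/15-10:23:45.123456  {ALERT} 203.0.113.5:51234 -> 192.0.2.10:443",
    f"01/15-10:23:46.001000  {ALERT} 198.51.100.7:40000 -> 192.0.2.10:443",
    f"01/15-10:23:47.500000  {ALERT} 203.0.113.5:51235 -> 192.0.2.10:443",
    f"01/15-10:23:48.000000  {ALERT} 192.0.2.1:2000 -> 192.0.2.10:443",
    f"01/15-10:23:49.250000  {ALERT} 203.0.113.5:51236 -> 192.0.2.10:443",
    f"01/15-10:23:50.000000  {ALERT} 203.0.113.5:51237 -> 192.0.2.10:443",
    "01/15-10:25:00.000000  [**] [1:1000002:1] Unrelated local rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.9:53 -> 192.0.2.20:55000",
]

if __name__ == "__main__":
    blocker = Blocker(sids={1000001}, hits=3, window=60, passlist={"192.0.2.1"})
    for cmd in block_commands(SAMPLE_ALERTS, blocker):
        print(" ".join(cmd))  # print instead of run_commands() outside the firewall
```

Blocking forever is not what you want either: a spoofed or dynamic address will eventually belong to someone legitimate, so age the entries out, for example with a periodic `pfctl -t snort2c -T expire 3600`, which removes entries older than an hour, and keep the pf rule that references the table (`block quick from <snort2c>`) ahead of your pass rules so the drop happens before any state is created.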
This is not a commercial offering or a recommendation. It is simply the sharing of a solution which we believe mitigated a number of DDoS attacks in the context of our system configuration at that time.