Five ways to defend against a DDoS attack

3. Hide behind giants

The development of cloud computing platforms has introduced a variety of new options to provide resilience against a DDoS attack.

Some companies have migrated part of their infrastructure to distributed computing platforms such as content delivery networks Limelight or Akamai.

"Those are cheaper than buying more bandwidth, but it's [still] not cheap," said Nazario.

For those without deep pockets - such as small business and even government agencies - one strategy to beat DDoS has been to rely on the larger infrastructure sets of social network giants such as Google or Facebook.

These sites enable an organisation to continue to communicate with the world, at the cost of functionality and control.

"We have seen people do it on the cheap for themselves - such as a Georgian blogger that was moving stuff into Facebook and Google... basically piggy-backing on those providers' massive infrastructure to absorb the hit," said Nazario.

Desperate times called for a commensurate response by the Georgian Government, which turned to Google's Blogger service to maintain outbound communications with Western nations while under a Russian cyber attack during their 2008 war.

But even the infrastructure of Google or Facebook - whilst larger and more sophisticated - isn't immune to attack.

"It hasthe potential for collateral damage because now people are attacking large infrastructure and if there is a significant attack it will disrupt a lot of people around the world," warns Nazario.

4. The reverse proxy

Australian web host Bulletproof Networks recently deployed a similar albeit more sophisticated cloud-based response by hiving off attack traffic to Amazon's EC2 cloud.

Responding to a sustained DDoS attack aimed at broadband forum Whirlpool, Bulletproof had attempted to mitigate the attack by blocking individual IP addresses.

The web host had asked its upstream providers Internode and Pacific Internet to block incoming HTTP traffic from several IP addresses in the United States and Denmark, but within minutes the attack source shifted.

Nazario argues that the process of identifying individual sources is too labour-intensive.

"You need a highly trained human being to go over logs and packet traces to identify those malicious clients. It can take an hour or two or 24 hours, depending," he said.

Within a few days, Bulletproof found a better solution. It deployed a "reverse proxy" server in Amazon's EC2 cloud which it used to bear the load of malicious HTTP traffic.

Amazon's EC2 served up cached elements of Whirlpool, while legitimate traffic was served non-cached pages from Bulletproof's Australian-hosted web servers.

5. Choose your neighbours carefully

Given the recent attack on AFACT, businesses might wonder whether it is possible to avoid fallout by refusing to share hosting infrastructure with a likely target.

That is assuming, of course, that a host would even tell you what other organisations share the same platform.

Bloch said it would not make sense from the host's perspective.

"It is impossible for a sales person or automatic web sign-up tool to do a risk assessment on every customer request," he said.

"Your question could just as well be: Are you in a shared box with someone with a successful marketing campaign?

"Every now and then somebody sets up a mini-site on a $10 a month hosting account, spends a million on television advertising and expects to cope with the demand on a shared service hosted on a single box."

Conclusion: Weighing up the cost

IBRS analyst James Turner said that often the right questions are not asked in advance because the risk of a DDoS attack appears low while the cost of mitigation is high.

"For some organisations, it just won't be worth the cost of mitigating," he said. "But for others, it would be a crippling incident.

"This is classic risk analysis. If you are offline for an hour, how much money are you not making, or losing?"

As revealed in a recent iTnews poll [see right] - four in five readers feel there is no excuse for data breaches during a DDoS attack. This assumes that organisations have adequate defences in place.

In percentage terms, it remains highly unlikely that a legitimate business will be attacked, with the bulk of attacks launched against home users and small sites after disputes in online games or forums.

But should an organisation find itself a target, "proportionally it's much more expensive to defend against a botnet attack than it is to execute one," Turner said. "It's inexpensive to set up a botnet, and an attacker can wreak a lot of damage.

"For organisations that are at risk of a botnet attack - potentially any online service from government to e-commerce - they need to understand the impact on their organisation of their customers losing access to their website."

Brett Winterford contributed to this story.