The number of organizations sustaining Distributed Denial of Service (DDoS) attacks has increased dramatically over the last two years in part due to hacktivist activities. In addition, the average size of DDoS attacks has increased dramatically through the use of ever larger botnets and new application level attack techniques. On premise DDoS protection solutions may protect the web servers, but they do not protect the communications pipes. Therefore enterprises relying on on-premise solutions must evaluate complementary cloud-based solutions. And those enterprises who already have a cloud-based solution ought to consider a second, back-up cloud solution if their primary vendor’s total bandwidth is limited or it cannot protect against modern application level attacks.
The organizations that have contracted with a cloud-based DDoS protection service have selected one of two major DDoS protection vendors. These vendors were the only companies with the scale and expertise to protect very large organizations from the massive attacks being mounted by political hackivists backed by foreign governments.
The dependence of so many organizations on just two players created a new worry for organizations: Concentration Risk.
Both vendors were able to demonstrate that they could handle simultaneous large attacks on two or three of their customers, but the organizations, their auditors, and their regulators began to worry about the possibility of 10 simultaneous attacks on the customers of one of these vendors. Would the vendor’s network go down and take their customers with them?
With Financial Institutions in the lead, these major organizations have begun looking for a second vendor with the scale and expertise to stand behind their primary vendor and step in should the primary be unable to protect them for any reason. This backup vendor has to have the capacity to handle the load in a situation which may have overwhelmed the primary but also has to charge a fraction of the primary’s monthly fee since it would rarely be called up to step-in.
For a next-generation DDoS protection service to succeed it must provide the following:
- Cloud-based – What good is protecting the web servers with on-premise equipment if the communication pipes are chocked? A cloud-based service is in a position to do both. The service can also be delivered more cost effectively because not all customers will be attacked at once. However, customers must be careful that the vendor does not over subscribe on the customer side or under invest in infrastructure to sustain ever-increasing sized attacks. See the next item.
- 10x Bandwidth per customer – In order to protect against the increased size of modern DDoS attacks and to mitigate concentration risk significantly more bandwidth (10x) must be allocated to each customer.
- Traffic routing flexibility not based on DNS change – Changing the DNS setting is an all or nothing approach. A next generation solution must provide flexibility in choosing how much traffic is re-routed during an attack.
- Look at incoming traffic only – Traditional DDoS mitigation services monitor both incoming and outgoing traffic. Since the DDoS attack is by definition incoming, why add latency for normal outgoing traffic? A next generation DDoS mitigation service therefore should only need to monitor incoming traffic.
- Support multi-layer attacks – Most traditional DDoS mitigation solutions have difficulty with attacks that use multiple concurrent methods. A next generation service must break a multi-layered attack into separate categories and handle each one appropriately.
- Minimize false positives – The difference between good and bad packets can be very small. Therefore DDoS mitigation solutions are subject to false positives. This means that good traffic is erroneously blocked. New algorithms have been developed to better differentiate good packets that are near bad packets, thus minimizing false positives.
- User Interface – The service’s user interface must provide high-level and detailed information both during and after a DDoS attack. In addition to attack size, the UI must show where the attack is coming from, what types of traffic the attack used, and how the attack was mitigated.
If you have a question or a comment, or would like more information, please let us know by completing the Contact Us box on the upper right side of this page.