In today’s always-on, Internet first, world businesses depend upon network reliability and security, so when it comes to choosing your Internet Service Provider (ISP), it pays to ask the right questions. Given the increase in distributed denial of service (DDoS) attacks, one can no longer assume that that your Internet service will provide the reliable, always-on DDoS protection that is needed to defend against sophisticated, multi-vector attacks.
First, let’s discuss reliability. Depending on your business any downtime, even seconds, let alone minutes, can be detrimental to your bottom line and your reputation. Second, let’s clarify the matter of “clean pipe”. Lately, “clean pipe” has become increasingly important, because DDoS attacks are becoming smaller and harder to detect, often escaping detection from traditional DDoS mitigation solutions. Even though such attacks may not cripple your network, they can still take down vital business and customer-facing services that can have far-reaching and long-lasting impacts on your organization.
Therefore, before you lock your business into any ISP contract, you’d be smart to ask the following questions:
1. Can you help protect my enterprise data?
The short answer is no; ISPs are not responsible for preventing or mitigating enterprise data breaches. And, Net-neutrality laws, mean that Internet carriers are actually obliged to treat all packets the same, directing traffic from one destination to another, without passing judgment on the content. However, as discussed above, real-time DDoS protection has now become a critical element of network security. As ISPs already observe traffic flowing into their network, for reasons of capacity planning and load-balancing, this puts them in the perfect position to block the junk traffic from DDoS attacks.
2. How do you effectively block DDoS traffic?
DDoS mitigation hardware and software has evolved in recent years, but not all solutions are equal. Legacy solutions tend to rely heavily on human intervention to deal with an attack in progress and typically require diverting traffic to an out-of-band scrubbing service. Traditional solutions can be costly and result in significant down-time. Ask your ISP if they have a dedicated, always-on, real-time, automated DDoS mitigation solution protecting their peering and transit points that will block all DDoS traffic from entering their network.
3. What happens when other customers are hit by a DDoS attack?
When cybercriminals launch a DDoS attack against one ISP customer, it can have damaging effects for other downstream customers, that were not directly targeted. That is, if an ISP does not have adequate DDoS protection, a large-scale attack against one customer will almost certainly affect others who co-reside or are reliant on the same infrastructure that is transporting the attack. Therefore, it’s critical for ISPs to accurately detect and block all DDoS attack traffic with an always-on, automatic, real-time solution.
4. Can you provide visibility and analysis of DDoS attacks targeting my business?
DDoS event reporting and analytics are available that can provide ISPs with complete visibility across their networks, to quantify and analyze DDoS attacks; some ISPs can also offer traffic capture as a service to their clients. Ask about the availability of a tenant portal which enables you to quantify, analyze and report on DDoS attacks you have been targeted by.
5. Do you offer DDoS protection as a service?
To stay competitive, ISPs are increasingly offering DDoS protection as a service. Some include it as a standard part of their offering, others charge additional fees for such protection. It can certainly be more cost-effective to get DDoS protection from your ISP, than doing it in-house, as they are able to distribute the purchase and operating costs across their customer base.
