
Avoiding the Risk of DDoS False Positives

Teams working in a network operations center (NOC) or security operations center (SOC) juggle many tasks, making it a significant challenge to constantly monitor for Distributed Denial of Service (DDoS) attack traffic. Commonly, security teams may resort to manually blocking some specific IP addresses, or rate-limiting traffic after it reaches a certain threshold, when the volume of traffic looks suspicious. While doing so, they must be wary of “false positives,” in which legitimate network traffic is mistakenly blocked as if it were bad (DDoS) traffic.

Null Routing Takes Victims Offline

When “bad” traffic is detected, some service providers choose to block those packets by injecting a null route for the IP address of the DDoS victim into their routing infrastructure, a practice commonly referred to as blackholing. The problem with this approach is that it blocks not only the bad DDoS traffic but also all the good traffic to that destination, so it actually completes the DDoS attack against the victim, making their website, applications, or services unavailable to customers. It’s just not an effective or acceptable method of defense; basically, it functions as a giant false positive that persists for as long as the null route is in place. A common alternative is to divert the suspect traffic through a DDoS scrubbing center. However, this process increases time to mitigation and consumes valuable staff resources.

False Positives Affect Service Level Agreements

Because Internet Service Providers and Hosting Providers are the gatekeepers of Internet connectivity for many organizations, false positives can dramatically disrupt the online experience for their many end-users. The better their DDoS protection, the less they have to worry about penalties for not meeting their service level agreements (SLAs). When a customer complains to their service provider that the amount of service downtime exceeds the SLA for service availability, the service provider loses money and its brand name suffers.

How to Avoid False Positives

Problems caused by false positives are exceedingly common in organizations that use DDoS mitigation systems or services. Simpler solutions that rely heavily on basic traffic thresholds all too frequently block legitimate incoming packets along with the DDoS traffic. The most sophisticated DDoS mitigation systems avoid this by automatically inspecting every inbound packet’s header and payload data, enabling them to surgically remove the DDoS packets without disrupting the delivery of legitimate network traffic. It is crucial to have granular visibility before, during and after an attack, so analysts know when and how an attack is happening and can follow the mitigation process.
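As an added illustration, not Corero’s code nor a description of any product’s internals, the following Python simulation scores the three approaches discussed above (a null route, a flat per-destination packet threshold, and per-packet header/payload inspection) on a constructed packet mix. The addresses, the flood signature and the threshold value of 150 packets are assumptions chosen for the demonstration.

```python
"""Compare false-positive rates of three DDoS mitigation strategies on a
constructed packet mix: destination blackholing (null route), a flat
per-destination packet threshold, and per-packet header/payload inspection."""
from collections import namedtuple

# t = constructed arrival time (ms); legit = ground truth, used only for scoring
Packet = namedtuple("Packet", "t src dst proto length payload legit")
VICTIM = "203.0.113.10"  # constructed address from the TEST-NET-3 range

def build_traffic():
    """100 legitimate HTTP packets spread over one second, plus a 400-packet
    UDP flood from 200 spoofed-looking sources between t=300 and t=699 ms."""
    good = [Packet(t, f"198.51.100.{1 + i % 30}", VICTIM, "TCP", 600,
                   b"GET / HTTP/1.1", True) for i, t in enumerate(range(0, 1000, 10))]
    bad = [Packet(t, f"192.0.2.{i % 200}", VICTIM, "UDP", 1024, bytes(1024), False)
           for i, t in enumerate(range(300, 700))]
    return sorted(good + bad, key=lambda p: p.t)

def null_route(pkts):
    """Blackhole: every packet to the victim is dropped, good or bad."""
    return [p for p in pkts if p.dst != VICTIM]

def rate_threshold(pkts, limit):
    """Per-destination threshold: once `limit` packets have reached a
    destination, drop everything else to it regardless of content."""
    seen, kept = {}, []
    for p in pkts:
        seen[p.dst] = seen.get(p.dst, 0) + 1
        if seen[p.dst] <= limit:
            kept.append(p)
    return kept

def inspect(pkts):
    """Per-packet inspection: drop only packets matching the flood signature
    (constructed here as UDP, 1024-byte length, all-zero payload)."""
    def flood(p):
        return p.proto == "UDP" and p.length == 1024 and not any(p.payload)
    return [p for p in pkts if not flood(p)]

def score(pkts, kept):
    """Return (false_positive_rate, share_of_attack_traffic_blocked)."""
    legit = sum(p.legit for p in pkts)
    legit_kept = sum(p.legit for p in kept)
    bad, bad_kept = len(pkts) - legit, len(kept) - legit_kept
    return (legit - legit_kept) / legit, (bad - bad_kept) / bad

def compare(limit=150):
    traffic = build_traffic()
    return {"null_route": score(traffic, null_route(traffic)),
            "threshold": score(traffic, rate_threshold(traffic, limit)),
            "inspection": score(traffic, inspect(traffic))}
```

On this mix the null route blocks 100% of legitimate traffic, the threshold blocks 59% of it while still letting roughly a quarter of the flood through, and inspection blocks only the flood.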

Unfortunately, the short duration of modern DDoS attacks means the presence of false positives is often not confirmed until forensic analysis is completed, post incident. Hindsight is 20/20. The best approach is to choose a solution that avoids generating them in the first place.

Corero Network Security is a global leader in real-time, high-performance, automatic DDoS defense solutions. Corero’s industry leading SmartWall and SecureWatch technology protects on-premise, cloud, virtual and hybrid environments with a scalable solution that delivers a more cost-effective economic model than ever before. For more on Corero’s flexible deployment models, click here. If you’d like to learn more, please contact us.