UK’s National Cyber Security Centre Issues Denial of Service (DoS) Guidance

The UK’s National Cyber Security Centre recently issued Guidance to help organizations understand and mitigate denial of service (DoS) attacks. The guidance is intended to apply to both DDoS and DoS attacks, noting that “An attack becomes a 'distributed denial of service', referred to as 'DDoS', when it comes from multiple computers (or vectors) instead of just one. This is the most common form of DoS attack on websites.” Overall, it is a well-written primer on the nature of DoS attacks; there is plenty of good, basic information in it. However, the guidance is lacking in that it recommends only Content Delivery Network (CDN) and service provider protection, and it focuses on out-scaling the attacks rather than blocking them.

CDNs Are Not Sufficient

Even if you are following the NCSC guidance, a CDN-based service alone may not be enough to protect completely against modern DDoS attacks. Some CDNs include a certain level of DDoS protection, but not all. Yes, a CDN can be helpful for protecting served content and websites from larger attacks, but its speed of reaction, and its effectiveness against smaller attacks, are not guaranteed. A CDN is also not at all effective in stopping direct attacks on those of an organization’s public IP addresses that aren’t using the CDN. You also need to be sure that, if a CDN does offer DDoS protection capabilities, they are actually included in your service contract.

Service Provider Protection Works Only If…

Internet and Hosting Service Providers don’t always guarantee DoS or DDoS protection. Many providers are not even protecting their own networks, let alone their customers, from DDoS threats. However, increasingly, service providers are now choosing to fortify their networks with scalable and surgical DDoS protection at their transit network edge, and passing along that protection to their customers, either included in their standard fees, or as a value-added service, for an affordable additional fee.

Out-Scaling the Attacks Is Less Effective, More Expensive

The guidance document does note, however, that scaling has some disadvantages, including that it can be expensive. We would add that over-provisioning can have little impact on protecting against the largest DDoS attacks, and no effect at all on stopping the smaller, sub-saturating attacks. Furthermore, the UK guidance does also advise readers to “Understand the level of capacity that your service provider has. Even though cloud services can appear to have infinite capacity, they don't. Additionally, you may be limited as to how many instances you are allowed to start on the cloud platform. This can often be increased, but requires submitting manual requests.”

The ideal DDoS protection solution is automated and can detect and mitigate DDoS attacks of all types and sizes, 24×7, within seconds – not minutes or hours – to ensure you don’t suffer any ill effects. Corero’s SmartWall, for example, can immediately detect DDoS packet flows, as soon as the first malicious packets start traversing the network, automatically formulating mitigation filtering rules to drop packets locally, or reconfiguring remote routers with these rules, on the fly, without any intervention from security analysts or network operators.

For over a decade, Corero has been a leader in real-time, high-performance, automated DDoS defense solutions for enterprise, hosting and service provider customers around the world. Our award-winning SmartWall DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments, with comprehensive visibility, analytics and reporting. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.