Understanding Link Saturation Due to DDoS Attacks


In corporate networks, links are often classified as “saturated” when traffic occupies more than 95% of the available bandwidth/capacity.  When this saturation is caused by a Distributed Denial of Service (DDoS) attack; that’s a “full pipe” scenario. For Internet Service Providers and Hosting Providers, that situation not only congests their own network, but usually impacts their downstream customers as well. How often do such network saturation events occur? The good news is, not too often, relatively speaking. The bad news is, organizations still have plenty of reasons to worry about DDoS attacks, whether they are large and cause saturation or, more commonly, relatively small in volume, but often just as damaging.

Corero’s 2019 DDoS Trends research report is based on the analysis of hundreds of thousands of attacks during 2019; it shows that less than 0.6% of the attacks resulted in one or more network links being saturated. Another way of putting this: 99.4% of attacks did not reach the 95% link saturation level. Furthermore, of those 0.6% of attacks that did cause a link to reach saturation, the vast majority (>95%) of those attacks lasted less than 10 minutes.

Given that less than 1% of DDoS attacks resulted in link saturation, and the vast majority of those saturation attacks lasted less than 10 minutes, one may be forgiven for thinking that DDoS attacks aren’t a big problem. However, it takes only one significant DDoS induced event to ruin a provider’s brand reputation; no business can afford that risk. And, one must consider that ISPs and hosting providers, when compared to other businesses, are much more frequently impacted by DDoS attacks, so they are more likely to experience a full-pipe attack.

On the flip side, sub-saturating attacks are extremely common, and can still be very damaging, for a few reasons. First, they can degrade the performance of network devices, which makes it difficult for providers to meet their uptime customer service level agreements (many SLAs guarantee at least 99.9% uptime). Second, businesses of all types are now expecting to have near-zero downtime; some industries are more sensitive than others, of course, such as financial services (think trading and online banking), and online gaming; neither can afford minor outages or service latency. Last, but not least, sub-saturating DDoS attacks have been shown to occur around the same time as data breaches, presumably in an attempt to distract IT security staff from the real purpose of the criminal activity, which can be just as — if not more — costly to an organization.

Those are three good reasons for every organization to be concerned about DDoS attacks. And, in general, organizations have three options for DDoS defense: a completely on-premises solution, a cloud-based mitigation service, or a hybrid combination of on-premise with cloud scrubbing for attacks that exceed link capacity. There are advantages and disadvantages of each defense method; each organization must choose the correct solution according to its needs, risks, and budget. However, one must bear in mind that on-demand cloud-based DDoS scrubbing alternatives cannot achieve successful mitigation of the frequent, short duration attacks that are now impacting organizations every day. The critical factor to consider here, is time-to-mitigation. For the most effective protection, detection and mitigation should happen in seconds, not minutes.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here.  If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.