
Cloud, Hybrid, or On-Prem: Which DDoS Protection Is Right for Your Organization?

A recent blog post from the analysts at GigaOm, “Defeating Distributed Denial of Service Attacks,” states that the key to successful defense is “a scalable platform capable of deflecting an attack led by a million bots with hundreds of gigabits per second of network throughput.” The post also refers to a GigaOm report, which suggests that cloud-structured DDoS mitigation is the ideal way to defend against DDoS attacks. Unfortunately, that advice could be misleading for some organizations because a mitigation defense that is based only on a cloud solution often presents challenges in terms of 1) accuracy and 2) time-to-mitigation.

Scrubbing Centers Lack Visibility and Pose Time Delays to Mitigation

There are two significant challenges for those providers who still rely solely on out-of-band scrubbing centers:

  1. Attack monitoring for out-of-band scrubbing typically requires the use of NetFlow, which only provides visibility into packet headers and not the payloads, reducing the accuracy of detecting the latest DDoS vectors.
  2. Swinging traffic to a scrubbing center causes delays, which means the full impact of the attack is felt for a significant period of time, often measured in minutes, before mitigation commences. For many organizations, every second of Internet uptime is critical, and it takes only a few seconds for cybercriminals to inflict damage via a DDoS attack; that’s why time to mitigation matters so much. Mitigation must be automatic, surgically accurate, and instantaneous, with sub-second response time.

Although we appreciate and respect GigaOm’s expertise, it is important for their readers to know that not all organizations regularly experience volumetric DDoS attacks. It is true that any organization could be subjected to a variety of DDoS attacks, and the average attack size has been increasing, likely due to the affordability of 100G connectivity. However, Corero research has consistently found that the vast majority of DDoS attacks (98%) are not particularly high volume. Most attacks are small (under 10 Gbps), and of short duration (under 10 minutes). So, organizations should carefully consider their risk profile and budget before deciding to scale with a cloud solution.

Internet Service Providers Must Prepare To Defend Against All Types of Attack

Some organizations — such as internet service providers and hosting providers — are more likely than others to be targeted by high-volume attacks. ISPs are attractive targets for cybercriminals because they serve as a gateway to the Internet for many other organizations, which means that a successful attack on the ISP can cause collateral damage to many of their downstream customers, resulting in service degradation, increased latency, or complete disruption. Such organizations should not be relying upon on-demand cloud scrubbing services, as these typically introduce delays measured in minutes, or even tens of minutes, between an attack first being detected and the mitigation actually activating. They should also not rely upon manual approaches to DDoS protection, as even the most experienced security analysts cannot possibly observe, catch, or keep up with the multiple dynamic DDoS vectors used in many of today’s attacks.

Because scrubbing centers are, by definition, only a fraction of a provider’s edge capacity (typically around 10-20%), the increasing size of the average attacks means that scrubbing capacity is more often exceeded, especially when there are simultaneous attacks on multiple customers of that provider. When attacks do exceed the available scrubbing capacity, ISPs are left with no choice but to blackhole all traffic to the customer(s) under attack, which means those customers are offline, completely. In such cases, the cybercriminals have won the battle, by successfully knocking their target offline.

Hybrid Cloud Solution Offers Best of Both Options

For organizations such as ISPs and hosting providers, which do have plenty of reasons to be concerned about all types of attacks (high-volume, and short, sub-saturating), a hybrid approach is ideal. To ensure protection at all levels, consider combining an on-premises appliance-based solution to effectively mitigate small, sub-saturating attacks, and a backup cloud solution to handle large volumetric attacks.
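The capacity and time-to-mitigation argument above can be worked through with a small model. This is an added example, not Corero's code or data: the 400 Gbps edge, the 15% scrubbing pool, the 300-second diversion delay, the five attacks and the smallest-first allocation policy are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Attack:
    customer: str
    gbps: float        # peak attack volume
    link_gbps: float   # capacity of the victim's access link
    duration_s: int    # how long the attack lasts

def plan(attacks, scrub_pool_gbps, divert_delay_s, inline_appliance):
    """Return {customer: (action, seconds_of_impact)}.

    Assumed policy (not from the article): the smallest attacks claim
    scrubbing capacity first; whatever no longer fits is blackholed.
    """
    pool = scrub_pool_gbps
    result = {}
    for a in sorted(attacks, key=lambda x: x.gbps):
        if inline_appliance and a.gbps < a.link_gbps:
            # Sub-saturating: filtered on-premises; sub-second, counted as 0.
            result[a.customer] = ("inline", 0)
        elif a.gbps <= pool:
            pool -= a.gbps
            # The attack lands unfiltered until the traffic swing completes.
            result[a.customer] = ("scrub", min(divert_delay_s, a.duration_s))
        else:
            # Pool exhausted: the victim is offline for the whole attack.
            result[a.customer] = ("blackhole", a.duration_s)
    return result

def total_impact(result):
    """Sum of seconds during which customers are degraded or offline."""
    return sum(seconds for _, seconds in result.values())

# Constructed scenario: five simultaneous attacks on 10 Gbps customer links.
EDGE_GBPS, SCRUB_FRACTION, DIVERT_DELAY_S = 400, 0.15, 300
ATTACKS = [
    Attack("cust-a", 4, 10, 240),
    Attack("cust-b", 6, 10, 180),
    Attack("cust-c", 8, 10, 540),
    Attack("cust-d", 45, 10, 900),
    Attack("cust-e", 9, 10, 420),
]
POOL = EDGE_GBPS * SCRUB_FRACTION
SCRUB_ONLY = plan(ATTACKS, POOL, DIVERT_DELAY_S, inline_appliance=False)
HYBRID = plan(ATTACKS, POOL, DIVERT_DELAY_S, inline_appliance=True)

if __name__ == "__main__":
    for name, res in (("scrub-only", SCRUB_ONLY), ("hybrid", HYBRID)):
        print(name, res, "total impact (s):", total_impact(res))
```

In this scenario the small attacks use up the shared pool in the scrub-only design, so the one large attack is blackholed; with inline mitigation the pool stays free for it, and short attacks no longer end before diversion completes.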

Whichever approach is taken, one thing is sure: DDoS protection is an increasingly easy-to-deliver, high-value, revenue-generating service that many end-user organizations now look for from their providers.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall ONE DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments.