Corero

Understanding Link Saturation Due to DDoS Attacks

Network links are typically classified as “saturated” when traffic occupies more than 95% of the available bandwidth. When that saturation is caused by a Distributed Denial of Service (DDoS) attack, it is known as a “full pipe” scenario. For Internet Service Providers and hosting providers, a full pipe not only congests their own network but affects their downstream customers as well. How often do such saturation events occur? The good news is: not very often, relatively speaking. The bad news is that organizations still have plenty of reasons to worry about DDoS attacks, whether they are large enough to saturate a link or, far more commonly, relatively small in volume but often just as damaging.

Research shows that less than 1% of DDoS attacks result in link saturation, and the vast majority last less than 10 minutes, so one may be forgiven for thinking that DDoS attacks aren’t a big problem. However, it takes only one significant DDoS-induced outage to damage a provider’s reputation; what business can afford that risk? ISPs and hosting providers are also hit by DDoS attacks far more often than individual businesses, simply because of the number of customers they serve, so they are the ones most likely to experience that rare full-pipe scenario.

On the flip side, sub-saturating attacks are extremely common, and they can still be very damaging, for a few reasons. First, they degrade the performance of network devices and servers, which makes it difficult for providers to meet their service level agreements (many SLAs guarantee at least 99.9% uptime). Second, businesses of all types now expect near-zero downtime; some industries are more sensitive than others, of course, such as financial services (think trading and online banking) and online gaming, neither of which can afford even minor outages or added latency. Last, but not least, sub-saturating DDoS attacks have been observed around the same time as data breaches, presumably as a distraction for IT security staff from the real purpose of the criminal activity, which can be just as costly to an organization, if not more so.

Those are three good reasons for every organization to be concerned about DDoS attacks. In general, organizations have three options for DDoS defense: a completely on-premises solution, a cloud-based mitigation service, or a hybrid that combines on-premises mitigation with cloud scrubbing for attacks that exceed link capacity. Each defense method has advantages and disadvantages, and each organization must choose according to its needs, risks, and budget. Bear in mind, however, that on-demand cloud-based DDoS scrubbing services are slow to engage and cannot protect against the frequent, short-duration attacks that are now seen daily: if the attack is over before the traffic has been redirected to the scrubbing center, the damage is already done. The critical factor to consider here is time-to-mitigation. For the most effective defense, detection and mitigation should happen in seconds, not minutes.
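To make the two numbers in this post concrete, the 95% saturation threshold and time-to-mitigation, here is an added example (illustrative code written for this article, not Corero’s product) that turns interface byte counters into per-interval link utilization, groups bursts into attack events, flags which ones hit the full-pipe threshold, and shows how much of each attack a defence with a given time-to-mitigation would have let through. The input shape (cumulative 64-bit byte counters polled every 10 seconds, as an SNMP ifHCInOctets poll would give), the 50% burst threshold, the traffic profile, and the 900-second versus 5-second mitigation delays are all assumptions made for the example; the 95% saturation definition is the one from the text.

```python
"""Link-utilization monitoring over interface byte counters.

Added example for this article, not Corero's code. Assumed inputs: cumulative
byte counters from one interface (the shape SNMP ifHCInOctets gives), polled at
a fixed interval, plus the link capacity in bits per second. The 95% saturation
threshold is the article's; the 50% burst threshold and the two
time-to-mitigation figures used below are assumed illustrative values.
"""
from dataclasses import dataclass
from typing import List, Tuple

SATURATION_THRESHOLD = 0.95   # article: >95% of capacity = "saturated"
BURST_THRESHOLD = 0.50        # assumed: utilization we treat as an attack
COUNTER_WRAP = 2 ** 64        # ifHCInOctets is a 64-bit counter


@dataclass
class Event:
    start: int        # seconds, start of first interval over BURST_THRESHOLD
    end: int          # seconds, end of last such interval
    peak_util: float
    saturated: bool   # any interval over SATURATION_THRESHOLD ("full pipe")

    @property
    def duration(self) -> int:
        return self.end - self.start


def utilization(samples: List[Tuple[int, int]],
                capacity_bps: int) -> List[Tuple[int, int, float]]:
    """Turn (time_s, cumulative_bytes) samples into (t0, t1, fraction) per interval."""
    out = []
    for (t0, b0), (t1, b1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        delta = b1 - b0
        if delta < 0:              # counter wrapped between polls
            delta += COUNTER_WRAP
        out.append((t0, t1, (delta * 8) / (dt * capacity_bps)))
    return out


def detect_events(utils: List[Tuple[int, int, float]]) -> List[Event]:
    """Group consecutive intervals above BURST_THRESHOLD into events."""
    events: List[Event] = []
    current = None
    for t0, t1, u in utils:
        if u > BURST_THRESHOLD:
            if current is None:
                current = Event(start=t0, end=t1, peak_util=u, saturated=False)
            current.end = t1
            current.peak_util = max(current.peak_util, u)
            if u > SATURATION_THRESHOLD:
                current.saturated = True
        elif current is not None:
            events.append(current)
            current = None
    if current is not None:
        events.append(current)
    return events


def unmitigated_seconds(event: Event, time_to_mitigation_s: int) -> int:
    """Seconds of attack traffic the link absorbs before a defence with the given
    time-to-mitigation (detection plus engagement) is in place."""
    return min(event.duration, time_to_mitigation_s)


def build_counters(rates_mbps: List[int], interval_s: int = 10,
                   start_counter: int = 0) -> List[Tuple[int, int]]:
    """Constructed test data: cumulative byte counters from per-interval rates,
    wrapping at 64 bits like a real ifHCInOctets."""
    samples = [(0, start_counter)]
    t, c = 0, start_counter
    for r in rates_mbps:
        t += interval_s
        c = (c + r * 10 ** 6 * interval_s // 8) % COUNTER_WRAP
        samples.append((t, c))
    return samples


# Constructed 10 GbE profile: 1 min idle, 3 min at 7 Gb/s (sub-saturating),
# 1 min idle, 1 min at 9.8 Gb/s (full pipe), 1 min idle. The counter starts
# just below 2**64 so the first interval exercises the wrap handling.
SAMPLE_RATES = [2000] * 6 + [7000] * 18 + [2000] * 6 + [9800] * 6 + [2000] * 6
SAMPLE_COUNTERS = build_counters(SAMPLE_RATES, start_counter=COUNTER_WRAP - 10 ** 9)
LINK_CAPACITY_BPS = 10 * 10 ** 9


def analyze(samples=SAMPLE_COUNTERS, capacity_bps=LINK_CAPACITY_BPS) -> List[Event]:
    return detect_events(utilization(samples, capacity_bps))


if __name__ == "__main__":
    for ev in analyze():
        print(f"{ev.start:4d}s-{ev.end:4d}s peak {ev.peak_util:.0%} "
              f"{'SATURATED' if ev.saturated else 'sub-saturating'} "
              f"unmitigated: on-demand(900s)={unmitigated_seconds(ev, 900)}s "
              f"inline(5s)={unmitigated_seconds(ev, 5)}s")
```

Run as-is and the constructed profile yields two events: a 180-second burst at 70% that never saturates the link, and a 60-second full-pipe event at 98%. With the assumed 900-second on-demand engagement time both attacks are entirely over before mitigation begins, which is the post’s point about short attacks; with a 5-second inline time-to-mitigation only the first few seconds of each get through. On real equipment, swap `build_counters` for your poller’s output and keep the wrap handling, since a 64-bit counter rolling over between polls otherwise shows up as a large negative delta.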