Corero
Blog & News

Why Your DDoS Defenses May Be Outdated

Organizations are increasingly finding that DDoS mitigation tools that once worked well enough to block Distributed Denial of Service (DDoS) attacks can no longer defend effectively against the growing variety and sophistication of today's attacks. You may have invested serious time and money in software, hardware, and training only a few years ago, only to find that your organization is still suffering from the damaging impact of DDoS attacks. The fact is, not all DDoS defenses are equal, and most do not stand up well to the test of time. In such cases, it may be necessary to replace a legacy system, or at least augment it with an additional layer of DDoS protection.

Weaknesses of Legacy DDoS Solutions

There are several reasons why legacy DDoS mitigation systems may fail to fully protect a network or website. First, many legacy DDoS solutions rely heavily on human intervention from security analysts to deal with DDoS traffic. As a result, responses to attacks are slow and often require redirecting the bad traffic out to a scrubbing center. That approach can take anywhere from minutes to tens of minutes, during which time attackers can do a lot of damage by blocking access to applications or degrading network performance. Re-routing customer traffic across the Internet to third-party scrubbing centers creates disruption, adds risk, and can be very costly.

Another factor is that many legacy DDoS solutions were designed to handle large volumetric attacks, but are not equipped to handle short, sub-saturating attacks. As the vast majority of today’s DDoS attacks are short in duration and low in volume, this makes it nearly impossible for security analysts to detect and mitigate them. DDoS solutions that are not automated and rely solely or partly on human intervention are bound to fail in these attack situations.

Furthermore, many DDoS cybercriminals use automation tools to create dynamic multi-vector attacks that change their methods on the fly, making it impossible for security analysts to respond manually quickly enough to mitigate them.

And last, but not least, are “zero-day” attacks, i.e. those never seen in the wild before. Hackers are regularly discovering new attack vectors and sharing them on the Dark Web, so DDoS-for-hire services can leverage them. Unfortunately, most DDoS mitigation solutions are not built to recognize such attacks.

Be Prepared; Ask Key Questions About Your Current or Potential Vendor Solution

Before investing in a new, replacement, or complementary DDoS solution, it’s important to thoroughly vet several vendors, asking key questions to determine whether their solutions align with your business and technical needs, your risk tolerance and, of course, your budget. Below are just a few of the many questions you should ask a DDoS mitigation vendor when seeking the right solution for your organization:

  • Can the vendor offer “Always-On” real-time mitigation?
  • Can the vendor mitigate, in under a second, for known and unknown attack types?
  • What is the operational time to deploy the real-time offering?
  • Can the vendor offer a hybrid DDoS mitigation architecture?
  • Can the vendor deliver detailed real-time and historical attack analytics?
  • Can the vendor offer a managed DDoS service?
  • Does the vendor protect against volumetric and state-exhaustion DDoS attacks at Layers 3, 4 and 7?

It is also useful to know that many cloud DDoS protection services advertise “always-on” protection; however, that often means only that traffic is always routed through their cloud. It does not necessarily mean you are always protected, and the additional time-to-mitigation delay may still result in damaging downtime when an attack hits. For the best of both worlds, consider investing in a hybrid solution that combines your existing cloud-based DDoS protection with on-premises DDoS detection and mitigation. Hybrid solutions can handle the vast majority of attacks locally, in real time, without requiring your traffic to be redirected to the cloud.

For most organizations it is not a question of if, but rather when, they will be targeted by a DDoS attack. Corero research has also shown that many organizations experience frequent, repeated DDoS attacks. Thus, a DDoS solution that is only partially effective leaves your organization at serious risk. Even if your organization is not currently planning to upgrade its DDoS defense system, or to invest in DDoS protection for the first time, it is worth assessing what you have or what you need from a vendor to protect your business. To make sure you ask the right questions, download Corero’s self-assessment questionnaire at https://go.corero.com/online-ddos-assessment.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments.