During a recent info-security event I had some great discussions about cyberwar, the impact of DDoS attacks and, consequently, the key criteria for implementing protection from these attacks.
For those of you searching for DDoS protection, here are things to consider when choosing a solution:
1. Verify the experience of the vendor.
Many companies nowadays talk about DDoS protection, and it is difficult to separate substance from similar-sounding buzzwords. Ask your vendor whether their technology is market proven. Who else is using the solution?
A good question: “Is this solution being used by cloud MSSPs that provide anti-DDoS services?” Industry leading MSSPs that provide anti-DDoS services are some of the most demanding customers when it comes to DDoS protection services. They understand the nature of different attacks, the various mitigation technologies and the expectations of their customers. Asking for MSSP references is a wise move.
2. Learn their speed of detection & mitigation.
An ideal DDoS mitigation solution detects and blocks attacks at the perimeter of the victim organization’s data center – before the attack can impact IT infrastructure. Such a defense configuration allows for real-time protection. Solutions that are purely cloud-based – and have no detectors in the organization’s data center – do not protect against an attack until attack traffic is manually redirected by an Internet Service Provider to flow through an MSSP for scrubbing. This process can take minutes or hours, is complicated to manage, and effectively leaves an organization and its customers exposed to the DDoS attack until the traffic can be redirected for scrubbing.
3. How do they (or can they) distinguish between legitimate users and attackers?
Unlike other cyber security threats, a DDoS attack is composed of many individually legitimate-looking requests. Only the large volume of simultaneous requests actually constitutes an attack. Since every request in a DDoS attack looks legitimate, the biggest challenge for anti-DDoS mitigation is to distinguish attacker requests from legitimate user requests. Standard anti-DDoS solutions base their mitigation strategy on rate-limiting methodologies that are triggered once traffic crosses a pre-defined threshold. This approach can produce a relatively high false-positive rate, blocking legitimate users from accessing the services.
Advanced anti-DDoS solutions deploy more sophisticated attack mitigation technologies, such as behavioral analysis that compares current traffic to normal baselines and makes intelligent decisions about attack mitigation. In addition, there are mechanisms that challenge suspicious sources; based on the source’s response, it can be determined whether the source is a bot or a legitimate user.
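To make the contrast concrete, here is an added illustration (not code from the original post or any vendor) of why a fixed per-source rate limit misfires where a baseline-driven behavioral check does not. The traffic samples are constructed: a legitimate high-volume source such as a corporate NAT gateway (203.0.113.10) sits steadily above a naive threshold, while a flood arrives from many sources that each stay below it.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed per-second traffic windows: requests counted by source address.
# All addresses and volumes are made up for illustration.
NORMAL = [
    Counter({"203.0.113.10": 120, "198.51.100.7": 8, "198.51.100.8": 6}),
    Counter({"203.0.113.10": 115, "198.51.100.7": 9, "198.51.100.9": 5}),
    Counter({"203.0.113.10": 125, "198.51.100.8": 7, "198.51.100.9": 6}),
    Counter({"203.0.113.10": 118, "198.51.100.7": 8, "198.51.100.8": 7}),
]
# Flood window: the NAT gateway is unchanged, plus 20 new sources at 40 rps each.
FLOOD = Counter({"203.0.113.10": 120})
FLOOD.update({f"192.0.2.{i}": 40 for i in range(1, 21)})


def static_rate_limit(window, threshold=100):
    """Classic rate limiting: block any source above a fixed requests/second."""
    return {src for src, n in window.items() if n > threshold}


def learn_baseline(windows):
    """Learn the normal aggregate rate (mean, std dev) and each source's
    average rate from clean traffic; a source absent from a window counts as 0."""
    totals = [sum(w.values()) for w in windows]
    per_src = {}
    for w in windows:
        for src, n in w.items():
            per_src[src] = per_src.get(src, 0) + n
    per_src = {src: total / len(windows) for src, total in per_src.items()}
    return mean(totals), pstdev(totals), per_src


def behavioral_detect(window, baseline, k=3.0, growth=1.5, floor=20):
    """Declare an attack only when the aggregate rate departs from its baseline
    (mean + k*sigma); then attribute it to sources whose rate exceeds their own
    baseline by the growth factor, or a small floor for never-seen sources."""
    mu, sigma, per_src = baseline
    if sum(window.values()) <= mu + k * sigma:
        return set()  # within normal variance: nothing to mitigate
    return {src for src, n in window.items()
            if n > max(growth * per_src.get(src, 0.0), floor)}


if __name__ == "__main__":
    base = learn_baseline(NORMAL)
    print("static, normal traffic :", static_rate_limit(NORMAL[0]))   # NAT blocked
    print("behavioral, normal     :", behavioral_detect(NORMAL[0], base))
    print("static, flood          :", static_rate_limit(FLOOD))       # NAT only
    print("behavioral, flood      :", sorted(behavioral_detect(FLOOD, base)))
```

On the normal window the static limit blocks the legitimate gateway (a false positive), and on the flood it still blocks only the gateway while letting every 40 rps attacker through; the baseline check stays silent on normal traffic and names the 20 new sources during the flood.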
There are many additional important questions to ask when choosing who will protect you and your customers, from attack coverage and attack types (SSL-based DDoS attacks, low & slow DDoS attacks) to Internet pipe saturation. I invite you to read this whitepaper on DDoS Selection Criteria for more information about the right questions to ask when selecting an anti-DDoS vendor.