“I just want to know that I’m safe from these 100Gbps plus attacks.”
These are the words heard (or at least the sentiment expressed) over and over for those of us helping defend the front lines from Distributed Denial of Service (DDoS) attacks. What may come as a surprise is that for some service providers in the space, this perspective causes more concern than glee. Sure, it is fair to say it’s not all bad to encounter prospects with this level of urgency. But the reality is that statements like this are a sign pointing to a long educational process for the buyer more so than a quick sale and long-term happy customer.
The education process these buyers require has to do with the reality that very large (>50Gbps) DDoS attacks, while headline grabbers, represent a tiny portion of the overall attack landscape. The even more sobering bit of learning for these folks is that the smaller attacks are often just as, if not even more, harmful.
Unfortunately, the education process faces an uphill battle against a seemingly endless array of news and reports perpetuating an over-emphasis on defending against only the mega attacks. For those already educated on the reality of attacks, a fact not lost is that much of this information comes specifically from vendors with a vested interest in distracting buyers from the scope (or lack) of attack vectors they can effectively detect and then mitigate.
What’s in Your Detection Engine?
Buyers of DDoS protection services can be forgiven for what might be a less than stringent evaluation process at times. DDoS attacks are increasingly complex across a number of factors… vectors, motives, sources, successful defenses, to name just a few. Thorough testing of potential technologies to detect and mitigate attacks requires vigilance, time and resources. Keeping up with the nature of attacks in a way that empowers buyers to explore options with deep knowledge further challenges the process. Add to that the fact that often (too often, in my opinion) the whole process takes place under some level of duress (already under attack, received a threat, peers being targeted, etc.) and the potential for large leaps of faith on the part of buyers jumps.
Bottom line… buyers who are serious about protecting their organizations need to at a minimum ask detailed questions of vendors about the attack coverage being offered.
Can you Detect Non-HTTP Vectors?
A growing number of organizations think they’ve already got the DDoS protection they need because they opted to “bundle” DDoS protection in with CDN or other traffic optimization services. The common (but flawed) logic here is a buyer thinking “well, my CDN has a ton of bandwidth and is already managing all of my traffic.” While there is a myriad of reasons why CDNs often struggle to provide even HTTP vector protection, there is an even more basic flaw in this logic… less than one quarter (23%) of attacks leverage HTTP/HTTPS vectors. CDN-based protections can leave the customer exposed to the growing threat of SMTP, FTP or other network protocols in traffic not touched by the CDN.
Can you Detect SSL Floods Without Affecting Legitimate Traffic?
As much as 25-30% of today’s DDoS attacks use SSL to further mask the attack and extend the amount of computing power required to provide protection. Many solutions cannot effectively differentiate encrypted attack traffic from encrypted legitimate traffic and can only rate limit these requests (effectively completing the attack). Additionally, many solutions require the customer to share actual server certificates, which complicates implementation, certificate management and forces customers to share private keys for protection in the cloud.
Can you Correlate Across DDoS and Non-DDoS Threats?
It is increasingly common that DDoS attacks occur as part of a combined multi-vector threat that also includes non-DoS tactics, such as application logic attacks targeting assets at Layer 7. These attacks use the distraction caused by large volumetric attacks as a virtual smoke screen that lowers the likelihood of detection for application attacks (SQL injection, XXS, etc.). Very few technologies can support an advanced implementation that detects these attacks and then coordinates blocking the traffic at the perimeter in conjunction with DDoS attack blocking. As cross vector coordination increases, this capability will further separate those with holistic attack protection from those with a point solution for one vector.
Understand the Full Set of Vectors
Today, more than 50% of the attacks Radware sees utilize 5 or more vectors. This means unless you want a 50% solution, you MUST take the time to understand the multi-vector challenge and the questions to ask service providers. Here are a couple of educational resources that can help you in this pursuit:
- Radware’s 2014-15 Global Network and Application Security Report: this report provides a two-pronged view at the current threat landscape. One set of perspectives comes from the network and application security community through an in-depth survey covering current cyber-security threats and initiatives. The second view comes from Radware’s Emergency Response Team, which provides insights based on first-hand experience protecting customers.
- Radware’s DDoS Handbook: updated annually, the handbook provides a deep history behind DDoS attacks, as well as a comprehensive description of the many types of attacks, approaches to protection, and a checklist for evaluating different solutions.
- Cloud vs. On-Premise Security E-Book: This book offers tips on how to strike a balance for optimal protection. Learn about the common risks of cloud-only solutions, the most effective architectures for trending threat vectors, and what benefits you can gain from hybrid attack detection.