DDoS protection pricing is all over the map, and can get fairly complex. However, there are a few key questions to ask in order to make sure you’re not paying too much.
As DDoS attacks grow more frequent, more powerful, and more sophisticated, many organizations turn to DDoS mitigation services to protect themselves against attack. DDoS protection vendors range in all shapes and sizes, from dedicated DDoS mitigation providers to CDN vendors who add website DDoS protection, to ISPs who resell DDoS protection as an add-on. As a result, the quality and cost of such service can vary wildly, and many customers end up purchasing protection packages that are either inadequate, or too big for their needs, resulting in unnecessary costs.
Here are five questions to ask your DDoS mitigation vendor to make sure that you’re getting the protection that you need, without overpaying:
1. How much traffic do you really need?
This is the biggest pitfall – and arguably the biggest reason for overpaying – is buying protection packages that are too large.
DDoS protection packages are usually sold in price tiers according to traffic volume. The traffic volume you purchase should correspond the volume of legitimate traffic that your website handles on a normal basis.
If you’re not sure about how much traffic you need, you can find out by looking at traffic statistics on your routers or your web servers, and see how much traffic you see on a regular basis.
2. Are you paying for bad traffic?
Once you’ve determined how much traffic you need, find out what type of traffic you’re paying for. When you are under a DDoS attack, traffic volumes increase exponentially within a short time. Therefore, it is important to know whether you are paying for legitimate traffic or attack traffic.
Legitimate traffic is the normal user traffic that is supposed to reach your website. A legitimate traffic payment model ensures that you pay only for legitimate user traffic. Attack traffic, on the other hand, is malicious traffic by hackers intended to overwhelm your website. An attack traffic payment model means that you pay for all traffic reaching your website, legitimate or not.
Paying for attack traffic is particularly a concern if you rely on your CDN provider, your ISP, or your public cloud host for DDoS protection, because these providers charge customers according to the amount of traffic. In such cases you will essentially be paying your provider to be attacked, which can quickly escalate to tens of thousands of dollars (or more) per attack.
In order to protect yourself against such surcharges, it is important to make sure you have cost protection in case of a DDoS attack. Depending on the provider, such price protections might be called ‘cost protection’, ‘unmetered DDoS protection’, or ‘legitimate traffic payment model’.
3. Does it include application-layer DDoS protection?
Broadly speaking, DDoS attacks are divided into network-layer attacks and application-layer attacks. Network-layer attacks are based on layer-3 and layer-4 protocols such as TCP and IP, and include attack vectors such as TCP SYN floods, UDP floods, IP fragmentation attacks, and others. Application-layer attacks, on the other hand, refer to layer-7 DDoS attacks such as HTTP floods or low-and-slow DDoS attacks.
Many DDoS protection vendors – especially ISPs and public cloud providers – only provide protection against network-layer (L3/4) attacks, and do not protect against application-layer attacks at all. Others – particularly CDN-based DDoS vendors – require that you subscribe to expensive add-on services in order to receive application-layer protection.
Modern DDoS protection requires that you be protected against both network-layer and application-layer attacks, and neglecting application-layer defenses will leave you exposed to attack – particularly for public-facing web applications.
4. Are you protected against SSL DDoS attacks?
As more and more web traffic is encrypted, SSL-based DDoS attacks are becoming increasingly more frequent and more harmful. SSL DDoS attacks are particularly potent because they demand large amounts of computing resources from target servers. A single SSL request can require up to x15 more resources from the target server than from the origin computer. As a result, a small attack can result in crippling damage.
Protection against SSL-based DDoS attacks is increasingly important. However, there are still some DDoS vendors which do not provide this type of protection at all. Other vendors – in particular CDN vendors – charge extra fees for SSL traffic (thereby increasing the cost) and require that customers share their full SSL keys (thereby harming user privacy), and decrypt all SSL traffic on the cloud (thereby creating much latency).
It is imperative, therefore, for organizations to make sure they are protected against this potent form of DDoS attacks, and that the protection offered does not impede regular user traffic.
5. Beware Hidden Costs on the Public Cloud
Finally, once you have all your DDoS protections in place, you need to make sure that there are no hidden costs in your policy that can add up to a nasty surprise when the bill is due, especially if you use public cloud infrastructure for your web applications.
As more organizations migrate their workload to the cloud, it is increasingly popular to ancillary use cloud-based services such as load balancing, CDN, storage and databases. Many of these services are charged by the amount of traffic or requests. In case of a DDoS attack, the traffic that goes through these services will skyrocket, as will their associated costs…
Some cloud providers provide limited cost protection against network level DDoS attacks, but that usually does not include application-level DDoS attacks (such as HTTP floods) and ancillary services. In case of an attack, these hidden costs can add up to significant amounts.
The best approach, therefore, is to block bad traffic before it ever reaches the public cloud, so you don’t get charged for cloud infrastructure services. Check your terms to see if you’re covered against such attacks, and consider how you can protect yourself.
What to look for in a DDoS solution
Ultimately, effective protection requires that organizations receive the best coverage, tailored to their needs, at a budget they can afford. Robust defenses must protect against both network-layer and application-layer DDoS attacks, as well as providing protection against increasingly common SSL-based attacks.
However, in order to control costs, organizations should make sure that they are not paying for more traffic than they need, that they are paying for legitimate traffic only, and are not paying any hidden costs, especially if you’re using public cloud infrastructure. Check your DDoS protection bill to make sure that this is indeed the case.
Read “Top 9 DDoS Threats Your Organization Must Be Prepared For” to learn more.
Eyal is a Product Marketing Manager in Radware’s security group, responsible for the company’s line of cloud security products, including Cloud WAF, Cloud DDoS, and Cloud Malware Protection. Eyal has extensive background in security, having served in the Israel Defense Force (IDF) at an elite technological unit. Prior to joining Radware, Eyal worked in Product Management and Product Marketing roles at a number of companies in the enterprise computing and security space, both on the small scale startup side, as well as large-scale corporate end, affording him a wide view of the industry. Eyal holds a BA in Management from the Interdisciplinary Center (IDC) Herzliya and a MBA from the UCLA Anderson School of Management.