Be Certain and Specific when Fighting DDoS Attacks
I was visiting a prospect last week and at the very beginning of the meeting he asked directly, “Why would I consider your products and services over the many others that claim to do the exact same thing?” I immediately said, “That’s easy! Certainty and specificity.” He looked at me, expecting more than a 5-word answer. When I did not provide one, he asked me to please explain. I told him that any number of the products or services on the market are capable of keeping your circuits from being overrun by a volumetric DDoS attack, but that if he wanted to be certain he was not blocking legitimate business users or customers, and if he wanted to be specific about the traffic he was scrubbing, he would need to consider my solution.
Distributed Denial-of-Service (DDoS) attacks have been around for years and continue to be a problem today. What amazes me is the number of products and services available that fight DDoS as if it were 1995! These products and services have failed to make significant advancements in defense for over 20 years. They simply rate-limit the traffic so that the circuits never become overwhelmed and your business stays up. It sounds simple enough, so what’s the problem?
The issue is that it’s now 2018 and although many of these products and services have remained stagnant, hackers have not. They understand that they can disrupt business using advanced DDoS tactics that bypass these legacy solutions.
Two points to consider:
- If we are looking for traffic spikes to detect an attack, how do we know it’s actually an attack and not simply a busy time for the business? Maybe our business is experiencing the result of a successful marketing campaign that has pushed more buyers to our website. On the flip side, maybe the hacker is using a low-and-slow attack on a backend server that takes out that service but never creates a traffic spike large enough to be detected. The answer is that traditional, rate-based detection methods will not offer you certainty in dealing with next-generation DDoS issues.
- When you rate-limit traffic, you are blocking some good traffic from reaching its destination, and you are allowing some bad traffic into your network. Yes, you stay up, but your users may still experience some discomfort. Traditional devices are not able to discriminate bad from good, so anything over a certain threshold gets dropped. These devices lack specificity. Why would I not keep all of my good traffic and simply drop the bad?
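To make those two points concrete, here is an added example (not code from the original post or from any vendor product) run over constructed connection records: a rate-based check fires on a marketing rush yet sees nothing during a low-and-slow trickle, and a blanket rate limit drops good shoppers where a source-specific drop does not. The record fields, thresholds and addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample flows, not real traffic: one record per client
# connection seen in a 60-second window. Field names are assumed.
@dataclass(frozen=True)
class Flow:
    src: str          # client address
    bytes: int        # bytes the client sent in the window
    held_open_s: int  # how long the connection stayed open
    good: bool        # ground truth, used only to score the detectors

def marketing_rush():
    """300 distinct shoppers, each a short, normal request."""
    return [Flow(f"203.0.113.{i % 250}", 8000, 2, True) for i in range(300)]

def low_and_slow():
    """40 shoppers plus 200 near-idle connections from three sources."""
    return ([Flow(f"203.0.113.{i}", 8000, 2, True) for i in range(40)]
            + [Flow(f"198.51.100.{i % 3}", 60, 300, False) for i in range(200)])

def rate_detector(flows, window_s=60, threshold_bps=200_000):
    """Legacy check: alarm only when aggregate throughput crosses a threshold."""
    return sum(f.bytes for f in flows) * 8 / window_s > threshold_bps

def behavior_detector(flows, max_open_per_src=20, min_bps=100):
    """Flag sources holding many near-idle connections open (low-and-slow pattern)."""
    idle_per_src = {}
    for f in flows:
        if f.bytes * 8 / f.held_open_s < min_bps:
            idle_per_src[f.src] = idle_per_src.get(f.src, 0) + 1
    return {src for src, n in idle_per_src.items() if n > max_open_per_src}

def rate_limit(flows, cap_bytes=1_500_000):
    """Legacy mitigation: once the window's byte budget is spent, drop whatever comes next."""
    kept, used = [], 0
    for f in flows:
        if used + f.bytes <= cap_bytes:
            kept.append(f)
            used += f.bytes
    return kept

def specific_drop(flows):
    """Specific mitigation: drop only flows from sources the behavior detector flagged."""
    bad = behavior_detector(flows)
    return [f for f in flows if f.src not in bad]

def good_dropped(flows, kept):
    """Count legitimate flows that a mitigation discarded."""
    return sum(f.good for f in flows) - sum(f.good for f in kept)
```

On the marketing rush the rate detector alarms and the rate limit discards 113 of 300 legitimate shoppers; on the low-and-slow window the rate detector stays silent while the behavior detector names all three trickling sources and the specific drop removes only their 200 connections.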
Volumetric DDoS attacks are still very common today and they are growing in size. These large attacks make the news and get a lot of attention, but they are roughly only 50% of the problem.
The other half of the DDoS story involves new tactics that will not saturate an internet circuit but will take out services inside the network. These can be just as costly depending on the service that is affected. So, if you’re going to fight the problem, you should fight the whole problem, while being 100% sure and specific about what you are fighting.