Why ‘Free’ DDoS Protection Can be the Most Expensive
The promises are enticing and the price is unbeatable; after all, who can beat the price of ‘free’?
As service availability becomes more and more of a customer concern, it has become common for internet service providers (ISPs), content distribution networks (CDNs) and public cloud providers to offer ‘DDoS protection’ for free, as part of their service bundle.
What those service providers don’t tell their customers, however, is that this free protection can end up being the most expensive, should you come under attack.
DDoS attacks frequently result in loss of availability, loss of customers, abandoned shopping carts and loss of reputation, so the upfront savings in protection can lead to much larger costs down the road.
Free (or low cost) DDoS protection is frequently offered by connectivity and computing providers, who bundle it together with their infrastructure services. This typically includes ISPs, CDNs, and public cloud infrastructure-as-a-service (IaaS) providers.
However, there are several key areas in which ‘free’ DDoS protection frequently falls short of dedicated security services.
There is no way around it: when you get something for free (or very cheap), you usually get what you pay for.
The main concern of infrastructure service providers is selling their core computing services, such as internet connectivity, content distribution, or cloud computing. From their point of view, DDoS protection is a loss leader that helps sell those core services. Consequently, they frequently provide only the simplest, most basic protections, which cost them the least.
For example, one large public cloud provider has no qualms about declaring that its free tier provides protection only against the ‘most common, frequently occurring network and transport layer DDoS attacks’. Higher levels of protection, on the other hand, come at a high cost.
As a result, free DDoS protection tiers usually do not provide protection against advanced DDoS attacks such as burst attacks, dynamic IP attacks, multi-vector attacks, IoT botnet attacks (such as Mirai), DNS attacks, SSL attacks or other zero-day DDoS attacks. This leads to inferior protection, and leaves customers exposed should they face a sophisticated attacker.
Another key problem with ‘free’ DDoS protection services, apart from the level of security, is the limited coverage they offer.
Frequently, such services are limited to mitigating rudimentary network-layer (L3/4) DDoS attacks. They usually do not protect against application-layer (L7) DDoS attacks, which target the applications themselves, such as HTTP/S DDoS floods, DNS attacks, low-and-slow attacks, and so on.
Application-layer DDoS protections, to the extent they are offered at all, will frequently require separate add-on costs (or the purchase of a WAF service), and are usually limited to simple rate-limiting of incoming HTTP/S connections.
Moreover, as the service providers’ main interest is to sell more of their other services, their DDoS protections will be limited to covering their own services only. For customers who use multiple providers (such as multiple CDNs, ISPs, or public clouds), this leads to varying levels of protection for different assets, inconsistent security policies, and fragmented management and reporting.
No Service Commitments
Another way in which free DDoS protection services save money – and compromise security – is in the service commitments they provide to customers.
Your DDoS protection service is only as good as the service guarantees your provider is willing to commit to. Such service commitments are usually documented in the Service Level Agreement (SLA) associated with the service.
This is why most free (or low-cost) DDoS protection services either provide no SLA at all, or offer only a ‘best effort’ SLA. Frequently such SLAs include no commitment to attack detection times, mitigation times, or quality of mitigation (i.e., measuring the ratio between good and bad traffic that is being allowed through).
This means that if the service provider doesn’t live up to their marketing promises, there really isn’t anything that the customer can do about it, and no remedy to their problem.
An enterprise-grade SLA should include service commitments that are not only specific but measurable (i.e., there is a clear, understandable way to measure them), and it should also spell out the remedies available to the customer if these commitments are breached.
Not including specific and measurable metrics for detection, mitigation, and response in the SLA of a DDoS protection service should raise alarm as to the actual quality of security it provides.
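To make the three metrics named above concrete (detection time, mitigation time, and quality of mitigation measured as the ratio of good and bad traffic allowed through), here is an added example, not part of the original article and not any vendor's code, that computes them for one incident and checks them against an SLA. The incident timeline, the traffic samples and the SLA thresholds are all constructed for illustration; a real contract would define its own numbers.

```python
"""Compute DDoS SLA metrics for one incident from a constructed timeline
and constructed post-mitigation traffic samples (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sample:
    """One observed flow (constructed data)."""
    ts: datetime
    is_attack: bool   # ground truth, e.g. from post-incident analysis
    allowed: bool     # whether the mitigation let the flow through


@dataclass(frozen=True)
class Sla:
    """Illustrative SLA thresholds (assumed values, not a real contract)."""
    max_detection: timedelta
    max_mitigation: timedelta
    max_leakage: float          # fraction of attack traffic allowed through
    max_false_positive: float   # fraction of legitimate traffic dropped


def detection_time(attack_start, detected_at):
    """Time from the first attack traffic to the provider declaring an attack."""
    return detected_at - attack_start


def mitigation_time(detected_at, mitigated_at):
    """Time from detection to the mitigation being fully in place."""
    return mitigated_at - detected_at


def mitigation_quality(samples, mitigated_at):
    """Leakage (bad traffic let through) and false positives (good traffic
    dropped), counted only from the moment mitigation was declared active."""
    active = [s for s in samples if s.ts >= mitigated_at]
    attack = [s for s in active if s.is_attack]
    good = [s for s in active if not s.is_attack]
    leakage = sum(s.allowed for s in attack) / len(attack) if attack else 0.0
    false_positive = sum(not s.allowed for s in good) / len(good) if good else 0.0
    return {"leakage": leakage, "false_positive": false_positive}


def evaluate(sla, attack_start, detected_at, mitigated_at, samples):
    """Return the names of the SLA clauses breached during this incident."""
    breaches = []
    if detection_time(attack_start, detected_at) > sla.max_detection:
        breaches.append("detection")
    if mitigation_time(detected_at, mitigated_at) > sla.max_mitigation:
        breaches.append("mitigation")
    quality = mitigation_quality(samples, mitigated_at)
    if quality["leakage"] > sla.max_leakage:
        breaches.append("leakage")
    if quality["false_positive"] > sla.max_false_positive:
        breaches.append("false_positive")
    return breaches


# Constructed incident: attack starts at T0, is detected 45 s later, and
# mitigation is fully active 90 s after detection.
T0 = datetime(2024, 1, 1, 12, 0, 0)
ATTACK_START = T0
DETECTED_AT = T0 + timedelta(seconds=45)
MITIGATED_AT = T0 + timedelta(seconds=135)

# Constructed samples: before mitigation everything passes (excluded from the
# quality ratio); afterwards 1 of 8 attack flows leaks and 1 of 10 legitimate
# flows is wrongly dropped.
SAMPLES = (
    [Sample(T0 + timedelta(seconds=60), True, True)]
    + [Sample(MITIGATED_AT + timedelta(seconds=i), True, i == 3) for i in range(8)]
    + [Sample(MITIGATED_AT + timedelta(seconds=i), False, i != 5) for i in range(10)]
)

# Assumed SLA: detect within 30 s, mitigate within 180 s, at most 5% leakage
# and at most 1% legitimate traffic dropped.
EXAMPLE_SLA = Sla(timedelta(seconds=30), timedelta(seconds=180), 0.05, 0.01)

if __name__ == "__main__":
    print("detection:", detection_time(ATTACK_START, DETECTED_AT))
    print("mitigation:", mitigation_time(DETECTED_AT, MITIGATED_AT))
    print("quality:", mitigation_quality(SAMPLES, MITIGATED_AT))
    print("breached:", evaluate(EXAMPLE_SLA, ATTACK_START, DETECTED_AT, MITIGATED_AT, SAMPLES))
```

The point of separating the quality ratio from the timing metrics is that a provider can meet a time-to-mitigate clause while still letting a large share of attack traffic through, or while dropping legitimate users; a ‘best effort’ SLA that states none of these numbers leaves no way to show either failure.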
Lack of Security Expertise
Finally, as ‘free’ DDoS protection vendors are usually not dedicated security providers, they frequently lack the expertise and know-how to effectively deal with cyberattacks.
Although such service providers might be experts in their respective fields (such as internet connectivity, content delivery or cloud computing), security is frequently a side-business for them. DDoS attacks, however, are a specific category of cyberattack, with distinct characteristics, customer impact and methods of mitigation.
Consequently, such vendors are frequently not up to date with the latest attacks, trends or tools, and lack broad experience in dealing with a wide variety of DDoS attacks.
From a customer point of view, this means that free DDoS protection services will not be able to handle attacks as quickly or as efficiently as needed, and may not know how to effectively deal with complex attacks, leaving customers exposed for longer.
The Price is Promising, But…
Ultimately, when you get something for free, you usually get what you pay for. DDoS attacks are a unique type of cyberattack, and protection against them is a dedicated discipline within cybersecurity. Although many vendors promise ‘free’ DDoS protection, this type of service is usually a side-business for them, and an add-on to their main product line.
As a result, this type of ‘free’ protection comes at the cost of inferior protection, limited coverage, basic service commitments, and limited security expertise, which may end up being far more expensive down the road.