Why ISP DDoS Services Typically Fail

Over the last couple of years, I wrote about DDoS attacks several times—with good reason. They are increasing in size and intensity. Each year more homes are connected to the Internet; consumers and businesses increase their access connection bandwidth; and more devices are online at each connection. With all these connected devices, many of which have little to no protection, the field is ripe for threat actors to harvest DDoS attack hosts, a.k.a. bots.

There are multiple strategies ranging in cost and efficacy for defending Internet properties and applications against DDoS attacks. With DDoS attack defense, you really get what you pay for. Aside from the roll-the-dice approach, which is doing nothing and hoping you don't become a target, the next-lowest cost option organizations turn to is using their ISP as their first and primary line of defense.

It is important to understand that though using an ISP can be better than nothing, in the case of low-level attacks there may be limitations for medium- or large-scale volumetric attacks, application attacks, and identifying the back door attacks if the DDoS is used as a smoke screen.

When choosing a DDoS protection solution, the first step is to determine how you are going to approach it: on-premises, cloud scrubbing or hybrid. If you are looking for a cloud-only solution, first determine the limitations on the providers’ bandwidth they can absorb and scrub both in their entirety and on a per client/incident basis. Next, ask the provider what their course of action is if that capacity is exceeded. Often in the case of a lower tier scrubbing center or a tier 2 ISP, once the attack exceeds the provider’s bandwidth rate or infrastructure capacity, the provider will “black hole” the traffic destined for your IP space. The term black-hole is just what it sounds like. Using one or more various network routing techniques, they block or route all traffic destined to you to nowhere, dropping it off the grid. They do this to maintain their other customers’ connections and thus those relationships. They cannot allow your issue to affect the other customers. The net result to you is the same as if you had no protection, because while traffic is black holed your web application is out of service. Lastly, ensure you know what the provider’s activation time is. Are they always on, or is the service automatically activated based on some predetermined condition, or does it need to be manually activated?

[You might also like: The Cost of a DDoS Attack on the Darknet]

When evaluating an on-premises solution, ISPs are generally limited to any OEM agreements they have in place for third-party solutions. For selection, you will need to investigate purchasing a solution from a channel partner, VAR, integrator, or directly from a vendor. Raw throughput to address volumetric DDoS is a consideration but not the primary one. For a volumetric attack, it’s a moot point to have the capacity of the appliance exceed the capacity of your Internet connection. It is more important to ensure the appliance can inspect and manage protocol and application-level attacks, which are becoming far more common. Since the ISP services function on OSI layers 3 (network) and 4 (transport), these more advanced techniques just appear as “traffic” to the ISP. So long as the volumes operate within acceptable parameters, the protocol and application attacks have a significant probability of sneaking by.

Effective hybrid DDoS defense requires a significant partnership between on-premises equipment and the cloud scrubbing. Though this can be cobbled together with manual processes, that approach is highly inefficient and fraught with opportunities for failure. If you ISP has a preferred vendor with which it has integrations, carefully evaluate the performance of the solution. If not, you will need to look for a vendor that offers a hybrid DDoS protection solution. A native, rather than partnered solution usually works better, but test the claims. Ask for a reference customer.

Ultimately you need a solution with full OSI model spectrum of visibility; specifically, the layer 7 (application) intelligence to dissect and differentiate application communications to only remove the bad traffic. To gain surgical removal of undesirable traffic, you have to look for a DDoS mitigation partner with the scale to address the large attacks before they reach your valuable web properties and the finesse to detect application- and protocol-level attacks early so they can be addressed early in the attack while allowing the rest of the business traffic to reach its intended location. This requires a strong hybrid model using both on-premises appliances for early detection of application- and protocol-level attacks and an Internet service for capturing volumetric attacks.