
The Changing and Challenging Nature of DDoS Attacks


April 1, 2016 03:00 PM

Think of this as a Cyber Security Trend community service. For community members who may not be aware, Austin, TX-based NSS Labs is one of the world's most highly respected cyber security research and advisory firms. Its offerings include the Cyber Advanced Warning System (CAWS), a cloud service that continuously captures live attacks being used by threat actors and tests security products against those attacks in real time. Based on this expertise, to paraphrase the old, widely popular tag line from long-defunct financial services firm E.F. Hutton, “When NSS Labs talks, people listen.”

Given the nefariousness and unfortunate continued popularity of distributed denial-of-service (DDoS) attacks, NSS Labs' release of its DDoS prevention solutions Security Value Map (SVM) and Comparative Report series is something that commands attention. After all, emerging data from a variety of sources is documenting the direct and indirect costs of downtime, which can quickly add up to millions of dollars lost per hour and possibly permanent destruction of trusted brand status.

The NSS Labs report provides the first public group test evaluations for DDoS prevention solutions from six leading DDoS prevention solution providers. These were:

  • Arbor Networks APS 2800 v5.8.1
  • Corero SmartWall v8.10.248
  • F5 BIG-IP 10250v v12.0.0
  • Fortinet FortiDDoS 2000B v4.1.10
  • Huawei AntiDDoS8030 V500R001C00SPC600
  • Radware DefensePro 1006 v6.12.01

They were put through their paces looking at volumetric, protocol and application DDoS attacks based on solution security effectiveness, performance, and total cost of ownership (TCO).

It could be said that the good news is that the DDoS prevention solution market is $481M with a 13 percent CAGR. Another interpretation that resonates equally, if not more so, is that the growth in the solutions market reflects that DDoS attacks, this server and network flooding scourge of IT security professionals worldwide, remain not just prevalent but are growing.

In fact, while the vendor evaluations are important regarding recommendations based on comparisons, the findings about the changing nature of DDoS are things community members should find illuminating.

DDoS views you can use  

First, and at a high level: historically, DDoS protection meant protecting an enterprise’s internet presence. What the results highlight is that DDoS attacks are now targeting applications inside enterprise networks. To make matters more problematic, while average protection against volumetric and protocol attacks was 94.4 percent and 95.1 percent respectively, the average protection against application attacks was only 80 percent.

NSS Labs explains that it also tested the stability and performance impact of solutions, i.e., the ability of a solution to maintain performance while defending against an attack. As they say: “This gives enterprise buyers a key additional element for evaluations – the ability of the solution to not only detect and mitigate the attack, but to also allow legitimate traffic while the attack is being suppressed.”  They add that, “While vendors have largely become adept at protecting against traditional volumetric attacks with little performance impact, stopping a protocol attack can impact performance by as much as 92.5 percent.”  In a word, “YIKES!”

In its evaluation process, NSS takes a holistic approach, which means it looks not just at technology but also at price performance based on what it describes as “street prices.” Interestingly, this includes vendor discounts in competitive bid situations, and in this comparison solution discounts ranged from 12 percent to 42 percent, while hardware-only discounts ranged from 13 percent to 50 percent.

In terms of the vendor evaluations: 

  • Three of the six products achieved Recommended status
  • Overall Security Effectiveness ranged from 48.0 to 90.4 percent
  • There was, as noted above, effective protection against volumetric and protocol attacks, but weaker protection against targeted application attacks
  • The average overall performance impact for solutions under attack was 11.0 percent, with individual solution impact ranging from 0.4 percent to 40.5 percent
  • The average total cost of ownership (TCO) per protected megabit per second was US$21, with individual vendor TCO ranging from US$4 to US$84

“DDoS attacks are a top concern for large enterprises and they’ve consistently urged us to include DDoS prevention solutions on our Group Test roadmap,” said Mike Spanbauer, Vice President of Security Test & Advisory for NSS Labs. “This was our first public test of these solutions and the insight we’re now able to provide our customers is going to significantly improve their ability to select and deploy the best solutions for their environments.”

For those interested in the SVM and corresponding report results, how your vendor, or one you wish to evaluate, stacks up can be accessed here.  It obviously is up to community members to figure out whether the functions, performance and TCOs are within your organization’s purchasing zone of reasonableness. 

Based on numerous reports on the number and severity of DDoS attacks in the past year, and the morphing of the attacks, more and more organizations are going to want to upgrade their protection. It is likely that increasingly when it comes to DDoS the cost of prevention far outweighs the impacts of what happens when bad things happen. 

In fact, on a note unrelated to this evaluation, something several industry experts have asked me to pass along to community members is the disturbing trend that DDoS attacks are no longer just about filling the pipes and servers and bringing things to a halt. Less than full-force attacks are now being used as sophisticated diversions by the bad guys to keep IT preoccupied while they compromise other important digital assets. Stay tuned for more details on that one.
