DDoS Mitigation: The Definitive Buyer’s Guide
Imperva
What is DDoS mitigation?
The term ‘DDoS mitigation’ refers to the process of successfully protecting a target from a distributed denial of service (DDoS) attack.
A typical mitigation process can be broadly defined by these four stages:
- Detection—the identification of traffic flow deviations that may signal the buildup of a DDoS assault. Effectiveness is measured by your ability to recognize an attack as early as possible, with instantaneous detection being the ultimate goal.
- Diversion—traffic is rerouted away from its target, either via DNS (the protected hostname is pointed at the provider's proxy network) or via BGP (the provider announces your IP prefixes from its own network), and a decision is made whether to filter it or discard it altogether. DNS-based diversion is normally always-on; because it places a reverse proxy in front of the hostname it can filter both application-layer and network-layer traffic aimed at that hostname, but it covers only traffic that arrives through the hostname, so the origin IP must stay hidden. BGP-based diversion covers every packet sent to the announced prefixes and can be either always-on or activated on-demand.
- Filtering—DDoS traffic is weeded out, usually by identifying patterns that instantly distinguish between legitimate traffic (i.e., humans, API calls and search engine bots) and malicious visitors. Responsiveness is a function of your being able to block an attack without interfering with your users’ experience. The aim is for your solution to be completely transparent to site visitors.
- Analysis—system logs and analytics can help gather information about the attack, both to identify the offender(s) and to improve future resilience. Logging is a legacy approach, which can provide insights but is not real-time and can require detailed manual analysis. Advanced security analytics techniques can offer granular visibility into the attack traffic and instant understanding of attack details.
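The detection stage above is described only as "identifying traffic flow deviations". The following added example (written for this guide, not Imperva's detection engine) shows the simplest form of that logic: a per-destination baseline of packets/s and bits/s, updated with an exponentially weighted mean and variance, and an alert when a one-second interval exceeds the baseline by k standard deviations and an absolute floor. The flow summaries, IP addresses and thresholds are constructed for the example.

```python
"""Traffic-flow deviation detector (added example; not Imperva's
detection engine). Runs over constructed one-second flow summaries,
keeps a per-destination exponentially weighted baseline of packets/s
and bits/s, and alerts when an interval exceeds the baseline by k
standard deviations AND an absolute floor. The floor keeps a quiet
host from alerting on a handful of extra packets; freezing the
baseline while an alert is active keeps the attack from being
learned as 'normal'.
"""
from collections import defaultdict
from dataclasses import dataclass
import math


def _ewma(mean: float, var: float, x: float, alpha: float):
    """Exponentially weighted mean and variance, incremental form."""
    diff = x - mean
    incr = alpha * diff
    return mean + incr, (1.0 - alpha) * (var + diff * incr)


@dataclass
class Baseline:
    alpha: float = 0.2
    samples: int = 0
    mean_pps: float = 0.0
    var_pps: float = 0.0
    mean_bps: float = 0.0
    var_bps: float = 0.0

    def update(self, pps: float, bps: float) -> None:
        if self.samples == 0:
            self.mean_pps, self.mean_bps = pps, bps
        else:
            self.mean_pps, self.var_pps = _ewma(self.mean_pps, self.var_pps, pps, self.alpha)
            self.mean_bps, self.var_bps = _ewma(self.mean_bps, self.var_bps, bps, self.alpha)
        self.samples += 1

    @staticmethod
    def exceeds(value: float, mean: float, var: float, k: float, floor: float) -> bool:
        # Use at least 10% of the mean as the spread so a perfectly flat
        # baseline does not produce a zero-width alert band.
        spread = max(math.sqrt(var), 0.1 * mean)
        return value > floor and value > mean + k * spread


def detect(flows, k: float = 4.0, warmup: int = 5,
           floor_pps: float = 5_000.0, floor_bps: float = 50e6):
    """flows: iterable of (second, dst_ip, packets, bytes) one-second bins."""
    baselines = defaultdict(Baseline)
    alerts = []
    for t, dst, pkts, nbytes in flows:
        pps, bps = float(pkts), float(nbytes) * 8
        b = baselines[dst]
        if b.samples >= warmup:
            reasons = []
            if b.exceeds(pps, b.mean_pps, b.var_pps, k, floor_pps):
                reasons.append("pps")
            if b.exceeds(bps, b.mean_bps, b.var_bps, k, floor_bps):
                reasons.append("bps")
            if reasons:
                alerts.append({"t": t, "dst": dst, "reasons": reasons,
                               "pps": pps, "bps": bps,
                               "baseline_pps": b.mean_pps})
                continue  # do not learn attack traffic into the baseline
        b.update(pps, bps)
    return alerts


# Constructed sample: ten quiet seconds per host, then a SYN flood on the
# web server (tiny packets, so both pps and bps jump) and a DNS query
# flood on the name server (pps jumps, bandwidth stays modest).
SAMPLE_FLOWS = []
for sec in range(1, 11):
    web_pkts = 1_000 + (sec % 5) * 10
    dns_pkts = 200 + (sec % 3) * 5
    SAMPLE_FLOWS.append((sec, "203.0.113.10", web_pkts, web_pkts * 800))
    SAMPLE_FLOWS.append((sec, "203.0.113.53", dns_pkts, dns_pkts * 90))
for sec in (11, 12):
    SAMPLE_FLOWS.append((sec, "203.0.113.10", 900_000, 900_000 * 60))
    SAMPLE_FLOWS.append((sec, "203.0.113.53", 60_000, 60_000 * 80))

if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(f"t={a['t']} dst={a['dst']} {a['reasons']} "
              f"pps={a['pps']:.0f} (baseline {a['baseline_pps']:.0f})")
```

The DNS flood in the sample trips only the packet-rate check, which is why a detector that watches bandwidth alone would miss it; the SYN flood trips both. A production system would key baselines by protocol and port as well as destination, and would feed the alert into the diversion step rather than just printing it.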
Choosing a mitigation provider
There are several key aspects you must consider when choosing a mitigation provider. These include:
Network Capacity
Network capacity remains a good way of benchmarking a DDoS mitigation service. It reflects the overall scalability available to you during an attack.
For example, a 1 Tbps (terabits per second) network can theoretically absorb up to the same volume of attack traffic, minus the bandwidth required to carry its regular traffic.
Most cloud-based mitigation services offer multi-Tbps network capacity, well beyond what any individual customer might ever require. On-premises DDoS mitigation appliances, on the other hand, are capped by default, both by the size of an organization's network pipe and by the internal hardware capacity.
Key features:
- Available bandwidth—measured in Gbps or Tbps available to protect against an attack. An attack exceeding the bandwidth of your DDoS provider saturates the provider's links and reaches your servers unfiltered.
- Deployment model—cloud-based or on-premises solution. Cloud-based solutions are elastically scalable and can defend against high-volume DDoS attacks. An on-premises appliance can only filter what your upstream link delivers, so an attack larger than that link saturates it before the appliance sees a packet.
Processing Capacity
In addition to throughput capacity, consideration should also be given to the processing capabilities of your mitigation solution. They are represented by forwarding rates, measured in Mpps (millions of packets per second).
Today it is not uncommon for attacks to peak above 50 Mpps, with some reaching 200 to 300 Mpps and more. Packet rate, not bandwidth, is what exhausts a filtering device: a 300 Mpps flood of minimum-size packets is only about 200 Gbps on the wire, far below the advertised Tbps figures. An assault exceeding your mitigation provider's processing power will topple its defenses, which is why you should inquire about this limit upfront.
Key features:
- Forwarding rate—measured in Mpps. An attack exceeding the forwarding rate of your DDoS provider will hit your servers.
- Forwarding technique—DNS or BGP routing. DNS routing is normally always-on and, as a reverse proxy for the hostname, can protect against both application-layer and network-layer attacks aimed at it. BGP routing protects every address in the announced prefixes against virtually any attack, and can either be always-on or activate on-demand.
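Network capacity and forwarding rate are two different ceilings, and the guide's point that an attack can exceed one without the other is easiest to see with numbers. The following added example (written for this guide, not a vendor tool) converts an attack profile between bits per second and packets per second using Ethernet wire overhead, then checks it against a provider's advertised limits. The provider figures and attack profiles are constructed.

```python
"""Attack-vs-capacity check (added example, not a vendor calculator).

Converts an attack profile between bits per second and packets per
second so the two limits in the guide, network capacity (bps) and
forwarding rate (pps), can be checked against each other.
"""
from dataclasses import dataclass

# Every Ethernet frame costs 8 bytes of preamble/SFD and a 12-byte
# inter-frame gap on the wire, on top of the frame itself (min 64 B
# including FCS; a bare TCP SYN is padded up to that).
ETH_OVERHEAD_BYTES = 20
MIN_FRAME_BYTES = 64


@dataclass(frozen=True)
class Provider:
    name: str
    capacity_bps: float    # advertised network capacity
    forwarding_pps: float  # advertised forwarding rate


@dataclass(frozen=True)
class Attack:
    name: str
    rate_bps: float
    frame_bytes: int  # average frame size, excluding preamble/IFG


def wire_bits_per_packet(frame_bytes: int) -> int:
    """Bits one frame consumes on the link, including preamble and IFG."""
    frame = max(frame_bytes, MIN_FRAME_BYTES)
    return (frame + ETH_OVERHEAD_BYTES) * 8


def packets_per_second(rate_bps: float, frame_bytes: int) -> float:
    return rate_bps / wire_bits_per_packet(frame_bytes)


def bits_per_second(pps: float, frame_bytes: int) -> float:
    return pps * wire_bits_per_packet(frame_bytes)


def check(provider: Provider, attack: Attack) -> dict:
    """Report which provider limit, if any, the attack exceeds."""
    pps = packets_per_second(attack.rate_bps, attack.frame_bytes)
    return {
        "pps": pps,
        "exceeds_bandwidth": attack.rate_bps > provider.capacity_bps,
        "exceeds_forwarding": pps > provider.forwarding_pps,
    }


if __name__ == "__main__":
    # Constructed provider: 1 Tbps of capacity but a 300 Mpps forwarding rate.
    p = Provider("example-scrubber", capacity_bps=1e12, forwarding_pps=300e6)
    attacks = [
        Attack("DNS amplification, 1400 B responses", 800e9, 1400),
        Attack("SYN flood, minimum-size frames", 250e9, 64),
    ]
    for a in attacks:
        r = check(p, a)
        print(f"{a.name}: {a.rate_bps/1e9:.0f} Gbps = {r['pps']/1e6:.0f} Mpps "
              f"bandwidth_ok={not r['exceeds_bandwidth']} "
              f"forwarding_ok={not r['exceeds_forwarding']}")
```

The 800 Gbps amplification attack is comfortably inside both limits (about 70 Mpps), while the 250 Gbps SYN flood, a quarter of the provider's bandwidth, is roughly 372 Mpps and exceeds the forwarding rate. Ask the provider for both numbers, and for the numbers of the scrubbing center that will actually handle your traffic, not just the network-wide aggregate.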
Latency
It is critical to understand that at some point, legitimate traffic to your website or application will pass through the DDoS provider’s network:
- If DDoS services are on demand, traffic switches over to the DDoS provider when an attack occurs
- If DDoS services are always on (which has significant advantages), all your traffic will pass through the provider’s servers
The connection between your data center and your DDoS provider must be very performant, or it can result in high latency for your users. You should evaluate:
- Which geographical points of presence (PoP) does the DDoS provider offer and how close are they to your data center(s)
- Whether your DDoS provider offers PoPs where your main customer base is located
- Whether the DDoS provider offers the most advanced routing techniques to ensure optimal connectivity with your data center and your users
The first point is the most important. Consider, for example, a company based in India working with a DDoS service that only has PoPs in Europe. Every user request has to travel to the European PoP, from there to the data center in India, back to the European PoP, and then back to the user.
This happens even when the user is in Europe. If the user, like the company in our example, is in India or another location without a PoP, the request crosses the continent twice in each direction and the added latency doubles.
Two options:
- Always on – always goes to DDoS mitigation provider
- On demand – when there is an attack
Time to Mitigation
Once an attack has been detected, time to mitigation is critical. Most assaults can take down a target in a matter of minutes and the recovery process can take hours. The negative impact of such downtime can potentially be felt by your organization for weeks and months ahead.
By providing preemptive detection, always-on solutions have a distinct advantage here. They offer near-instant mitigation—often protecting organizations from the first salvo during any assault. Look for a solution that can respond to an attack in seconds.
But not all always-on solutions offer such a response level. This is why inquiring about time to mitigation should be on your checklist when evaluating a DDoS protection provider, in addition to testing it during a service trial.
Network Layer Mitigation
Network layer DDoS attacks (OSI layers 3 and 4) are mostly volumetric in nature: they rely on very large traffic volumes, measured in bits or packets per second, that can overwhelm links and stateful devices before any application logic is reached. There are several methods DDoS providers use to mitigate network attacks. All of them share the goal of separating legitimate traffic from malicious traffic, discarding malicious packets while allowing legitimate packets to reach their destination.
Check which methods are supported by your DDoS mitigation provider:
- Null routing—null routing (a.k.a., blackholing) drops all traffic to the target by pointing its route at a discard interface. It keeps the flood from affecting neighbouring services, but it disposes of legitimate and malicious visitors alike, so for the target itself it completes the attacker's job.
- Sinkholing—this method diverts malicious traffic away from its target, usually using a list of known malicious IP addresses to identify DDoS traffic. While not as indiscriminate as null routing, sinkholing is still prone to false positives since botnet IPs can be also used by legitimate users. Moreover, sinkholing is ineffective against IP spoofing — a common feature in network layer attacks.
- Scrubbing—an improvement on indiscriminate sinkholing, scrubbing routes all ingress traffic through a security service. Malicious network packets are identified based on their header content, size, type, point of origin, etc. The challenge is to perform scrubbing at line rate without adding lag or otherwise impacting legitimate users.
- IP masking—this method prevents direct-to-IP DDoS attacks by hiding the IP of your origin server behind the provider's addresses. It only holds if the origin address is never disclosed (historical DNS records, outbound mail headers and error pages are common leaks) and the origin accepts traffic solely from the provider's address ranges.
Application Layer Mitigation
Application layer (OSI layer 7) DDoS attacks are much stealthier than their network layer counterparts, typically mimicking legitimate user traffic to evade security measures. To stop them, your solution should have the ability to profile incoming HTTP/S traffic, distinguishing between DDoS bots and legitimate visitors.
Key features:
- Multiple inspection methods to identify legitimate traffic—the service should check IP and Autonomous System Number (ASN), provide cross-inspection of HTTP/S header content, and inspect behavioral patterns, to see if each session is a legitimate user session or part of a DDoS attack.
- Multiple challenges—many security services use challenges to test if traffic is malicious or legitimate, such as testing each request for its ability to parse JavaScript and hold cookies. Ensure the service doesn’t overuse CAPTCHAs, “delay pages” and other filtering methods that can annoy legitimate visitors and hurt website engagement.
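The "ability to hold cookies" challenge is worth seeing end to end, because a naive version (any cookie will do) is trivially passed by a bot. The following added example (written for this guide, not Imperva's implementation) models the edge side of that check: on first contact the client is sent a challenge that sets a cookie; the cookie value is an expiry plus an HMAC over the client IP and the expiry, so it cannot be minted, replayed from another address, or used past its lifetime, and clients that keep presenting bad cookies are blocked. The secret, IP addresses and timestamps are placeholders.

```python
"""Signed challenge cookie for layer-7 bot filtering (added example;
not Imperva's implementation). Models the guide's 'can the client hold
a cookie?' test: the edge answers a first request with a challenge that
sets a cookie; the cookie is '<expiry>.<mac>' with the MAC computed
over (client IP, expiry), so a bot cannot forge one, reuse one from
another address, or keep using a stale one. SECRET is a placeholder;
a real edge rotates it and loads it from a key store.
"""
import hashlib
import hmac
from typing import Optional

SECRET = b"hypothetical-edge-key-rotate-me"
DEFAULT_TTL = 600  # seconds a passed challenge stays valid


def _mac(ip: str, exp: int, secret: bytes) -> str:
    msg = f"{ip}|{exp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def issue(ip: str, now: float, ttl: int = DEFAULT_TTL, secret: bytes = SECRET) -> str:
    """Cookie value set by the challenge page."""
    exp = int(now) + ttl
    return f"{exp}.{_mac(ip, exp, secret)}"


def verify(ip: str, token: str, now: float, secret: bytes = SECRET) -> bool:
    """True only for an unexpired token whose MAC matches this client IP."""
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    if exp <= int(now):
        return False
    # compare_digest avoids leaking the MAC through timing differences.
    return hmac.compare_digest(mac, _mac(ip, exp, secret))


class Edge:
    """Per-request decision: 'pass', 'challenge' (serve the JS/cookie page) or 'block'."""

    def __init__(self, secret: bytes = SECRET, max_failures: int = 3):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = {}  # client IP -> count of invalid cookies presented

    def handle(self, ip: str, cookie: Optional[str], now: float) -> str:
        if self.failures.get(ip, 0) >= self.max_failures:
            return "block"
        if cookie is None:
            return "challenge"  # first visit: set the cookie and retry
        if verify(ip, cookie, now, self.secret):
            self.failures.pop(ip, None)
            return "pass"
        # A presented-but-invalid cookie is evidence of forgery or replay,
        # which a browser that simply lost its cookie would not produce.
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return "block" if self.failures[ip] >= self.max_failures else "challenge"


if __name__ == "__main__":
    edge = Edge()
    ip, t0 = "198.51.100.7", 1_700_000_000
    print(edge.handle(ip, None, t0))                     # challenge
    cookie = issue(ip, t0)
    print(edge.handle(ip, cookie, t0 + 5))               # pass
    print(edge.handle("198.51.100.8", cookie, t0 + 5))   # challenge (wrong IP)
    print(edge.handle(ip, cookie, t0 + DEFAULT_TTL + 1))  # challenge (expired)
```

Two design notes. Binding the token to the client IP is what stops replay across a botnet, but it also re-challenges legitimate users whose address changes mid-session (carrier-grade NAT, mobile roaming); deployments that see a lot of that bind to a coarser key and lean harder on expiry and per-session rate limits. And a headless browser passes this test, which is why the guide lists it as one of several inspection methods rather than the whole answer.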
Protection of Secondary Assets
Your network infrastructure likely comprises a number of servers and other IT assets. These may include web servers, DNS servers, email servers, FTP servers and backoffice CRM or ERP platforms. In a DDoS attack scenario, they might also be targeted by a perpetrator, causing downtime or otherwise paralyzing your business.
Assess your entire network infrastructure risk and determine which components need to be protected. At a minimum, bear in mind that your DNS service is one of the most common attack targets and is usually a single point of failure: if the name servers stop answering, every service behind them is unreachable no matter how well those services are protected.
Key features:
- DNS name server protection—protecting against DNS flood and other DDoS techniques aimed at crashing or disrupting DNS name servers.
- Application protection—protection of common applications like email, FTP, CRM, ERP.
Protection of Individual IPs
Traditionally, cloud-based DDoS protection services were only able to protect entire IP ranges. It was difficult to extend this protection to specific cloud environments and assets, down to the level of individual IP addresses.
Advanced DDoS services offer protection for individual IPs, allowing you to register a public IP or domain name, add the DDoS service to your DNS configuration, and enable immediate protection of that specific IP.
Pricing and SLA
Pricing for DDoS mitigation services ranges from pay-as-you-go to flat monthly fees:
- Pure “pay as you go” pricing – this can be attractive because it costs nothing if you aren’t attacked. But if an attack happens, you can incur major expenses for the cloud resources used to mitigate the attack. You may need to request a refund for those resources, and it’s important to understand in advance under which circumstances a refund will be provided.
- Pay as you go based on attack volume – pricing based on cumulative attack bandwidth (e.g., 50 Gbps/month) or cumulative number of hours under attack (e.g., 12 hours/month). Since a DDoS assault can last several hours or days (and sometimes weeks), such costs can quickly get out of hand.
- Service-based pricing – some enterprise offerings include a base price for DDoS protection, with special pricing for services like implementation, provisioning, etc. While these services can be valuable for your organization, be aware that they are part of the cost of your DDoS mitigation solution, and should be factored into your Total Cost of Ownership.
- Simple flat monthly fee – this is the preferred option for long-term agreements. Make sure the flat fee includes full coverage for all relevant attacks.
Other factors to consider when comparing prices:
- Different providers have different capacities in different scrubbing centers. The aggregate capacity across all scrubbing centers may say little about the capacity of the center that will actually absorb your attack, the one nearest your data center, so ask for that figure specifically.
- The mitigation provider’s service level agreement (SLA) is another important consideration—sometimes more so than the price.
Key pricing features:
- Uptime guarantee—five nines (99.999%) represents the best case, about five minutes of downtime per year. Anything below three nines (99.9%, close to nine hours per year) is unacceptable.
- Protection levels—as described herein, the provider’s SLA should define attack types, size and duration that it covers.
- Support service level—the SLA should spell out the provider’s response times for support issues. These are usually defined based on problem severity levels.
Support
Even if your DDoS service is fully automated, which is preferred because it allows fast response to an attack, make sure your provider offers professional support services. When an attack happens, you may need to talk to your provider to understand what is happening and resolve critical issues affecting your legitimate traffic.
Ensure your DDoS mitigation service operates a Security Operations Center (SOC) with security specialists available on call 24x7x365 for emergency assistance.
Generalist or Specialist
A diverse range of technologies, services and providers comprise the DDoS mitigation market.
Specialty companies having a security focus provide more advanced solutions—typically with experts dedicated to ongoing security research and round-the-clock monitoring of new attack vectors.
Generalists, such as ISPs and hosting providers, offer basic mitigation solutions as an “add-on” to their core services, with the aim of upselling them to existing customers.
Mitigation services offered by generalists may be adequate for small, simple attacks. But if your online applications are essential to day-to-day business operations, a specialist DDoS protection provider is the best and lowest risk choice for your organization.
At the same time, when selecting a security vendor, you should consider their additional security offerings. A well-rounded provider will offer, in addition to DDoS mitigation, other security solutions such as application security, data security, and network protection. Prefer a DDoS product that comes integrated with additional security features, giving your organization a well-rounded security solution.