Recently, Neustar, a provider of real-time information services, released the findings from its fourth annual Worldwide DDoS Attacks and Cyber Insights Research Report. The report documents the frequency and cost of attacks and what measures are being taken to counter these threats. Among the trends it reports:
- 45% of DDoS attacks were more than 10 gigabits per second (Gbps); and, 15% of attacks were at least 50 Gbps, almost double the number reported last year.
- 849 out of 1,010 organizations were attacked, with no particular industry spared, an increase of 15% since 2016. 727 – 86% of those attacked – were hit more than once.
- 40% of respondents reported receiving attack alerts from customers, up from 29% in 2016.
This is scary stuff. Companies must immediately purchase more DDoS protection services, expand their data center bandwidth, and all will be well. Right? Perhaps. Let’s step beyond the hype and examine the true business implications.
Clearly, there’s an explosion in the use of Internet of Things (IoT) devices, many of which are insecure and can be exploited by attackers. They can then be used as DDoS zombies. This has already happened in one significant case, the DDoS attack on Dyn.
So, what should a company do? It should follow a risk-based methodology: estimate the cost of the risk, and weigh it against the cost and benefit of each way of addressing that risk. Let’s see how one might do that:
Are you a company that does business world-wide or in a more geographically limited area? If the latter, you might consider blocking access from systems outside that area. It reduces the attack surface significantly. The thoughtful reader may point to IP spoofing (a good point), but this then forces the attacker to tune their attacks to generate only IP addresses from your area of business.
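To make the geographic allow-list concrete, here is an added example (not code from the original post) that classifies constructed access-log lines against a constructed set of "in-region" address ranges. The ranges are documentation/test prefixes standing in for whatever a real deployment would take from a geo-IP database or regional registry allocations; the log lines and the `filter_log` helper are likewise constructed for this walk-through. Note the caveat from the paragraph above: a spoofed source inside the allowed ranges still passes, so this narrows the attack surface rather than closing it.

```python
import ipaddress
from collections import Counter

# Constructed allow-list standing in for "the region we do business in".
# Real deployments derive these from a geo-IP database or registry data.
REGION_ALLOW = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",    # TEST-NET-3, constructed in-region IPv4 block
    "198.51.100.0/25",   # lower half of TEST-NET-2, constructed in-region block
    "2001:db8:10::/48",  # documentation prefix, constructed in-region IPv6 block
)]

# Constructed access-log lines: "<source ip> <method> <path>".
SAMPLE_LOG = """\
203.0.113.45 GET /login
198.51.100.200 GET /
192.0.2.7 GET /api/search
203.0.113.9 POST /checkout
2001:db8:10::1f GET /
2001:db8:99::2 GET /
192.0.2.7 GET /api/search
"""


def in_region(addr: str) -> bool:
    """True if the source address falls inside any allowed range.

    ipaddress treats a v4 address as not contained in a v6 network and
    vice versa, so mixed-family ranges in REGION_ALLOW are safe.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in REGION_ALLOW)


def filter_log(log_text: str) -> dict:
    """Split log lines into allowed and dropped; count drops per source."""
    allowed, dropped = [], []
    drop_count = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _, _request = line.partition(" ")
        try:
            ok = in_region(src)
        except ValueError:
            ok = False  # unparseable source field: treat as out of region
        if ok:
            allowed.append(line)
        else:
            dropped.append(line)
            drop_count[src] += 1
    return {
        "allowed": allowed,
        "dropped": dropped,
        "dropped_by_source": dict(drop_count),
    }


if __name__ == "__main__":
    result = filter_log(SAMPLE_LOG)
    print(f"allowed {len(result['allowed'])}, dropped {len(result['dropped'])}")
    for src, n in result["dropped_by_source"].items():
        print(f"  dropped {n} request(s) from {src}")
```

Running it keeps the three in-region requests and drops the four others, including both hits from `192.0.2.7`; the per-source drop counts are the kind of signal worth feeding back into the threshold review discussed further down.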
What is the actual cost to your business during a DDoS attack? Is it services deferred or services diverted? That is, are you in a market position where people will come back later to use the services? Or will they simply go elsewhere? If you’re in the former position, the “cost” of a DDoS attack is significantly lower than in the latter case.
Be wary of the “reputational harm” hype. It is hard to quantify. Take some time to understand what it means to you. For instance, if you’re a gaming site and you’re hit by DDoS attacks, it could mean the end of your business. If you’re a niche site that caters to ham radio operators in Austria, perhaps not so much.
Be cautious of vendors who say the correct answer is to expand your DDoS protection services. That may not be the right answer. Determined attackers clearly have the ability to point more IoT devices at you than most reasonable DDoS protection services can handle. But that’s the corner case. Try to estimate what your “average” case DDoS is, what the worst case is, and the costs of each. You don’t always have to prepare for (and pay for!) the worst case.
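The "deferred versus diverted" distinction and the "average versus worst case" comparison above can be carried through as a small annualized-loss calculation. The following is an added example, not part of the original post: the scenario figures (attack frequency, hours down, the fraction of affected customers who are diverted rather than deferred, incident handling cost), the hourly revenue and the three mitigation options with their fees and residual downtime are all constructed placeholders. The shape of the calculation, not the numbers, is the point: only diverted customers count as lost revenue, and each option is judged on fee plus residual loss across every scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One kind of attack, with how often it is expected and what it does."""
    name: str
    attacks_per_year: float  # expected frequency of this scenario
    hours_down: float        # outage length per attack with the current setup
    diverted: float          # fraction of affected customers who go elsewhere
    response_cost: float     # fixed incident-handling cost per attack


@dataclass(frozen=True)
class Option:
    """A mitigation choice: what it costs and how much outage it leaves."""
    name: str
    annual_fee: float
    residual_downtime: float  # fraction of the unmitigated outage that remains


# Constructed placeholder figures for the walk-through.
REVENUE_PER_HOUR = 2_000.0

SCENARIOS = [
    Scenario("average", attacks_per_year=6.0, hours_down=2.0,
             diverted=0.3, response_cost=1_500.0),
    Scenario("worst", attacks_per_year=0.5, hours_down=24.0,
             diverted=0.6, response_cost=10_000.0),
]

OPTIONS = [
    Option("current setup", annual_fee=0.0, residual_downtime=1.0),
    Option("tune existing service", annual_fee=5_000.0, residual_downtime=0.5),
    Option("premium scrubbing tier", annual_fee=60_000.0, residual_downtime=0.1),
]


def incident_cost(s: Scenario, revenue_per_hour: float, residual: float = 1.0) -> float:
    """Cost of one attack: revenue lost to diverted customers plus handling cost.

    Deferred customers return later, so only the diverted fraction is a loss.
    """
    hours = s.hours_down * residual
    lost_revenue = hours * revenue_per_hour * s.diverted
    return lost_revenue + s.response_cost


def annual_loss(scenarios, option: Option, revenue_per_hour: float) -> float:
    """Fee for the option plus expected residual loss over all scenarios."""
    residual = sum(
        s.attacks_per_year * incident_cost(s, revenue_per_hour, option.residual_downtime)
        for s in scenarios
    )
    return option.annual_fee + residual


def cheapest_option(scenarios, options, revenue_per_hour: float) -> str:
    """Name of the option with the lowest fee-plus-residual-loss total."""
    return min(options, key=lambda o: annual_loss(scenarios, o, revenue_per_hour)).name


if __name__ == "__main__":
    for opt in OPTIONS:
        print(f"{opt.name:24s} {annual_loss(SCENARIOS, opt, REVENUE_PER_HOUR):>10,.0f}")
    print("cheapest:", cheapest_option(SCENARIOS, OPTIONS, REVENUE_PER_HOUR))
```

With these placeholder figures the current setup carries about 35,600 a year in expected loss, tuning the existing service brings that to about 29,800 including its fee, and the premium tier costs more than it saves. Swap in your own frequencies, outage lengths and diverted fractions; the comparison is only as good as those estimates, which is exactly why the paragraph above asks you to make them.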
It’s not always the volume of a DDoS attack that’s a concern. It’s the type of DDoS. Before you make investments, see if you are at risk from just a flood of DDoS traffic or from the newer short-burst DDoS attacks. If the latter, you don’t need to worry as much about purchasing additional services; instead, tune your existing services more sharply.
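Telling a sustained flood from a short-burst pattern is something you can do from your own traffic counters before talking to a vendor. The example below is added here and is not code from the original post: it classifies constructed per-second request-count series (a sustained flood, a run of short bursts, and quiet traffic) by finding runs of seconds above a multiple of the warm-up baseline and looking at how long and how many those runs are. The `warmup`, `factor`, `sustained_secs`, `burst_max_secs` and `min_bursts` parameters are constructed defaults; they are precisely the thresholds you would tune for your own service rather than accept blindly.

```python
from statistics import median

# Constructed per-second request counts; a real feed would come from a
# load balancer, flow collector or edge rate counters.
FLOOD = [100] * 10 + [5000] * 30 + [100] * 5            # one 30 s sustained spike
BURSTS = [100] * 10 + ([4000] * 3 + [100] * 12) * 4 + [100] * 5  # 3 s bursts every 15 s
QUIET = [100, 120, 90, 110, 100] * 6                     # ordinary jitter only


def over_threshold_runs(samples, baseline, factor):
    """Return (start_index, length) for each maximal run above factor * baseline."""
    limit = baseline * factor
    runs, start = [], None
    for i, value in enumerate(samples):
        if value > limit and start is None:
            start = i
        elif value <= limit and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:  # series ended while still above the limit
        runs.append((start, len(samples) - start))
    return runs


def classify(samples, warmup=10, factor=5.0, sustained_secs=20,
             burst_max_secs=5, min_bursts=3):
    """Label a series as normal, volumetric flood, short-burst or anomalous.

    baseline     median of the first `warmup` seconds
    factor       how many times the baseline counts as "over threshold"
    sustained    a single run at least this long is treated as a flood
    bursts       at least `min_bursts` runs no longer than `burst_max_secs`
                 are treated as a short-burst pattern
    """
    baseline = median(samples[:warmup])
    runs = over_threshold_runs(samples, baseline, factor)
    if not runs:
        label = "normal"
    else:
        longest = max(length for _, length in runs)
        short_runs = [r for r in runs if r[1] <= burst_max_secs]
        if longest >= sustained_secs:
            label = "volumetric flood"
        elif len(short_runs) >= min_bursts:
            label = "short-burst"
        else:
            label = "anomalous"
    return {"label": label, "baseline": baseline, "runs": runs}


if __name__ == "__main__":
    for name, series in (("FLOOD", FLOOD), ("BURSTS", BURSTS), ("QUIET", QUIET)):
        verdict = classify(series)
        print(f"{name:7s} baseline={verdict['baseline']:>5} "
              f"runs={verdict['runs']} -> {verdict['label']}")
```

The flood series yields one 30-second run and is labelled a volumetric flood; the burst series yields four 3-second runs and is labelled short-burst; the quiet series has no runs. A short-burst verdict is the case where sharper tuning of what you already have (shorter detection windows, lower per-source rate limits) is the investment to look at first.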
How about cyber-insurance? Are you covered for certain (which?) costs of a DDoS attack? What premiums do you have to pay? What benefits do you receive on the first attack and subsequent attacks? Carefully analyze this as you would personal car insurance, if not more so.
Once you have performed your risk/reward analysis, you can decide how to proceed from a technology / services perspective. But the job isn’t done yet. DDoS protection isn’t a “buy it and forget it” proposition. There are other controls you need to ensure you have in place and test, such as:
- What thresholds will you have on your service? Will you accept the defaults or does your company have special needs? Also, will you tune them before and after important product releases?
- What is your fallback plan? You must prepare for the service to fail. Do you have a secondary, lesser-functionality infrastructure you can use? Is it tested? For how long can you use it?
- Do you have an incident response plan? Does it cover internal communication protocols (phone lines within your enterprise may be down), establishment of an incident response team, dealings with the press, regulators, customers and consumers, and crisis response? There’s no point having a DDoS mitigation service if, in the heat of the moment, nobody knows who makes critical decisions.
- Do you stress test your controls and processes, whether with tabletop exercises or live-fire tests, to ensure that you are truly prepared for an incident?
To conclude, protecting against DDoS attacks isn’t as simple as purchasing DDoS mitigation services, or expanding their use. It’s a careful, thoughtful assessment of your corporate risk, an analysis of all your technology and administrative controls, the careful procurement of appropriate mitigation services, and rock-solid processes to support them. Don’t let anyone tell you otherwise.