Despite increased spend, why doesn't DDoS mitigation always work?
Newly published research suggests that while there has been a marked increase in spending to mitigate against Distributed Denial of Service (DDoS) attacks, organisations are still falling victim. 

The 'DDoS 2017 Report: Dangerous Overconfidence', published today by CDNetworks, reveals that spending on DDoS mitigation in the UK has increased over the last year. Indeed, it says that the average annual spend is now £24,200 and 20 percent of businesses are investing more than £40,000 per year.

While 83 percent of businesses were confident of their resilience against this business continuity threat, more than half (54 percent) still fell victim, despite the greater investment, to a successful DDoS attack during the last 12 months that took their website, network or online app down.

According to Kaspersky Lab's Global IT Security Risks Survey 2017, some 33 percent of organisations have experienced an attack this year, twice the number in 2016. While 20 percent were small businesses, 41 percent were enterprises.

Then there's the Neustar Global DDoS Attacks and Cyber Security Insights report which revealed 92 percent of those attacked reported theft of intellectual property, customer data or financial assets; and 36 percent saw malware activation happening during the DDoS attack.

Research by the Imperva Incapsula security team suggests that attack patterns are changing, with high packet rate attacks becoming the norm. An A10 Networks report confirms this, finding that attacks greater than 50Gbps have quadrupled over the past two years, and that the number of companies experiencing between 6 and 25 attacks per year has also quadrupled in that timeframe.

Given the growing threat, you only have to look at some of the recent victims, such as The National Lottery and Blizzard Entertainment, to realise that DDoS mitigation isn't always working.

SC Media UK put the 'why does DDoS mitigation fail' question to several vendors providing this type of service. But first, we spoke to Alex Nam, managing director of CDNetworks (US & EMEA), who told us there are various reasons, including that some forms of DDoS mitigation don't protect against all forms of attack. "A layer 7 DDoS attack, which impacts applications and the end-user," Nam explained, "can only be protected against using web application firewall technology for example." So not understanding the different types of attack, or the types of technology that can protect against each, is a reason why DDoS mitigation often fails, according to Nam.

Rich Groves, the A10 director of research and development, thinks that the question would be better phrased as 'what causes DDoS solutions to fail in certain instances?' as he insists "otherwise it implies DDoS solutions are failing across the board, which isn't the case." 

Kirill Kasavchenko, principal security technologist (EMEA) at Arbor Network, also thinks that there is an important distinction to be made between whether DDoS mitigation fails or the approach to it does. "As the headlines became more dramatic, more vendors have rushed to claim they have a solution for the DDoS problem," Kasavchenko explains, "this has caused much confusion in the market." So, for example, elements of a layered security strategy such as IPS devices and firewalls address network integrity and confidentiality but not availability. They are stateful, inline solutions that not only "are vulnerable to DDoS attacks" but "often become the targets themselves." Indeed, Arbor's annual security report shows 40 percent of respondents seeing firewalls fail as a direct result of a DDoS attack.

Meanwhile, Ben Herzberg, security research group manager at Imperva, told SC Media that attackers are "changing tactics rapidly specifically to defeat anti-DDoS solutions, such as hit-and-run and pulse wave attacks" which should come as no great surprise to anyone. James Willett, SVP of products at Neustar, explained that attackers "routinely scout and reconnoitre their targets launching throttled attacks to identify defence response, defence tactics, and defence capacity." Once known, the proper types and sizes of attacks can be readily crafted to overwhelm unsuspecting organisations that lack effective cloud-based mitigation depth.
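Two of the points above are easier to see in a model than in prose: Kasavchenko's observation that a stateful inline device (firewall, IPS) becomes a DDoS target because its connection table has a fixed capacity, and Herzberg's point that pulse-wave attacks are shaped to slip past mitigation that reacts slowly. The following is an added example written for this article, not code from any of the vendors quoted; every traffic figure in it (50 genuine connections per second, 10-second bursts every minute, a 20,000-slot table with a 30-second entry lifetime) is a constructed assumption chosen to make the simulation deterministic. It feeds the same per-second stream to a toy connection table and to two rate detectors, one averaging over a minute and one over five seconds, and reports who was refused and which detector noticed.

```python
"""Toy model of two DDoS mitigation failure modes (constructed example).

1. A stateful inline device keeps a fixed-size connection table. A short
   burst of bogus connection attempts fills it, and genuine users keep being
   refused until the bogus entries time out, i.e. well after the burst ends.
2. A detector that averages new-connection rate over a long window never
   sees a pulse-wave burst; a short sliding window does.
"""
from collections import deque

# Constructed simulation parameters (assumptions, not figures from the report).
SIM_SECONDS = 180
LEGIT_PER_SEC = 50        # genuine new connections per second
PULSE_PERIOD = 60         # a pulse-wave burst starts every 60 s
PULSE_LEN = 10            # each burst lasts 10 s
ATTACK_PER_SEC = 5000     # bogus connection attempts per second during a burst
TABLE_CAPACITY = 20000    # connection-table slots on the inline device
ENTRY_TTL = 30            # seconds a half-open entry occupies a slot
RATE_THRESHOLD = 1500.0   # alert when mean new connections/s exceeds this


def in_pulse(t):
    """True if second t falls inside an attack burst."""
    return t % PULSE_PERIOD < PULSE_LEN


class StatefulDevice:
    """Minimal model of a firewall/IPS connection table: every new attempt
    occupies a slot until it expires; when the table is full, new attempts
    are refused regardless of whether they are genuine."""

    def __init__(self, capacity, ttl):
        self.capacity = capacity
        self.ttl = ttl
        self.table = {}           # entry key -> second at which it expires
        self.served = 0           # genuine connections admitted
        self.refused = 0          # genuine connections turned away

    def tick(self, now, attempts):
        # Expire entries whose lifetime has elapsed.
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]
        # Attempts arrive in order; attack traffic at line rate comes first.
        for key, legit in attempts:
            if len(self.table) >= self.capacity:
                if legit:
                    self.refused += 1
                continue
            self.table[key] = now + self.ttl
            if legit:
                self.served += 1


class WindowDetector:
    """Flags second t when the mean new-connection rate over the last
    `window` seconds exceeds `threshold`; evaluates only on a full window."""

    def __init__(self, window, threshold):
        self.values = deque(maxlen=window)
        self.threshold = threshold
        self.alerts = []          # seconds at which an alert was raised

    def observe(self, t, rate):
        self.values.append(rate)
        if len(self.values) == self.values.maxlen:
            if sum(self.values) / len(self.values) > self.threshold:
                self.alerts.append(t)


def simulate():
    """Run the constructed traffic through the device and both detectors."""
    device = StatefulDevice(TABLE_CAPACITY, ENTRY_TTL)
    slow = WindowDetector(60, RATE_THRESHOLD)   # one-minute average
    fast = WindowDetector(5, RATE_THRESHOLD)    # five-second average
    for t in range(SIM_SECONDS):
        attempts = []
        if in_pulse(t):
            attempts += [(("atk", t, i), False) for i in range(ATTACK_PER_SEC)]
        attempts += [(("legit", t, i), True) for i in range(LEGIT_PER_SEC)]
        device.tick(t, attempts)
        rate = len(attempts)      # what a flow monitor would count this second
        slow.observe(t, rate)
        fast.observe(t, rate)
    return {
        "legit_served": device.served,
        "legit_refused": device.refused,
        "slow_alerts": slow.alerts,
        "fast_alerts": fast.alerts,
    }


if __name__ == "__main__":
    r = simulate()
    print(f"genuine connections served {r['legit_served']}, refused {r['legit_refused']}")
    print(f"60 s average detector alerted {len(r['slow_alerts'])} times")
    print(f"5 s average detector alerted {len(r['fast_alerts'])} times, "
          f"first at t={r['fast_alerts'][0] if r['fast_alerts'] else None}")
```

Two things in the result are worth noting. The first burst fills the table in about three seconds, and genuine users go on being refused for a further twenty seconds after the burst stops, because the bogus entries sit in the table until their 30-second lifetime ends; that is the "firewalls fail as a direct result" outcome in Arbor's figures, and it shows why an inline stateful box protects integrity but not availability. The one-minute detector never fires at all, since ten seconds of flood averaged over sixty seconds stays under its threshold, whereas the five-second detector fires four seconds into the first burst; any mitigation whose trigger is a slow moving average is exactly what a pulse-wave pattern is shaped to defeat.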

So what should enterprises be doing to ensure that spending on DDoS mitigation is invested wisely?

"If they haven't already, they should consider a cloud-based DDoS mitigation service that automatically routes traffic through the service and only delivers clean traffic," Ben Herzberg insists, adding "these services are supported by dedicated security staff that track attack patterns on a daily basis and can quickly react to changing attack patterns."

James Willett suggests they need to understand that not all clouds are managed the same. "Organisations can ensure proper investments that reduce impact and minimise disruption risk," he told SC, "by pressing security providers on their management of good and bad traffic." Rich Groves agrees that the focus "should be on vendor performance and solution effectiveness rather than on any particular feature set." In other words, buy the highest-performing DDoS detection and mitigation available at the best price, judged on its ability to identify attack traffic and eliminate it.

But perhaps Kasavchenko has the most straightforward advice of all: "The number one thing to do is work with a DDoS mitigation vendor. Vendors who treat DDoS as an add-on are likely to have very limited capabilities..."