Search blog for

Why DDoSers Have Their Eyes on SaaS, and What You Can Do About It

In recent years Software as a Service (SaaS) emerged as one of the most targeted online industries. This isn’t particularly surprising as, for several key reasons, SaaS companies are especially vulnerable to DDoS attacks.

In this post we’ll talk about:

  • What makes SaaS companies so attractive to perpetrators
  • What are the typical DDoS threats SaaS companies have to face
  • Basic steps SaaS companies should take to minimize the threat

Free Download >> Incapsula’s Guide to Protecting SaaS Apps from DDoS Attacks


Whack-a-SaaS to Win Instant Internet Notoriety

The reason SaaS companies are attractive targets to DDoS attackers is simple: service availability is a critical part of their business model.

Simply put, if a service is unavailable, SaaS customers are not getting their money’s worth, while still paying a retainer fee for the product.

In such situations customers are much more likely to become dissatisfied, to a point where they decide to take their business elsewhere, severely impacting the SaaS company’s revenues and reputation.

Going offline is bad for any organization, but for a SaaS company, its entire business can quickly be in jeopardy.

Perpetrators are often aware of these sensitivities and therefore are more likely to exploit this weakness- especially if they’re motivated by money.

They assume that SaaS companies can’t afford downtime that might stretch out for days; that it would be cheaper to pay a ransom demand and end the attack.

Another reason miscreants go after SaaS outfits is to make headlines. When a large one gets knocked offline- leaving thousands of customers without access to key products- it’s often reported by tech sites with global readership, such as TechCrunch , Mashable or CNET.

A high-profile attack like that is a shortcut to instant notoriety’s way to gain respect of their hacker community peers, generate buzz on social media and further publicize their name (e.g., Lizard Squad).

A series of attacks on SaaS companies.

Common Threats: Layer 7 and DNS DDoS Attacks

Broadly speaking, DDoS attacks can be categorized into two types: application layer (OSI layer 7) and network layer (OSI layer 3-4) attacks.

The former are typically volumetric threats that target the server infrastructure, aiming to clog the network pipes (e.g., SNMP amplification attack). The latter are stealthy attacks, executed by malicious bots that target the application itself (e.g. ,HTTP flood).

While both threats have the ability to knock a SaaS company offline, application layer attacks are usually a bigger threat. This is because SaaS applications are generally much more complex than regular websites, as well as the fact that some of them are using OS applications with known vulnerabilities.

Among the most common SaaS platform threats are DNS floods—a layer 7 DDoS assault directed at name servers, typically one of the weakest SaaS infrastructure links.

Because they often reside outside of the core infrastructure, name servers often aren’t covered by the same security measures as their web application offerings, resulting in easier targets to penetrate.

Moreover, DNS floods don’t require a full three-way handshake, so attackers can use spoofed IPs to circumvent common defense measures (if they even exist).

Mitigating a massive DNS flood, peaking at over 25Mpps

Mitigating a massive DNS flood, peaking at over 25Mpps (million packets per second)

How SaaS Companies Can Protect Themselves

With an average DDoS attack cost reaching $40,000/hour, not including indirect costs such as damage to reputation and customer satisfaction, SaaS companies can’t afford to not implement DDoS mitigation solutions.

The first precautionary step you should take is to create a DDoS response plan to help you do the following:

  • Designate your company’s DDoS response team
  • Identify mitigation tools and resources at your disposal
  • Put down on paper basic “under attack” procedures
  • Identify potential weak spots and single points of failure
  • Strategize with your ISP to see what kind of protection it can offer
  • Create a routine to test your company’s readiness

Having said that, the DIY approach will only take you so far. Ultimately, what you`ll really need to do is implement a dedicated DDoS protection solution, which can identify and counter the threat.

Broadly speaking, the effectiveness of anti-DDoS solutions relies on three key criteria:

  1. Time it takes to identify and respond to the threat, which is absolutely crucial in the case of DDoS attacks, where each second passed plays to the perpetrators’ advantage.
  2. The ability to counter the threat, which often relates to the scalability factor (for layer 3-4 attacks) and the effectiveness of bot filtering measures (for layer 7 attacks).
  3. Its ability to minimize false positives, by accurately filtering legitimate traffic from malicious traffic. Having a high false positive ratio means that, while countering the attack, you’re also denying access to a significant percentage of your human visitors. If this is the case, even as you protect yourself, you’re still allowing the perpetrators to partially achieve their goal – trading “denial of service” for a “disturbance of service.”

Further Reading: Incapsula Guide to Protecting SaaS Apps from DDoS Attacks

Incapsula’s Guide to Protecting SaaS Apps from DDoS Attacks is filled with useful information to help SaaS companies understand exactly where they’re vulnerable to DDoS attacks, as well as recommending what they can do to integrate DDoS mitigation with existing business strategy. Download your free copy today, and contact us any time you have additional questions.