WP The pitfalls of relying only on your ISP for DDoS protection | Imperva

The pitfalls of relying only on your ISP for DDoS protection

The pitfalls of relying only on your ISP for DDoS protection

Relying on your Internet Service Provider (ISP) for DDoS protection is like going to a restaurant known for the freshest, tastiest seafood and ordering beef. Sure, they have it on the menu and they are happy to sell it to you, but the experience is not likely to compare well to what you’d have in a fine steak house.

To be sure, ISPs have good reason to provide their users with DDoS protection services. ISPs with a better track record of mitigating DDoS attacks enjoy a better reputation for security, which improves sales and allows them to charge more. They can then use their increased earnings to invest in better DDoS solutions. The cycle reinforces itself.

This is a simplified version of how things should go. Reality is often vastly different. ISPs are rarely able to provide best-in-class security to their users. As I said, while DDoS protection is an important value-add for ISP providers, cybersecurity is not their core expertise. This leads to understandable compromises that impact the quality of the security they can offer.

The 2021 DDoS Threat Landscape Report shows attacks are constantly evolving in size, volume, frequency, and complexity. What doesn’t change is the attackers’ focus: the infrastructure their targets depend on most. That could be customer-facing applications, cloud services, network infrastructure, or an ISP itself. As organizations continue to pursue digital transformation, the technologies that drive this – cloud services, mobile networks, and IoT devices – are becoming targets for DDoS attacks. New vectors are being weaponized all the time, and ISPs are finding it difficult to stay on top of an ever-changing threat landscape.

In this post, we’ll examine the growing complexity and volume of the DDoS landscape, and explain why organizations should think critically about augmenting the DDoS protection provided by their ISP with technology that secures all assets at the edge and ensures uninterrupted business operations.

All DDoS attacks are not created equal

What if every cyberattacker in the world shared a single DDoS attack strategy and never changed their plan? In this scenario, it would be easy to provide a single DDoS mitigation solution that would be enough to guarantee users’ protection. In the real world, there are many different DDoS attack approaches, types, and motivations. The cybercriminals who perpetrate these attacks span the range from opportunistic vandals to sophisticated state-sponsored professionals using state-of-the-art equipment. The difference between an ISP-based solution and a specialized cloud-based solution is similar to the difference between a simple home burglar alarm and a professionally installed home security system that calls 911 for you the moment it detects an intruder. Choosing a purpose-built, cloud-based DDoS protection system allows users to enjoy protection from the largest and most sophisticated cyberattacks. Often the ISPs themselves are vulnerable to the very attacks they are supposed to mitigate.

Large-volume DDoS attacks can overwhelm on-premises mitigation solutions

Most current DDoS attack mitigation solutions offered by ISPs monitor and analyze traffic for signs of DDoS activity, carried out at a single link connecting the victim and its ISP. In a small to medium-sized attack scenario, this might be sufficient. In the event of a more complex attack, the “single-point” mitigation approach creates a bottleneck, allowing cybercriminals to surpass the memory and computational power of the DDoS mitigation solution.

Most ISPs are not able to equitably distribute these attacks across multiple points of presence within their network, making it difficult to defend against the largest attacks. As the complexity and volume of the DDoS landscape grows, attacks quickly outstrip a single-point on-premises DDoS mitigation solution to thwart an attack.

ISPs struggle to offer the same results as cloud-native solutions

Many ISP providers offer a “clean pipe” solution that blocks volumetric attack traffic before it enters the organization’s network. The effectiveness of this system is highly dependent on the location of the on-premises server doing the scrubbing.

Relying solely on an on-premises solution at the ISP level limits the physical location of the scrubbing center to the data centers that are already part of the ISPs infrastructure. Setting up a global content delivery network (CDN) for best-in-class DDoS mitigation is not viable for an ISP whose core value is delivering fast Internet connections to its users.

DDoS mitigation is not their core competency

Organizations can become the victims of collateral damage when ISPs fail to respond effectively to massive DDoS attacks. Even if the ISP’s solution is robust enough to prevent a total outage, latency becomes an issue when much of the ISP’s infrastructure is dedicated to fighting DDoS attacks in real-time.

There is always a trade-off between utility and security. Every digital resource dedicated to defending against the attack is a resource not dedicated to serving legitimate users.

ISPs do not always know their users’ applications

ISPs do not generally have the ability to build profiles of their users’ web and app-based applications. They may not have the insight necessary to distinguish between normal HTTP, secured HTTP, and APP-based data transfer rates and behaviors.

Without committing fully to a proxy-based web application firewall solution, there is no way to prevent legitimate users from being blocked during the mitigation of a DDoS attack.

Many organizations have compliance requirements that specifically prohibit them from implementing DDoS mitigation strategies that cannot make these kinds of distinctions. For these organizations, a customizable cloud WAF solution is the only solution they can consider.

SSL inspection creates critical latency

ISPs do not want to increase latency, yet they must perform some level of SSL inspection to protect against SSL DDoS attacks. This creates another trade-off situation where users’ security may not take priority over the economic profitability of offering users latency-free operation.

Maintaining an SSL proxy for always-on decryption is expensive in terms of latency. Most on-premises equipment tries to mitigate this expense by challenging SSL responses only when actively under attack. This kind of approach guarantees compromise, risks overprovisioning expenses, and potentially creates additional compliance issues for organizations.

“Blackholing” traffic cuts off legitimate users

Routing traffic away from the intended target to avoid exceeding uplink capacity can help mitigate DDoS attacks. The “black hole” method, however, will block traffic indiscriminately, keeping legitimate users away from the websites and apps they are trying to access. Many ISPs rely on this method because they do not have a viable way to improve their existing infrastructure the way a dedicated cloud-based security provider like Imperva can.

This approach effectively blocks out legitimate users in the process of mitigating an attack, whose sole purpose is blocking legitimate users. Instead of the cybercriminals doing it, the ISP does it on their behalf, defeating the point of mitigation for that group of users.

ISPs lack rate limiting capacity

Have you ever sent an incorrect page request to your site? What happens? You most likely receive a “404 page not found” error message. That error message is generally served by your webserver. Now imagine sending a billion such incorrect requests. Note that these are perfectly valid requests with no malicious payload. So a WAF won’t trigger any rule on it, but it still has the potential to bring down your web server because it would be too busy sending 4xx.

Due to a lack of functionalities like rate limiting on HTTP/HTTPS requests, ISP’s aren’t able to prevent such attack types. Those who can offer rate limiting often do so based only on IP – so if traffic breaches pre-defined thresholds, both legitimate and illegitimate traffic is denied.

Lack of DNS protection

DNS amplification (a type of DNS reflection) has been used on Kerbs and on Dyn in the past. DNS service is a point of failure for Internet services. When you take down a DNS server, you take down all the services which are dependent upon it. Also, since DNS is UDP-based, it allows spoofing, has modest resources to generate attacks due to connectionless protocol, and allows for an attack amplification technique – 1Mbps of attack traffic can end up becoming 100Mbps reflected on the victim.

ISP’s do not generally have a way to replace your name servers, thus leaving your DNS servers vulnerable.

Find out how Imperva DDoS protection brings the security you need to thwart DDoS attacks.