DDoS Mitigation: The Definitive Buyer’s Guide

Network Capacity

• Protecting Websites
• Protecting Applications
• Protecting APIs
• Protecting Networks

Network capacity remains a great way of benchmarking a DDoS mitigation service. It reflects the overall scalability available to you during an attack

For example, a 1 Tbps (terabits per second) network can theoretically block up to the same volume of attack traffic, minus the bandwidth required to maintain its regular operations.

Most cloud-based mitigation services offer multi-Tbps network capacity—well beyond what any individual customer might ever require. On-premise DDoS mitigation appliances, on the other hand, are capped by default—both by the size of an organization’s network pipe and the internal hardware capacity.

Key features:

• Available bandwidth—measured in Gbps or Tbps available to protect against an attack. An attack exceeding the bandwidth of your DDoS provider will hit your servers.
• Deployment model—cloud-based or on-premise solution. Cloud-based solutions are elastically scalable and can defend against high-volume DDoS attacks.

Processing Capacity

• Protecting Websites
• Protecting Applications
• Protecting APIs
• Protecting Networks

In addition to throughput capacity, consideration should also be given to the processing capabilities of your mitigation solution. They’re represented by forwarding rates, measured in Mpps (millions of packets per second).

Today it’s not uncommon for attacks to peak above 50 Mpps, with some reaching as high as 200—300 Mpps and more. An assault exceeding your mitigation provider’s processing power will topple its defenses, which is why you should inquire about such a limitation upfront.

Key features:

• Forwarding rate—measured in Mpps. An attack exceeding the forwarding rate of your DDoS provider will hit your servers.
• Forwarding technique—DNS or BGP routing. DNS routing is always-on, and can protect against both application-layer and network-layer attacks. BGP routing can protect against virtually any attack, and can either be always-on or activate on-demand.

Latency

• Protecting Websites
• Protecting Applications
• Protecting APIs
• Protecting Networks

It is critical to understand that at some point, legitimate traffic to your website or application will pass through the DDoS provider’s network:

• If DDoS services are on demand, traffic switches over to the DDoS provider when an attack occurs
• If DDoS services are always on (which has significant advantages), all your traffic will pass through the provider’s servers

The connection between your data center and your DDoS provider must be very performant, or it can result in high latency for your users. You should evaluate:

• Which geographical points of presence (PoP) does the DDoS provider offer and how close are they to your data center(s)
• Whether your DDoS provider offers PoPs where your main customer base is located
• Whether the DDoS provider offers the most advanced routing techniques to ensure optimal connectivity with your data center and your users

The first point is the most important – consider, for example, a company based in India, working with a DDoS service that only has PoPs in Europe. Every user request will have to travel to the European PoP, from there to the data center in India, back to the European data center, and back to the user.

This will happen even if the user is actually based in Europe. If the user, like the company in our example, is based in India or another unsupported location, latency is multiplied.

Two options:

• Always on – always goes to DDoS mitigation provider
• On demand – when there is an attack

Time to Mitigation

• Protecting Websites
• Protecting Applications
• Protecting APIs
• Protecting Networks

Once an attack has been detected, time to mitigation is critical. Most assaults can take down a target in a matter of minutes and the recovery process can take hours. The negative impact of such downtime can potentially be felt by your organization for weeks and months ahead.

By providing preemptive detection, always-on solutions have a distinct advantage here. They offer near-instant mitigation—often protecting organizations from the first salvo during any assault. Look for a solution that can respond to an attack in seconds.

But not all always-on solutions offer such a response level. This is why inquiring about time to mitigation should be on your checklist when evaluating a DDoS protection provider, in addition to testing it during a service trial.

Network Layer Mitigation

• Protecting Websites
• Protecting Networks

Network layer DDoS attacks are volumetric in nature – they rely on very large scale traffic that can cause bigger damage to your infrastructure. There are several methods DDoS providers use to mitigate network attacks. All these methods have the goal of separating legitimate traffic from malicious traffic, getting rid of malicious packets while allowing legitimate packets to reach their destination.

Check which methods are supported by your DDoS mitigation provider:

• Null routing—null routing (a.k.a., blackholing) directs all traffic to a non-existent IP address. Its downside is that it’s likely to cause a high ratio of false positives—the disposal of malicious and legitimate visitors alike.
• Sinkholing—this method diverts malicious traffic away from its target, usually using a list of known malicious IP addresses to identify DDoS traffic. While not as indiscriminate as null routing, sinkholing is still prone to false positives since botnet IPs can be also used by legitimate users. Moreover, sinkholing is ineffective against IP spoofing — a common feature in network layer attacks.
• Scrubbing—an improvement on arbitrary sinkholing, scrubbing routes all ingress traffic through a security service. Malicious network packets are identified based on their header content, size, type, point of origin, etc. The challenge is to perform scrubbing at an inline rate without causing lag or otherwise impacting legitimate users.
• IP masking—this method prevents direct-to-IP DDoS attacks by hiding the IP of your origin server.

Application Layer Mitigation

• Protecting Websites
• Protecting Applications
• Protecting APIs

Application layer (OSI layer 7) DDoS attacks are much stealthier than their network layer counterparts, typically mimicking legitimate user traffic to evade security measures. To stop them, your solution should have the ability to profile incoming HTTP/S traffic, distinguishing between DDoS bots and legitimate visitors.

Key features:

• Multiple inspection methods to identify legitimate traffic—the service should check IP and Autonomous System Number (ASN), provide cross-inspection of HTTP/S header content, and inspect behavioral patterns, to see if each session is a legitimate user session or part of a DDoS attack.
• Multiple challenges—many security services use challenges to test if traffic is malicious or legitimate, such as testing each request for its ability to parse JavaScript and hold cookies. Ensure the service doesn’t overuse CAPTCHAs, “delay pages” and other filtering methods that can annoy legitimate visitors and hurt website engagement.

Protection of Secondary Assets

• Protecting Applications
• Protecting APIs

Your network infrastructure likely comprises a number of servers and other IT assets. These may include web servers, DNS servers, email servers, FTP servers and backoffice CRM or ERP platforms. In a DDoS attack scenario, they might also be targeted by a perpetrator, causing downtime or otherwise paralyzing your business.

Assess your entire network infrastructure risk and determine which components need to be protected. At a minimum, bear in mind that your DNS service is one of the most common attack targets and your single point of failure.

Key features:

• DNS name server protection—protecting against DNS flood and other DDoS techniques aimed at crashing or disrupting DNS name servers.
• Application protection—protection of common applications like email, FTP, CRM, ERP.

Protection of Individual IPs

• Protecting Websites
• Protecting Applications
• Protecting APIs

Traditionally, cloud-based DDoS protection services were only able to protect entire IP ranges. It was difficult to extend this protection to specific cloud environments and assets, down to the level of individual IP addresses.

Advanced DDoS services offer protection for individual IPs, allowing you to register a public IP or domain name, add the DDoS service to your DNS configuration, and enable immediate protection of that specific IP.

Pricing and SLA

• Protecting Websites
• Protecting Applications
• Protecting APIs
• Protecting Networks

Pricing for DDoS mitigation services range from pay-as-you-go to flat monthly fees:

• Pure “pay as you go” pricing – this can be attractive because it costs nothing if you aren’t attacked. But if an attack happens, you can incur major expenses for the cloud resources used to mitigate the attack. You may need to request a refund for those resources, and it’s important to understand in advance under which circumstances a refund will be provided.
• Pay as you go based on attack volume – pricing based on  cumulative attack bandwidth (e.g., 50 Gbps/month) or cumulative number of hours under attack (e.g., 12 hours/month). Since a DDoS assault can last several hours or days (and sometimes weeks), such costs can quickly get out of hand.
• Service-based pricing – some enterprise offerings include a base price for DDoS protection, with special pricing for services like implementation, provisioning, etc. While these services can be valuable for your organization, be aware that they are part of the cost of your DDoS mitigation solution, and should be factored into your Total Cost of Ownership.
• Simple flat monthly fee – this is the preferred option for long-term agreements. Make sure the flat fee includes full coverage for all relevant attacks.

Other factors to consider when comparing prices:

• Different providers have different capacities in different scrubbing centers, and the net capacity across all the scrubbing centers may not be a good reflection of the scrubbing center attack mitigation capacity  in the geography of your interest (where your data center is located).
• The mitigation provider’s service level agreement (SLA) is another important consideration—sometimes more so than the price.

Key pricing features:

• Uptime guarantee—five nines (99.999%) represents the best case. Anything below three nines (99.9%) is unacceptable.
• Protection levels—as described herein, the provider’s SLA should define attack types, size and duration that it covers.
• Support service level—the SLA should spell out the provider’s response times for support issues. These are usually defined based on problem severity levels.

Support

• Protecting Websites
• Protecting Applications
• Protecting APIs
• Protecting Networks

Even if your DDoS service is fully automated, which is preferred because it allows fast response to an attack, make sure your provider offers professional support services. When an attack happens, you may need to talk to your provider to understand what is happening and resolve critical issues affecting your legitimate traffic.

Ensure your DDoS mitigation service operates a Security Operations Center (SOC) with security specialists available on call 24x7x365 for emergency assistance.