Organizations know they must have a DDoS mitigation strategy as part of their disaster recovery and online contingency plans. But some have a fundamental misunderstanding of what that means.
When evaluating DDoS mitigation service providers, the following capabilities are essential to addressing the overall threat of attacks and limiting the damage they can cause. Unfortunately, not all vendors offer the same level of protection, and many mean different things by "mitigation." The list below can help organizations measure the differences among DDoS mitigation service providers.
Always-on, immediate detection
No organization can mitigate the effects of a DDoS attack without first detecting that one is taking place. Most DDoS attacks start small and ramp up over a period of time, so early detection is crucial.
Ensure that your DDoS mitigation service has the ability to offer always-on, immediate DDoS detection. It should be able to detect an attack against a single IP address within seconds, before anyone else notices any effects, by continuously monitoring network traffic and edge routers.
Preconfigured traffic diversion
The next mitigation technique involves diverting incoming traffic destined for an asset to a cloud scrubbing center. Diverting traffic requires changes to the BGP route announcements that steer traffic across the internet. An organization can be severely hurt by an attack if there are delays in the BGP route updates needed to begin traffic diversion and subsequent scrubbing.
Ensure prospective DDoS mitigation services have the ability to preconfigure an organization’s routes and netblocks into their detection and mitigation technologies — before an attack begins, normally during the service onboarding process. Doing so ensures that traffic diversion can take place in seconds once an attack is detected. Vendors that rely heavily on automation to divert traffic are often the quickest to engage cloud scrubbing.
Pre-built GRE tunnels
To reduce and nearly eliminate the negative effects of an attack in progress, a DDoS mitigation service provider should build GRE tunnels between its scrubbing centers and the customer's border routers. GRE tunnels are needed to reinject legitimate traffic back to the protected organization once the DDoS attack has been scrubbed from the traffic streams.
Ensure prospective vendors have a proven process to build, test, and verify that GRE tunnels are operational before an attack begins. Reinjection of legitimate traffic is crucial to keep assets online, even when an attack is taking place. Waiting to build GRE tunnels until an attack begins will severely increase the amount of time to mitigation and will likely result in an extended outage.
Per-IP scrubbing
When diverting traffic to a DDoS scrubbing center, only a portion of it will actually be DDoS traffic. Some legitimate traffic will also be diverted, and this traffic must not be negatively affected. Applying one broad ruleset to all diverted traffic is not always the best approach, because it will likely add latency and increase the probability of false positives.
Ensure prospective DDoS mitigation service providers have the ability to define and apply challenges, filters, and rules to only the IP address that is under attack. It is not necessary or recommended to scrub legitimate traffic destined to IP addresses not under attack. Vendors should have the ability to apply their scrubbing techniques to a single IP address instead of the entire diverted netblock and preconfigure rulesets for every IP address that may come under attack.
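The per-IP detection described under "Always-on, immediate detection" and the per-IP scrubbing scope described above, as an added illustration that is not part of the original article or any vendor's product: constructed per-second flow summaries for a diverted /24 are baselined per destination, a ramp against one host is flagged in the second it starts, and the resulting mitigation scope is that single /32 rather than the whole diverted netblock. The thresholds, netblock, and flow values are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not real traffic): (second, destination IP, packets in that second)
# for three hosts in a diverted /24. Only 203.0.113.10 ramps up, starting in second 3.
FLOWS = [
    (0, "203.0.113.10", 900),   (0, "203.0.113.20", 850), (0, "203.0.113.30", 400),
    (1, "203.0.113.10", 950),   (1, "203.0.113.20", 800), (1, "203.0.113.30", 420),
    (2, "203.0.113.10", 880),   (2, "203.0.113.20", 870), (2, "203.0.113.30", 390),
    (3, "203.0.113.10", 4000),  (3, "203.0.113.20", 830), (3, "203.0.113.30", 410),
    (4, "203.0.113.10", 25000), (4, "203.0.113.20", 860), (4, "203.0.113.30", 405),
]
DIVERTED_NETBLOCK = ipaddress.ip_network("203.0.113.0/24")  # assumed customer netblock

def per_ip_series(flows):
    """Group packet counts by destination IP, then by second."""
    series = defaultdict(lambda: defaultdict(int))
    for sec, dst, pkts in flows:
        series[dst][sec] += pkts
    return series

def detect_attacked_ips(flows, baseline_secs=3, ratio=4.0, min_pps=2000):
    """Flag a destination in the first second its rate is `ratio` times its own recent
    baseline AND above an absolute floor, so small hosts with bursty traffic are not
    flagged. Returns {ip: second_detected}. Thresholds are illustrative assumptions."""
    flagged = {}
    for dst, by_sec in per_ip_series(flows).items():
        secs = sorted(by_sec)
        for i in range(baseline_secs, len(secs)):
            baseline = sum(by_sec[s] for s in secs[i - baseline_secs:i]) / baseline_secs
            current = by_sec[secs[i]]
            if current >= min_pps and current >= ratio * baseline:
                flagged[dst] = secs[i]
                break
    return flagged

def mitigation_scope(attacked_ips, diverted):
    """Scrub only the attacked /32s inside the diverted block; the rest of the block
    is reinjected to the customer untouched."""
    scrub = sorted(f"{ip}/32" for ip in attacked_ips
                   if ipaddress.ip_address(ip) in diverted)
    return {"scrub": scrub, "reinject_unscrubbed": str(diverted)}

if __name__ == "__main__":
    attacked = detect_attacked_ips(FLOWS)
    print(attacked)                                        # {'203.0.113.10': 3}
    print(mitigation_scope(attacked, DIVERTED_NETBLOCK))  # scrub only 203.0.113.10/32
```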
Customized onboarding
The onboarding process is critical to ensuring that all mitigation techniques and mechanisms are in place long before an attack actually happens. One misstep during the process can completely defeat the overall effort, resulting in an unwanted outage. No two networks are the same, and targeted assets can be attacked in different ways, so customization of mitigation techniques is imperative.
Ensure prospective DDoS mitigation service providers have the ability to highly customize their onboarding process based on an organization’s business model, exposed web assets, peak operating hours, legitimate traffic volumes, specific application requirements, expected targets, and suspected attack vectors.
The above techniques may seem like a given, but they are the most important DDoS mitigation service differentiators.