When the Enemy Is DDoS, Holistic Protection Is a Must

An infinite variety of attack methods require customizable solutions.

By Sean Newman, VP/Product Management, Corero

Sun Tzu was an exceptional general, strategist, and philosopher, and certainly one of the most prolific and best-known military figures in history. When he stated that “the greatest victory is that which requires no battle,” it’s safe to assume that he wasn’t anticipating that his words would be relevant many centuries into the future, let alone applied to something as abstract as cybersecurity. But some 2,000 years later, they hold just as true in cyberspace as on the battlefield.

While the battles he led centuries ago were complex in their own right, they in no way reached the same orders of magnitude that face today’s enterprises when attempting to secure their organizations.

Today, most, if not all, companies do at least a portion of their business online. For many, this means employees rely on cloud-delivered applications to go about their daily tasks, and the companies themselves rely on the internet for their bottom line. It goes without saying that these organizations must be available to their customers 24/7—even brief outages can result in lost revenue and productivity and do untold damage to a company’s reputation. Gartner estimates that downtime can cost up to $5,600 per minute; meanwhile other estimates suggest that even small businesses may lose over $100,000 per hour. Unfortunately, those daunting figures do more than emphasize the importance of the internet in modern commerce—they put companies squarely in the crosshairs of malicious actors looking to launch distributed denial of service (DDoS) attacks.

Modern DDoS attacks pose a triple threat.

Nearly 30 years after the first known DDoS attack, whereby a perpetrator floods their victim with traffic from across the internet, it remains a favorite attack type. From the standpoint of a cybercriminal, they have a lot to offer: they can be launched from anywhere in the world; they can be automated and multi-vector; and increasingly, they can be crafted to behave similarly to “normal” internet traffic, thereby evading human observation and manual, or legacy, mitigation techniques. Best of all, for the attacker perhaps, is the fact that many legacy DDoS mitigation solutions can also take more than ten minutes before their defenses kick in. This has led attackers to engineer shorter, sub-saturating attacks that are capable of inflicting as much, if not more damage, than their larger, longer-running volumetric counterparts.

Disconcertingly, malicious attackers have taken a page out of modern warfare and, increasingly, are launching carpet-bomb (also known as “spread spectrum”) DDoS attacks, which distribute themselves across a large number of targets rather than a more easily identifiable single target.

This carpet-bomb technique poses a triple threat to defenders in that it’s able to evade detection by flying under the radar of legacy, per-IP analysis techniques and thresholds. This attack technique also invalidates the use of black-hole or null-route mitigation, making it even more difficult for companies to avoid collateral damage. And because they more easily overwhelm scrubbing lane capacity (where traffic is redirected to be cleansed of malicious DDoS packets), cloud service budgets are exceeded and reporting systems are overloaded.

Counter the critics.

IT security leaders have the unenviable responsibility of selecting exactly the right solutions to defend against a host of ever-evolving threats, and when (not if) an attack occurs, everyone’s an armchair critic. Luckily, there are several basic tenets to follow when selecting the right DDoS defense solution.

Less bad isn’t good enough. The best solutions are those that do more than mitigate attacks—they prevent them entirely. Unfortunately, all too many DDoS defense solutions don’t go the extra mile to stave off attacks. Instead, they only make them “less bad” by mitigating them, meaning that organizations must still deal with downtime and lost productivity and/or revenue while they recover.

Semantics matter. There is a big difference between “always on” and “on demand.” The former means that your solution is always there, protecting your systems and devices against intrusions. On-demand, however, might as well translate to “already in trouble.” On-demand solutions monitor, but simply can’t react fast enough to prevent some amount of downtime. It can be minutes or tens of minutes before protection kicks in, and in that time most, if not all, of the damage is done. Rubbing salt in the wound, recovering downed servers and applications almost always takes significantly longer than the time it took a DDoS attack to fell them in the first place.

Do you feel lucky? IT leaders shouldn’t even be asking themselves if the odds are ever in their favor. They need confidence in the fact that their solution automatically protects against known and zero-day attacks. These same solutions should also be capable of effectively defending against evasive techniques such as multi-vector and carpet-bombing. Moreover, a solution should be able to shorten the detection-to-protection timeline to mere seconds so that downtime is prevented.

Bespoke is for more than suits. A good solution is one that can be tailored to fit a company’s needs. Some of the best solutions are those that allow IT leaders to select the defense and services they currently need, with room to grow as their needs evolve. Good DDoS defense solutions will offer flexible deployment with hardware, virtual software, and integrated options that align with company architecture. A modular platform that adapts to the ever-changing DDoS landscape can help companies maintain business continuity, while simultaneously protecting against future threats. Automation is also critical as it frees IT teams to focus on high-value initiatives and projects that grow the organization. Optional managed service offerings, meanwhile, are more than nice-to-haves as they deliver valuable domain expertise, without burdening existing staff and resources.

Count the cost. When choosing a DDoS defense solution, cheaper isn’t necessarily better. Ask yourself what the true cost of an outage would be, accounting for both damage to your bottom line and your reputation and choose accordingly.

Ponder and deliberate.

Regardless of size or sector, companies need to be prepared for both high-volume and sub-saturating DDoS attacks, looking for defense that extends beyond brute force, slow-to-react mitigation to full protection that eliminates any impact on their or their customers’ businesses. Investing in an advanced solution that is capable not only of viewing the IP address space holistically to detect and report on malicious behavior, but that delivers full protection in seconds rather than minutes is imperative.

There are many solutions that purport to address the threat from DDoS attacks. When it comes to selecting the one that’s right for your company, take a page from the Art of War: Ponder and deliberate before you make a move.

About the Author

Sean Newman is the Vice President of Product Management for Corero Network Security, where he is responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.

Sean can be reached online [email protected] and at our company website http://www.corero.com/