Reevaluating DDoS Protection in a Changing Threat Landscape

As part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories, Randy D’Souza of Neustar Security Services is our guide through DDoS attacks and mitigation strategies in an ever-changing threat landscape.

Distributed denial-of-service (DDoS) attacks are gaining in frequency, intensity, and duration, and attackers have also become more sophisticated, employing multiple vectors and branching out into ransom DDoS attacks, SSL-based attacks, carpet bomb attacks, and application layer attacks, as well as using DDoS attacks in combination with other, more focused activities.

The attackers’ targets are changing as well. The COVID-19 pandemic accelerated many businesses’ digital transformation processes, resulting in a dramatic increase in the number of both customer-facing and internal digital assets and more decentralized networks. The speed of the shift has made inadvertent security lapses more likely, while IT staffs continue to be stretched thin as workloads increase and the cybersecurity skills shortage persists.

In light of the recent increase in both threats and vulnerabilities, organizations should reevaluate their approach to DDoS protection, assessing both their overall mitigation strategy and their mitigation partner’s capabilities.

Mitigation Strategy

Considering the increasing size and intensity of DDoS attacks, no enterprise with extensive digital assets or a significant web presence can rely exclusively on an on-premises solution. A comprehensive strategy must include a relationship with a cloud-based service provider that can mitigate attacks, either instead of or in addition to an on-prem solution. Realistically, then, there are three primary mitigation strategy options:

  • Always-on protection. With always-on protection, all network traffic is routed through the service provider’s platform, and the provider automatically manages the response and mitigation in the event of a DDoS attack. This strategy provides the most comprehensive and reliable DDoS protection with the fastest possible mitigation, with no equipment or capital expenses and the fewest demands on IT staff. It is more expensive than on-demand protection, but it is the best choice for organizations that require secure access to and constant availability of extensive network assets.
  • On-demand protection. With an on-demand strategy, the company partners with a cloud-based provider that is on call to mitigate attacks. The organization’s IT team works with the provider to develop a procedure for rerouting traffic to the mitigation platform, either manually or based on preset traffic thresholds. This is the easiest and quickest solution to implement, as well as the least expensive. However, some risk is involved in rerouting traffic in the event of a DDoS attack, and it does require the active involvement of the IT team. This approach is a good choice for organizations that have less extensive online assets or for those for whom constant network access and availability are less critical.
  • Hybrid on-prem/on-demand protection. With a hybrid approach, the organization uses on-prem mitigation equipment for smaller attacks and brings in an on-demand cloud provider for larger attacks. Given the extensive capital expenditures required to purchase and maintain the on-prem appliances, along with the significant IT resources needed to monitor and respond to attacks, this solution generally makes sense only for large enterprises with legacy installations of on-prem mitigation equipment.

Mitigation Partner Capabilities

After you’ve chosen a mitigation strategy, you’re ready to evaluate potential mitigation partners. In assessing the capabilities of a cloud-based solution provider, focus on the following capabilities:

  • Mitigation capacity and scale. A mitigation platform must have sufficient capacity to handle multiple large and intense DDoS attacks simultaneously, so it must be substantially overbuilt. And it’s not just the overall scrubbing capacity that’s important — you’ll want to know the platform’s ingestion capacity (the volume of traffic it can take in) as well.
  • Global distribution of mitigation sites. Consider how the locations of the provider’s mitigation sites relate to the locations of your assets. Closer geographic proximity means reduced latency and quicker mitigation.
  • Tools and automation. The provider should use best-in-breed mitigation appliances that incorporate automated countermeasures as part of their design — for example, the ability to detect signals that indicate a specific attack or adjustable alerts triggered by anomalies observed in network traffic or the wider network environment. The orchestration platform’s automation is also critical, as smart, automated functions can significantly increase the efficiency and effectiveness of mitigation efforts.
  • Flexibility. Make sure the provider is willing and able to adapt its tools and services to meet your specific needs — not only in terms of configuring the DDoS protection to cover all your network assets and appropriately tuning the thresholds in automated traffic monitoring applications, but also augmenting automated mitigation with intervention by experienced security professionals when necessary.
  • Experience and commitment. A provider with a long track record of mitigating DDoS attacks is likelier to have the skills and expertise to mitigate large, multiphase attacks or innovative attacks using new vectors. Similarly, a commitment to absolute reliability in mitigating current and future attacks will ensure that the provider regularly invests in equipment upgrades and incorporates advances in automation into the orchestration platform.
  • Service. Professional expertise and availability are critical in the initial configuration phase, but also afterward, even with an always-on solution, as complex attacks often require expert intervention. Make sure the provider has DDoS specialists on duty 24/7 to coordinate the response in the event that an attack defeats automation.

As the DDoS threat landscape changes, new types of attacks and new network vulnerabilities are increasing organizations’ risk that a successful attack will cut off access to customers and partners, freeze employees out of critical applications and assets, and expose the business to exorbitant ransom demands. But by consciously choosing a defense strategy that meets your enterprise’s needs and conducting a thoughtful review of mitigation partners and the tools and technologies they are able to deploy, you can create an effective defense in depth that will prepare your business to weather any DDoS attack.

Randy D'Souza