By John Whetstone
Distributed denial-of-service (DDoS) attacks are nothing new, yet these attacks remain one of the most common causes of high-profile outages and interruptions of client-facing services. DDoS attacks are often linked to acts of hacktivism and are perpetrated by organized groups such as Anonymous and Lizard Squad (or a kid with access to a Low Orbit Ion Cannon). Targeted DDoS attacks, such as the attacks aimed at Microsoft and Sony, have been used to make statements and cause highly visible, far-reaching business disruptions.
To mitigate the impact of these attacks, enterprises deploy DDoS protection technology. Products can be deployed on premises, as cloud-delivered services, or as hybrid configurations.
Currently, 58.5% of US enterprises deploy DDoS prevention technology. Of these, 25.4% deploy the technology on premises, 28.9% utilize cloud-based services, and 4.2% deploy a hybrid of these two options. The overall deployment rate of 58.5% isn’t concerning, but the extremely low number of hybrid deployments is. Here’s why:
Traditional, on-premises deployments require appliances to be installed inline, outside the network boundary. These appliances can immediately mitigate attacks such as UDP/ICMP network floods, SSL-based attacks, HTTP GET/POST attacks, and “low-and-slow” attacks; however, administrators must tune appliances to better identify anomalous application-layer traffic. The downside here is that enterprises deploying DDoS protection technology solely on premises remain susceptible to volumetric attacks.
On-demand cloud-based DDoS prevention services protect enterprises from volumetric attacks by scrubbing traffic and offering an automatic alternate “clean pipe” during an attack. However, while these services can protect against DDoS attacks that saturate Internet pipes, they cannot protect against application-layer attacks such as HTTP GET/POST attacks, SSL-based attacks, and “low-and-slow” attacks.
Always-on cloud-based DDoS prevention services on the other hand may be able to protect enterprises from all forms of DDoS attacks. However, these services require that enterprises redirect all traffic through the cloud service provider's infrastructure, which could add latency. For this reason, enterprises that process large volumes of time-sensitive traffic should carefully evaluate always-on services.
An organization with a significant online presence should consider a combination of the two deployment types or deploy a best-of-breed, purpose-built hybrid DDoS protection suite. The 95.8% of enterprises that rely solely on either of these options remain at risk from modern DDoS attacks.
NSS Labs has released a series of Intelligence Briefs that focus on security controls in the US enterprise, one of which is focused on DDoS prevention products. The series will report on security product usage as reported by 510 information security professionals representing 50 US industries. This paper will be available to subscribers to our research library.
This blog was updated on October 31, 2017 to provide clarity regarding on-demand cloud based DDoS prevention services versus always-on cloud based DDoS prevention services.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.