DDoS Attacks are ‘As Certain as Death and Taxes’

Along with email spam, phishing, malware and (in some people’s opinions) cat videos, DDoS attacks remain a persistent blight on the Internet. The Verizon 2018 Data Breach Investigations Report notes that “the degree of certainty that they will occur is almost in the same class as death and taxes”.

Financially motivated criminal organizations and nation-state actors bent on cyber warfare have aligned with malicious hackers to pool their collective knowledge and experience for generating increasingly complex, multi-vector, attacks that are more difficult to detect and mitigate.

The vast majority of DDoS attacks are either volumetric in nature – consuming a high percentage of network bandwidth – or focused on exhausting protocol-processing resources in the host systems under attack. Both types are highly effective in knocking out Internet applications and services, sometimes for hours and with severe consequences for service providers, businesses and consumers.

An Ever-Expanding Attack Surface

The vast complex of public networks spanning the globe is constantly growing and evolving, reaching into every corner of society. New devices, hosts and networks come online every hour of the day, offering bad actors a constantly growing number of targets and potentially vulnerable endpoints that can be exploited to launch attacks. Cyber criminals continuously crawl the Internet looking for new devices, which they can discover and hack within minutes of going online.

Internet trends are pushing the DDoS battle onto two separate fronts:

  1. An increasing number of rapidly growing, high-capacity, access networks and edge data centers supporting a growing number of next-generation IoT use cases.
  2. Massive, hyperscale data centers for delivering multicloud applications and services.

A Never-Ending Battle

The Internet is so vast, complex and constantly changing that there is no known method for eradicating the sources of DDoS attacks.

DDoS defense is a never-ending series of battles that swing back and forth with the black hats and white hats alternately enjoying the advantage. Cyber criminals discover and exploit vulnerable hosts to launch attacks. Defenders monitor network activity to compile a catalog of attack profiles that are used to take the necessary mitigation actions. New attack vectors are added to the catalog and any associated host vulnerabilities are circulated within the security community so that network operators can take preventive measures.

While massive-scale, high-intensity, DDoS attacks measured in hundreds of gigabits get the headlines in the press, the war is waged in an endless series of smaller-scale skirmishes. High-intensity attacks may rise for a short period of time but then cyber criminals are forced to regroup as network operators mount defenses to reconfigure and protect vulnerable hosts, and so attack intensity subsides. Yet the cycle of DDoS attack and defense continues on, with no end in sight.

Industry Impact from DDoS

Looking at the practicalities of our digital lives today we can see how a sustained DDoS attack could reduce individual productivity, loss of revenue, and more broadly impact our economy. Every second counts to digital-first businesses. One in every two people you see around you is connected to the internet and one in three people shop online. If their experience is disrupted, then business productivity – as well as current and future revenues – can all be instantaneously impacted. Below table provides a guide to the expected revenue impact of an extended DDoS incident, whether you are a leader (1% market share) or a breakthrough provider (0.1% market share).

Time to MitigateDefinitionEffective TTMWhyImpact Cost (1% market share)Impact Cost (0.1% market share)
Existing ClientNew ClientExisting ClientNew Client
Real-timeThat time-to-mitigation being short enough that there is no perceivable ipact on the target as a result of a DDoS attack.ImmediateNo customer impact – Inline real-time automation without scrubbing centresNoneNoneNoneNone
>0 secondsThe deplyment of known attack vectors that are immediately mitigate and do not cause an incident to be analysedImmediateNo customer impact – All mitigated attacks are known and pre0built into policiesN/AN/AN/AN/A
>3 secondsDefined service level agreement using automated mitigation, assuming mixture of known and unknown attacks3+ secondsIncludes time for redirect to scrubbing centers, analysis and mitigation $8 million repeat sales$49 million opportunity to convert>$8k repeat sales lost$2.17 million opportunity to convert
>5 secondsExceptional SLA, invoked manually when a website is known to be occurring cyber incidents60+ secondsRequires admin to manually change policies in security product$16 million repeat sales$49 million opportunity to convert>$16k repeat sales lost$2.17 million opportunity to convert
>10 secondsDefined service level agreement using automated mitigation, assuming mixture of known and unknown attacks10+ secondsIncludes time for redirect to scrubbing centers, analysis and mitigation $36 million repeat sales$49 million opportunity to convert>$36k repeat sales lost$2.17 million opportunity to convert
>18 secondsDefined service level agreement using automated mitigation, assuming mixture of known and unknown attacks18+ secondsIncludes time for redirect to scrubbing centers, analysis and mitigation $68 million repeat sales$49 million opportunity to convert>$68k repeat sales lost$2.17 million opportunity to convert
A few secondsGeneric statement assuming no defined service level agreement, automation and a mixture of known and unknown attacks3-60+ secondsNot a tanglible SLA – Includes time for redirect to scrubbing centers, analysis and mitigation >$240 million repeat sales$49 million opportunity to convert~$240k+ repeat sales lost$2.17 million opportunity to convert

* Source: SynergySix/Omnisperience

Why We Cannot Tolerate Anything Less Than ‘Real-Time’ And ‘Always-On’

We may not be quite yet zipping around with rockets on our backs, but life in 2020s is still remarkably different than it was even a decade ago. Of course, much of that is due to technology and the internet that touches and enables almost every corner of our lives. Technology has also made many of us much less patient in more ways than one. With the world at our fingertips, we want to know answers right away. Why wait around for a conclusion when we can find it within a few taps and a swipe? With decreased exposure to waiting for results we may be more inclined than ever to complain, look for alternatives, or change opinions in an instant.

5GN Real-Time DDoS Defense

5GN leverages several technology advances to enable Network-based DDoS protection as an add-on to its IP Transit product. 5GN partners offer software innovation with advances in Intel x86 multicore CPU technology, DPDK packet processing acceleration and high-performance NICs to provide breakthrough price/performance for DDoS defense. The SmartWall TDS family of products provide linerate protection at the network edge at connection speeds up to 100 Gbps.

SmartWall TDS appliances perform line-rate DPI to generate security metadata from traffic flows. The internal rulesengine examines this metadata to flag offending packet flows in real-time and instantly block attack packets. At the same time, the security metadata is streamed to the SecureWatch Analytics platform, where further analysis involving correlation with other performance metrics and event data enables rapid identification of new attack vectors.

SecureWatch Analytics also formulates new mitigation rules for these vectors that are automatically distributed out to each SmartWall TDS appliance. SecureWatch Analytics is based on Splunk’s Big Data analytics engine and is a critical component of the frontline defense against DDoS attacks. SecureWatch Analytics features a web portal providing easy-to-read dashboards for monitoring routine operations and incident response. Operators can also perform complex queries to conduct sophisticated security forensic analysis. Our DDoS defense solution has proven more than 99% effective in automatically detecting and mitigating attacks within seconds. This degree of effectiveness, speed and accuracy would not be possible without the innovation and incorporation of a Big Data analytics engine that can perform rapid analysis of high velocity security metadata. The SmartWall solution is fully automatic, detecting and mitigating attacks without the intervention of security analysts or network operators. Customers are usually unaware they have been under attack, until they check the SecureWatch Analytics dashboard for alerts.

Advantages of 5GN Network-based DDoS Protection

  • Leveraging global partnerships to provide best-in-class solution
  • Silicon-Based Packet Data Export and Flow Telemetry
  • Silicon-Based Packet Filtering
  • Sampled DPI for DDoS Detection
  • Next-Generation Networking Technologies
  • Real-Time Big Data Analytics
  • Real-Time, Automated DDoS Defense
  • Access, Backbone and Multi-Cloud Protection

Get in Touch