Have you ever experienced a DDoS attack? It’s not a fun experience. Alerts are going off all over the place, phone calls are coming in from users, management, executives, consultants and vendors; complaining, asking questions, demanding answers, offering assistance. If the attack is effective, services may be down or operating slowly, access to the site may be limited, routers, switches, load balancers, firewalls and other devices may be off-line. Even extremely prepared operators feel angst when an attack happens. They may have the best technology available, a contracted mitigation service, experience dealing with attacks, well documented processes, and have practiced for just this moment, but there will still be that bit of doubt creeping in that attackers have managed to find a hole in the defenses. Many attackers are smart, motivated, and have a growing set of tools at their disposal.
Imagine then how it would feel if you got attacked and have little to no protection in place and no expertise to deal with attacks? Panic and anger are usually the prevalent emotions around this time.
“The site is down,” say many users.
“Why didn’t we follow through on that DDoS project,” asks network operations?
“Nobody listened to my advice,” gripes the security engineer.
“Why weren’t we protected” the CIO asks the CSO.
“FIX IT NOW” yell the CEO.
This is followed by a mad rush to get any solution in place to solve the problem. Forget the long market investigations, the RFIs, the RFPs, the short lists, the evaluations, the contract discussions and finally the well thought out purchases. This is a quick and dirty “fix me now and just tell me how much I owe you.”
I’ve seen many iterations of the above scenario. In the last year, I’ve seen a huge expansion in attack campaigns targeting companies and industries that were previously untouched. Groups such as DD4BC (DDoS for Bitcoin) have made a business out of exploiting unprepared companies with DDoS attacks. Thankfully, Arbor has been in a position to help many of these companies. I’ve had the opportunity to interact with a number of folks going through the cycle of emotions that accompanies a DDoS event and most companies fall somewhere in the middle in the spectrum of preparedness. A relatively few companies are in the veteran category where they have all the right tools and experience. These are mostly companies that get targeted a lot. Others don’t have as much experience with attacks but still adhere to best current practices for protection investing in equipment, services and striving to train their organizations to be prepared.
Unfortunately, many organizations have less than optimum protection. In running Arbor’s cloud mitigation business for the last two years, I’ve has the opportunity to talk with a wide variety of customers and prospects that fall into this category. The fact that they are speaking with me shows that they are concerned about DDoS to some degree and want to take steps to prepare. However, there is a lot of differences in how companies approach preparedness and all too often, I’ve seen companies choose to “check the box” of DDoS protection rather than truly following through with protecting themselves. In some cases, companies will even invest considerable sums of money in protection but don’t go all the way towards realizing that protection.
The following are some of the traps I’ve seen companies fall into:
- Buying solutions based solely on price under the assumption that all solutions have the same level of effectiveness – this is definitely not the case.
- Buying all-in-one solutions that promise DDoS as a component to IPS, FW, load balancing, CDN or other network functions. These stateful devices provide minimal DDoS protection and are themselves vulnerable to DDoS.
- Buying a partial solution – cloud only or on-premise only.
- Buying a solution but not implementing it. This includes buying on-premise devices but not fully installing them or buying cloud services and not completing the cloud provisioning.
- Having the right technology solution in place but not preparing their people on how to use the technology.
All of these areas are concerning but the latter two points are of particular concern to me as it impacts a number of Arbor customers. Any company that has an Arbor DDoS solution in place has the ability to block all kinds of DDoS attacks. In the situations where they are not completely successful in mitigating attacks, it is generally because of issues with the deployment, configuration or operator preparedness. These are very solvable problems.
This begs the question: what is your level of preparedness for DDoS? Are you ready to deal with an attack? Are you comfortable that you have invested in the right solution? Have you implemented it fully? Is your staff prepared to handle attacks? Or, are you just checking the box?