A Decade of DDoS Education: What’s Changed and What’s Stayed the Same

By Marco Gioanola

While Distributed Denial of Service (DDoS) attacks have been around for over 20 years, they have only become well-known to the majority of enterprises over the past ten years or so. Ten years ago, many enterprise IT teams only had a vague idea of what a DDoS attack was because they noticed the common symptoms “our website is down,” “the firewall crashed,” “nothing works” etc.

The average IT team in 2006 would not have been aware of the techniques DDoS attacks typically used like spoofed addresses or POST floods. In order to provide a true understanding of what DDoS attacks were and how enterprises could defend against them, some basic education had to happen. In 2006 that meant putting it in terms that everyone understood, “what would happen to our meeting if we tried fitting 100 people in this room?” Eventually as education continued and attacks grew in notoriety, the basics of DDoS became common knowledge in the industry.

But DDoS in its nature is an evolving threat and as application-layer attacks became predominant more education was needed. Application-layer attacks are not about blocking access to the door of the meeting room anymore, now we had to explain the stealthy nature of low-volume, targeted attacks. “So you’ve let two of us in this meeting room because we appear to be legitimate salespeople, but now we’re going to unplug the projector so you can’t run your meeting properly.”

Now ten years later, the majority of enterprise IT teams have a solid understanding of the threat DDoS poses and the basics of defense but even today we still come across people who believe they can protect themselves against DDoS attacks by simply increasing their bandwidth or relying on their firewalls or unified threat management appliances. With the volume of attacks today that is definitely not enough to ensure service and network availability in the face of sustained DDoS attacks.

The majority of DDoS education today has shifted from learning about the attack methods themselves to the correct defense techniques and processes. Even with the significant improvements in DDoS education and awareness, a lot of people still have unrealistic expectations that once they install a DDoS mitigation solution their job is done. There is no silver bullet against DDoS attacks. There is no magic box, there is no “set it and forget it” solution. You still have to educate the user.

Part of this comes from the misconception that DDoS attacks are launched by untalented kids. While that is true in some cases, many enterprise IT teams are surprised to find themselves often fighting against talented opponents who are often smarter than them, have more time than them and whose effort to start attacks is minuscule compared to their effort in blocking them.

Often times, when faced with these advanced adversaries, IT teams are quickly overwhelmed. Even though they have some mitigation tools in place, they may not have the right tools. They may not know who to call or recognize the type of attack targeting their systems. In short, they don’t have a technology problem, they have a people and process problem.

Think of DDoS defense like a NASCAR race, you have a super-powerful car (your DDoS mitigation solution or service), but if you don’t know how to drive over 70 mph, you’re going to crash and hurt yourself very quickly. And let’s not even mention what happens if you decided to install that cheap transmission because it was half-off. Enterprise IT teams need to focus on building the best car they can, hiring a skilled team that can keep the car in its best possible condition and then hiring the best driver they can afford to drive the car when the time comes.

Even if you have the best car in the world, an unskilled maintenance team or driver will lead to a third or fourth place finish at the end of the season. But if you want to win the championship, you need the best car, mechanics and driver you can afford.

Moving on from the NASCAR analogy, this means:

  • Understanding the technology that best fits your needs: on-premise, always-on, protection or an on-demand service?
  • Customizing that technology to fit your assets. Is it just your website or the services you provide from it? What about defending your corporate network?
  • Identifying and training a team that is capable of understanding all of the procedures in all possible scenarios that surround a DDoS attack.
  • Continue evolving your mitigation strategy. Keep your technology state-of-the-art and provide continuous training for your team.

If you follow these steps you’ll end up in the winner’s circle after mitigating another DDoS attack and not in pit row trying to figure out what went wrong.

Marco Gioanola is Senior CE, Cloud Services Architect at Arbor Networks.

Leave a Reply

WWPI – Covering the best in IT since 1980