
IDC 1597

IDC ANALYST CONNECTION

Christina Richmond
Program Director, Security Services

Distributed Denial of Service: What to Look for in a Provider

November 2013

In 2012, high-profile attacks on the world's leading financial firms thrust denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks back into the headlines. According to research from IDC, the worldwide market for DDoS prevention solutions will grow from $377 million in 2012 to $870 million in 2017, representing a compound annual growth rate (CAGR) of 18.2% over the five-year period. Volumetric attacks will continue to be the predominant attack type for the foreseeable future because of the relative ease with which botnets can send a bandwidth or packet flood in excess of what most enterprise infrastructures can handle. However, this could change quickly. IDC expects to see an increase in the more advanced hybrid attacks that include application layer and encrypted traffic. As a result, DDoS attacks are now a mainstream security problem, and organizations must have a proven mitigation plan in place and a service provider they trust when an attack occurs.

Christina Richmond, program director of IDC's Security Services practice, answers commonly asked questions about DDoS attacks and mitigation providers. This paper is sponsored by Prolexic Technologies.

Q. How long do DDoS events typically last, and what are the business impacts?

A. DDoS attacks occur on multiple layers, including application, network, and transport. Attack campaigns can last from just a few hours to weeks.

The immediate and obvious impact of a DDoS attack is Web site unavailability. Visitors may be unable to reach their intended destination. And often, when they do reach their destination, page load times can be as high as 50 seconds, essentially making the Web site unusable. Such an event can negatively impact sales revenue (if the site supports ecommerce transactions), brand image, stock price, customer satisfaction, and even Google search rankings. These attacks can cripple an entire business, not just the IT infrastructure.

In some cases, DDoS attacks are used as a diversionary tactic where the impact is less obvious but equally damaging. While the IT and security staff is busy fighting the DDoS attack, hackers break into IT systems and attempt to steal financial information, credit card numbers, passwords, intellectual property, and money.

Q. What are the key attributes to look for in a DDoS mitigation provider?

A. It's important to make sure your DDoS provider has the capacity to handle a large-scale attack. Publicly available statistics cite peak attack rates that are quite large. The ability to block large attacks is critical to ensuring Web site availability. In addition to scale, a DDoS provider should have significant experience and skill in mitigating complex application layer attacks, including encrypted attacks. Further, a quality provider should have multiple mitigation layers and techniques and not rely on one or two off-the-shelf devices; experienced attackers often have a solid understanding of the weak points of these devices and the limits of their capabilities.

Ask if a provider measures attacks and what attack analysis will be provided. Can the mitigation company share bit and packet rates of attacks it has seen? Is this data produced through direct observation and thereby mitigation of a DDoS attack, or secondhand via a publication the provider is quoting? Because of the increasing size and complexity of attacks, simply deploying technology is no longer enough. Look for a solution from a service provider that is purpose built for solving security problems. Experienced engineers and analysts who are engaged in the DDoS fight day in and day out are more valuable than a provider that touts a high number of clients or has years of general security experience but doesn't engage in the DDoS fight every day. To gauge DDoS experience, ask potential service providers how many attacks per hour or per day they encounter. In addition, it is beneficial to make sure you have a provider that is committed to creating an intimate relationship with your company. The provider should have processes in place to get to know your business and create a play-by-play engagement model that dictates how an attack will be handled, by whom, and with what resources. DDoS mitigation isn't something you can "set and forget." You must plan for the worst.

Q. How much real-time network visibility should a DDoS mitigation vendor provide?

A. Ideally, a DDoS mitigation vendor should have near-real-time visibility of the customer network, and not just under attack scenarios. Real-time visibility into network traffic assists with identification of DDoS attacks. Split-second decisions cannot be made in arrears; rather, they must be made in the moment of a DDoS attack. In addition, look for a monitoring platform and customer portal with information that is easy to read and interpret and provides real-time data and analysis of your network perimeter. Also be sure that your provider understands the context of what the customer sees in an attack and presents it in such a fashion that assists rapid decision making during attacks as well as visibility for executive engagement. A world-class DDoS vendor will also provide industry knowledge and educational resources as part of its service.

Network visibility is critical for the provider and your teams to make rapid decisions when under attack. You want to have a customer service partner that can help you navigate the complex landscape of DDoS alerts that may or may not require mitigation. Also required are flexible and modular service options that will allow you to scale up or down depending on your needs. An "always on" mitigation service option is important, as is one price regardless of attack size to protect your company 24 x 7 within a predictable budget. Further, look for a provider that can assess your infrastructure to advise you on the best mitigation plan for your company.
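As an added illustration (not part of the IDC paper, and not any provider's code), the following Python sketches the kind of per-window visibility the answer above calls for and the attack measurements the previous answer recommends asking a provider about: it aggregates flow records into one-second windows, reports bits per second, packets per second, SYN share and distinct sources, and flags windows that exceed a multiple of an attack-free baseline or that show a SYN-flood signature even at low volume. The record layout, thresholds, window size and the sample traffic are all assumptions constructed for the example.

```python
"""Window-based traffic-rate monitor for DDoS visibility (added example).

Assumes flow records of the shape a router or scrubbing center might export
(timestamp, source, protocol, TCP flags, packets, bytes). All sample data
below is constructed; nothing touches a real network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since an arbitrary epoch (constructed)
    src: str         # source address as reported by the exporter
    proto: str       # "tcp" or "udp"
    tcp_flags: str   # e.g. "S" (SYN only), "A" (ACK); "" for non-TCP
    packets: int
    bytes: int


def window_stats(flows, window=1.0):
    """Aggregate flows into fixed-size windows and derive per-window rates."""
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "syn": 0, "srcs": set()})
    for f in flows:
        b = buckets[int(f.ts // window)]
        b["bytes"] += f.bytes
        b["packets"] += f.packets
        if f.proto == "tcp" and f.tcp_flags == "S":
            b["syn"] += f.packets          # SYN-only packets: half-open handshakes
        b["srcs"].add(f.src)
    stats = []
    for w in sorted(buckets):
        b = buckets[w]
        stats.append({
            "window": w,
            "bps": b["bytes"] * 8 / window,   # bits per second
            "pps": b["packets"] / window,     # packets per second
            "syn_ratio": b["syn"] / b["packets"] if b["packets"] else 0.0,
            "sources": len(b["srcs"]),
        })
    return stats


def detect(stats, baseline_windows=3, factor=5.0, syn_ratio_max=0.6):
    """Flag windows whose pps or bps exceed `factor` times the mean of the first
    `baseline_windows` (assumed attack-free), or whose SYN share is abnormal.
    The SYN check catches a low-rate SYN flood that the volume checks miss."""
    base = stats[:baseline_windows]
    base_pps = sum(s["pps"] for s in base) / len(base)
    base_bps = sum(s["bps"] for s in base) / len(base)
    alerts = []
    for s in stats[baseline_windows:]:
        reasons = []
        if s["pps"] > factor * base_pps:
            reasons.append("pps")
        if s["bps"] > factor * base_bps:
            reasons.append("bps")
        if s["syn_ratio"] > syn_ratio_max:
            reasons.append("syn_flood")
        if reasons:
            alerts.append((s["window"], reasons))
    return alerts


def sample_flows():
    """Constructed traffic: 3 s of normal load, 1 s of low-volume SYN flood
    from many sources, 1 s of high-volume UDP flood (documentation addresses)."""
    flows = []
    for sec in range(3):                                   # windows 0-2: baseline
        for i in range(10):
            flows.append(Flow(sec + 0.1 * i, f"198.51.100.{i}", "tcp", "A", 20, 24000))
    for i in range(500):                                   # window 3: SYN-only, 60-byte packets
        flows.append(Flow(3 + i / 500, f"203.0.113.{i % 250}", "tcp", "S", 1, 60))
    for i in range(50):                                    # window 4: large UDP volume
        flows.append(Flow(4 + i / 50, f"192.0.2.{i}", "udp", "", 50, 70000))
    return flows


if __name__ == "__main__":
    stats = window_stats(sample_flows())
    for s in stats:
        print(f"w={s['window']} pps={s['pps']:.0f} bps={s['bps']:.0f} "
              f"syn={s['syn_ratio']:.2f} sources={s['sources']}")
    print("alerts:", detect(stats))
```

The point of the two checks is that window 3 stays below five times the baseline in both packets and bits, so a rate-only view would miss it; the SYN share of 1.0 is what exposes it. Window 4 trips both volume thresholds. A real deployment would replace the three-window mean with a longer rolling baseline and would treat "sources" as a second signal for distinguishing a distributed flood from a single misbehaving client.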

Q. Why choose a specialist provider?

A. Specialist providers and those that are in the DDoS fight day in and day out have large, dedicated mitigation networks and expert resources focusing all of their time on DDoS. They have invested in security as a core expertise and have a security operations center and a first-responder team of engineers. The environment is purpose built for large-scale DDoS with real-time analytics.

Look for a company that has a distributed global network of traffic scrubbing centers in the Americas, Asia, and Europe. A provider that understands that DDoS attacks are not static is also critical. Methods of attack change constantly, from volumetric floods to small, targeted payloads hidden in HTTP and HTTPS traffic. They can involve SYN floods or DNS-level attacks and are often amplified through reflection tactics. DDoS is a highly complex arena that requires specialized knowledge and attention.

Q. Are application attack (Layer 7) mitigation capabilities a requirement?

A. While it is critical to ensure that a provider has more than enough capacity to be able to handle large, volumetric infrastructure attacks (targeting Layers 3 and 4), it is also important that the provider can mitigate stealth, low gigabit per second application attacks (targeting Layer 7). Many application attacks are encrypted via Secure Sockets Layer (SSL) technology, so providers should also be evaluated for their ability to mitigate encrypted attacks as well as their SSL key management practices, to ensure that compliance with any industry privacy or security regulations can be maintained.

ABOUT THIS ANALYST

Christina Richmond is a program director for IDC's Security Services research practice. In this role, she is responsible for IDC's worldwide research and analysis on enterprise and service provider security consulting and integration services.

ABOUT THIS PUBLICATION

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the Custom Solutions information line at 508-988-7610 or [email protected]. Translation and/or localization of this document requires an additional license from IDC.

For more information on IDC, visit www.idc.com. For more information on IDC Custom Solutions, visit www.idc.com/gms.

Global Headquarters: 5 Speen Street, Framingham, MA 01701 USA. P. 508.872.8200 F. 508.935.4015 www.idc.com