In the previous article in this series, we looked at the business case for DDoS (Distributed Denial of Service) testing. If you read this last post, you will probably agree that there are a number of features of DDoS attacks and DDoS mitigation systems that make DDoS attack testing particularly important. in this article, I have put together a checklist of the top ten reasons that businesses should consider when assessing the business case for DDoS attack testing.
Some types of countermeasures benefit more than others from routine testing and DDoS mitigation systems are a case in point. Some DDoS mitigation techniques rely on the deviation of traffic from normal levels and characteristics and so need good baseline information to be effective. Some DDoS attacks mimic normal user behaviour to a point, to try to evade detection and slip past defences – testing helps to tune mitigation detection, minimising false positives and optimising response times to attack.
Staff also need to be familiar with detection and response, and testing can help streamline response plans, reducing the distraction effect of DDoS attacks and keeping resources available to prevent data theft.
activereach has encountered several businesses who are under such regular DDoS attack that they feel they can suspend their DDoS attack testing. But for most companies, the frequency of DDoS attacks is low enough that confidence in staff and system preparedness will be commensurately low.
There are a number of features of DDoS attacks and DDoS mitigation systems that make testing particularly important:
Our Top 10 reasons to launch a DDoS attack test
#1 DDoS mitigation systems are expensive
Building a cloud service that is proof against the largest possible attacks is an expensive business that requires investment in many data centres, massive peering capacity and hundreds of scrubbing systems. In the flood prevention market – the solution price often reflects the investment made in the mitigation capability. When it comes to defeating 100Gbps+ attacks, size is important.
Providing this kind of flood defence for a single data centre might cost a company more than £100,000 a year. For many mid-market companies, this represents a significant investment in security to mitigate an unknown or poorly quantified risk.
A DDoS attack test costs a fraction of the annual cost of mitigation. A test can demonstrate to the board what impact a DDoS attack may have on the business and thus quantify the need for mitigation. A DDoS test might be able to quantify the capabilities of existing mitigation and help inform future investment in additional mitigation. A DDoS test might reveal that existing mitigation is not performing as expected, allowing the company to go back to mitigation vendor so they meet contractual obligations. Furthermore, a DDoS threat test can act as a drill for front line staff and managers responding to an attack, and can be used to model a training plan to optimise response in the face of a real DDoS event.
#2 DDoS mitigation systems vary widely in performance and capability
DDoS mitigation covers a broad range of techniques and technologies. Even the lowliest router claims some level of DDoS protection as a feature. Businesses need to be certain what scale of protection existing devices and services actually provide as opposed to what they promise.
#3 DDoS mitigation systems “leak” to avoid false positives
With a lot of DDoS attack traffic masking itself as user traffic, the task of mitigation is not always to block, like traditional defences, but to improve the ratio of good traffic to bad traffic sufficiently for the system under attack to cope with it – and continue to deliver normal service to the legitimate user.
#4 DDoS mitigation vendors cannot/do not reveal performance parameters
Many mitigation companies, in our experience, don’t like their infrastructure being tested. This is understandable – it is a cost to them and they would be most happy to accept payment for a service that is then never employed in anger. However, a customer has every right to ensure that contractual obligations can be met – in terms of detection, response, and mitigation capability. Moreover, if the mitigation company truly wants their solution to be operating at peak efficiency (system and people/process), then they should not only accept, but actively encourage regular test programmes alongside the deployment of their mitigation solution.
#5 DDoS mitigation requires processes to be followed by staff
DDoS mitigation involves people communicating – either electronically or by phone. This is especially true of some ‘on demand’ mitigation solutions which sometimes require human intervention, and changes to traffic routing to ‘swing’ mitigation capabilities into place. Until it is employed, a company may not be aware that the process of mitigation is broken.
Staff may not be aware of who to call, or even what an attack looks like. A company experiencing a system with degraded performance may expect IT failure or service provider issues as opposed to an attack and may not follow appropriate response protocol. With DDoS being used to blind companies to other attack methods, staff need to be aware that a DDoS attack may be an indication of a concurrent penetration or data theft.
If you are interested in testing your company’s ability to withstand DDoS attacks and would like to find out more about DDoS, mitigation and threat testing, please download our 2018 white paper on Testing Distributed Denial of Service.
#6 DDoS detection requires monitoring systems to be tuned
Not all DDoS attacks are easy to spot. The public perception of a DDoS attacks are the high profile DDoS ‘flood’ attacks, which are easy to detect. However a significant proportion of DDoS attack methods involve techniques which do not necessarily involve large amounts of data. These ‘low and slow’ attacks can slip past simple flood defences because they are designed, to a degree, to mimic normal user or application behaviour.
Some powerful DDoS mitigation techniques rely on detecting deviation from normal traffic patterns. This means the system needs tuning – and a DDoS test can help immeasurably with this establishment of a baseline and subsequent tuning process to detect anomalies.
#7 Modern networks and dependencies on public cloud are increasingly complex
With the rise in server virtualisation, virtual machines running on non-server devices (like routers), and virtual network technologies like VLANs and Q-in-Q – alongside rapid adoption of SaaS and hybrid cloud architectures, a company’s logical network architecture and data landscape is complicated like never before.
It is not always clear what business applications rely on which network devices or circuits. We have experienced customers who have learnt a great deal about network dependencies during a DDoS attack test – outages in systems that were considered previously isolated and invulnerable to attack.
#8 DDoS attacks are increasing in frequency, impact and sophistication
Previously DDoS might threaten an outage, but were considered more of a nuisance rather than a bona-fide threat to business data. However, modern cyber criminals have found the benefit of blending DDoS with penetration and data theft in a multi-vector assault. DDoS attacks have also become more sophisticated in and of themselves and untested mitigation systems may no longer offer the protection they once did.
#9 ISPs, SaaS companies, and hosting providers do not always test their own DDoS mitigation capabilities
Many customers make assumptions about their service provider’s attitude to DDoS and their capability to assist when a customer is under attack. The economics of the situation often present the service provider with the choice between upsetting one customer by turning them off, or upsetting all of their other customers who are suffering from collateral damage.
Any DDoS mitigation capabilities the ISP does have are often of limited scale and capability compared to a dedicated DDoS mitigation company. The lack of specialisation may mean the ISP or hosting company cannot provide the level of protection required. A test would confirm this. Many ISPs ‘blackhole’ traffic by routing it away from the intended target so its uplink capacity is not exceeded, however this blocks traffic indiscriminately, effectively blocking off a website or service.
Half off all ISPs surveyed by network security firm Corero in 2016 use this method. The same research also cited scrubbing, a process which filters out malicious traffic in order to minimise the impact on a business, as an example of an outdated procedure, claiming it is expensive and slow as it takes 30 minutes from detection to mitigation. Forty-six percent of ISPs surveyed use scrubbing. Scrubbing centres “coarsely” filter out bad traffic, are unable to detect shorter, smaller DDoS attacks and this adds latency to the remediation process.
#10 DDoS attacks are infrequent
Although this does not hold true for some customers in modern times, some of whom experience daily DDoS attacks, a large proportion of businesses have very little experience of DDoS attacks. Testing in this business environment will have a proportionately higher impact than for those companies who are very familiar with DDoS attacks.
DDoS attack testing isn’t just about testing your network infrastructure; it also serves as a drill to ensure that you have the right people and processes in place in the event of an attack. Our DDoS Testing Services offer either a standard template test pattern for a simple 90 min baseline DDoS attack test or a more advanced bespoke test scenario that can last for up to 6 hours. In our next blog article in this series we will discuss the legality and ethics of launching a DDoS attack test.