DDoS attack threat – mitigation and testing

John Baldock

Another high-profile website has suffered downtime as a result of a DDoS attack. This time is was the BBC. It is important for all organisations, hoping to avoid a similar fate, to review how the tech industry is reacting.

Project Shield from Google

Clicking through news articles related to the attack, filled with interchangeable clichéd phrases, I stumbled across this announcement of the expansion of Project Shield from Google.

It’s always exciting to see a tech giant’s response and contribution to hot topics in the industry. But a free DDoS mitigation service from Google: Is this good for companies weighing up their mitigation options? Can it possibly compete with paid for mitigation services? How will it impact network security companies such as activereach Ltd?

It is immediately obvious that you will not get anywhere near as good as the service you would expect from DDoS mitigation leaders, or indeed any paid for service, and in addition, Google states there is no SLA and no guarantee of protection. However, this is not a slight on Google’s laudable project that is trying to protect free speech. Certainly, Project Shield is not aiming at the same market space as commercial DDoS mitigation; their product definition defines their target market – which is limited to websites (not networks) serving news, human rights, and election content.

The BBC DDoS attack

It is not clear what DDoS protection the BBC has in place, but a news corporation of that magnitude should consider (or have!) some pretty hefty protection to ensure the continued reliability of their services. After all, they are an organisation with a massive audience and they have a reputation at stake.

However, the DDoS attack they were hit with was very large – according to some reports it was over 500Gbps – and perhaps it highlights that, regardless of scale and capability of the target or the scale of their mitigation partner, that mitigation systems need regular testing to understand their limitations. All DDoS protection is *mitigation* not *immunity* – it reduces the attack – it does not stop it. Like all flood defences it is prone to being over-topped.

The case for DDoS testing

Testing of DDoS mitigation allows organisations to be informed about how likely that is to happen, and allow them to budget for protection and testing as appropriate for the possible risk to business and reputation. Are we sure what the news is reporting is a failure of DDoS mitigation? Or simply the result of an informed investment in proportional mitigation?

So let’s not be too unkind as we watch the headlines flickering past as corporation after corporation fall victim to DDoS attacks. It’s important to realise that they have suffered financial and reputation loss. Indeed, it’s not wise for anyone to make any assumptions when it comes to their own finances and reputation, especially as you watch others stumble and struggle.

Make no mistake, DDoS attacks are soaring. They are the choice of missile for cyber criminals looking to distract, tarnish, or hold businesses to ransom.

Speak to industry experts about DDoS mitigation and testing. Make sure you are prepared for whatever threat your business may face. Take action now and don’t be the next headline that flickers past, suffering bewildering financial and reputation loss.

If you would like to find out more about our vendor neutral approach, please visit our web pages on DDoS Mitigation and DDoS Testing.