Five Features to Look for in a DDoS Mitigation Service

This month we are sharing a blog from our security partner Oracle Dyn that takes a look at the five features to look for in a DDoS Mitigation Service.

Organizations know they must have a DDoS mitigation strategy as part of their disaster recovery and online contingency plans. But some have a fundamental misunderstanding of what that means.

In the context of DDoS, mitigation does not mean simply blocking all attacks. It is actually the process of reducing the severity of the overall effects that a DDoS attack can have.

When evaluating DDoS mitigation service providers, the following capabilities are imperative to effectively address the overall threat of attacks and fundamentally lessen the damage they can cause. Unfortunately, not all vendors offer the same level of protection, and many have different approaches to what they call mitigation. The list below can help organizations measure the differentiation that exists among various DDoS mitigation service providers.


Always-on, immediate detection

No organization can mitigate the effects of a DDoS attack without first detecting that one is taking place. Most DDoS attacks start small and ramp up over a period of time, so early detection is crucial.

Ensure that your DDoS mitigation service has the ability to offer always-on, immediate DDoS detection. It should be able to detect an attack against a single IP address within seconds, before anyone else notices any effects, by continuously monitoring network traffic and edge routers.


Preconfigured traffic diversion

The next mitigation technique involves diverting incoming traffic targeting an asset to a cloud scrubbing centre. Diverting traffic requires changes to the underlying BGP routes that run the internet. Organizations can be severely hurt by an attack if there are delays in the BGP route update announcements needed to begin traffic diversion and subsequent scrubbing.

Ensure prospective DDoS mitigation services have the ability to preconfigure an organization’s routes and netblocks into their detection and mitigation technologies — before an attack begins, normally during the service onboarding process. Doing so ensures that traffic diversion can take place in seconds when an attack is detected. Vendors that rely heavily on automation to divert traffic are often the quickest to engage cloud scrubbing.


GRE tunnels

To reduce and nearly eliminate the negative effects of an attack in progress, a DDoS mitigation service provider should build GRE tunnels between its scrubbing centres and the customer’s border routers. GRE tunnels are needed to reinject legitimate traffic back to the protected organization once the DDoS attack has been scrubbed from the traffic streams.

Ensure prospective vendors have a proven process to build, test, and verify that GRE tunnels are operational before an attack begins. Reinjection of legitimate traffic is crucial to keep assets online, even when an attack is taking place. Waiting to build GRE tunnels until an attack begins will severely increase the amount of time to mitigation and will likely result in an extended outage.


Traffic-specific rulesets

When diverting traffic to a DDoS scrubbing centre, only a portion will actually be DDoS traffic.  Some legitimate traffic will also be diverted, and this traffic must not be negatively affected. Applying one broad ruleset to all diverted traffic is not always the best approach, because it will likely result in latency and increase the probability of inducing false positives.

Ensure prospective DDoS mitigation service providers have the ability to define and apply challenges, filters, and rules to only the IP address that is under attack. It is not necessary or recommended to scrub legitimate traffic destined to IP addresses not under attack. Vendors should have the ability to apply their scrubbing techniques to a single IP address instead of the entire diverted netblock and preconfigure rulesets for every IP address that may come under attack.


Customized onboarding

The onboarding process is critical to ensuring that all mitigation techniques and mechanisms are in place, long before an attack actually happens. One misstep during the process can completely defeat the overall effort, resulting in an unwanted outage. No two networks are the same, and targeted assets can be attacked in different ways, so customization of mitigation techniques is imperative.

Ensure prospective DDoS mitigation service providers have the ability to highly customize their onboarding process based on an organization’s business model, exposed web assets, peak operating hours, legitimate traffic volumes, specific application requirements, expected targets, and suspected attack vectors.

The above techniques may seem like a given, but they are the most important DDoS mitigation service differentiators.


This blog was first published on the Oracle Dyn blog on 7th November 2018 by Stephen Gates.