How to Minimize the DDoS Mitigation Gap


DDoS attackers are improving their arsenal and successfully targeting companies to cause damaging downtime. DDoS attacks are becoming more intense and multimodal, and in some cases take the form of ransom demands. Since the onset of the global lockdown, organizations have been undergoing a massive digital transformation, and identifying DDoS vulnerabilities has become more difficult.

What is a DDoS Mitigation Gap? 

A DDoS mitigation gap is the percentage of DDoS attacks that bypass a company’s DDoS mitigation defenses and reach the target network. For example, if 10 DDoS attacks hit an organization and its mitigation policy blocked only 8 of them, the network exhibited a 20% DDoS mitigation gap. Organizations can improve the effectiveness of their DDoS protection strategy by measuring the gap and keeping it to a minimum.
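As an added illustration (not code from the original post or from MazeBolt), the gap calculation above applied to a constructed set of attack-simulation results, extended to a per-layer and per-vector breakdown that shows which vectors the mitigation policy should be tuned for first. The record format and the vector names are assumptions made for the example.

```python
"""Compute the DDoS mitigation gap from attack-simulation results.
Record format (constructed for this example): one dict per simulated attack."""
from collections import defaultdict

# Constructed sample: 10 simulated attacks, 8 mitigated -> 20% gap overall.
SIMULATION_RESULTS = [
    {"vector": "UDP flood",        "layer": 3, "mitigated": True},
    {"vector": "ICMP flood",       "layer": 3, "mitigated": True},
    {"vector": "IP fragmentation", "layer": 3, "mitigated": True},
    {"vector": "SYN flood",        "layer": 4, "mitigated": True},
    {"vector": "ACK flood",        "layer": 4, "mitigated": False},
    {"vector": "SYN flood",        "layer": 4, "mitigated": True},
    {"vector": "HTTP GET flood",   "layer": 7, "mitigated": True},
    {"vector": "Slowloris",        "layer": 7, "mitigated": False},
    {"vector": "HTTP POST flood",  "layer": 7, "mitigated": True},
    {"vector": "DNS query flood",  "layer": 7, "mitigated": True},
]


def mitigation_gap(results):
    """Percentage of simulated attacks that bypassed mitigation."""
    if not results:
        return 0.0
    bypassed = sum(1 for r in results if not r["mitigated"])
    return 100.0 * bypassed / len(results)


def gap_by(results, key):
    """Mitigation gap broken down by a record field, e.g. 'layer' or 'vector'."""
    groups = defaultdict(list)
    for r in results:
        groups[r[key]].append(r)
    return {k: mitigation_gap(v) for k, v in groups.items()}


def remediation_priorities(results):
    """Vectors that bypassed mitigation, largest gap first, for policy tuning."""
    per_vector = gap_by(results, "vector")
    return sorted((v for v, g in per_vector.items() if g > 0),
                  key=lambda v: (-per_vector[v], v))


if __name__ == "__main__":
    print(f"Overall gap: {mitigation_gap(SIMULATION_RESULTS):.1f}%")
    for layer, gap in sorted(gap_by(SIMULATION_RESULTS, "layer").items()):
        print(f"  Layer {layer}: {gap:.1f}%")
    print("Remediate first:", remediation_priorities(SIMULATION_RESULTS))
```

Re-running the same computation after each infrastructure change gives a time series of the gap, which is the signal the post argues must be watched continuously.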

Why Do DDoS Mitigation Gaps Occur?

Dynamic Business Environments - In a real-time, always-on business world, organizations continuously transform their operations to keep up with new requirements and cut-throat competition. The recent work-from-home phenomenon connects personal devices to the infrastructure, making networks more vulnerable. The ongoing digital transformation includes deploying new servers, software, applications, and IT updates every other week. In October 2020, software intelligence company Dynatrace conducted an independent global survey of 700 CIOs to analyze the need for digital transformation; the report reveals that 89% of CIOs say digital transformation has accelerated in the last 12 months, and 58% predict it will continue to speed up.

During a digital transformation, network vulnerabilities increase and most of them remain undetected. Vulnerability identification remains a challenge because setting up 24/7 human-operated DDoS testing is expensive and impractical. Despite the advanced technology available, mitigation solutions do not fine-tune themselves automatically and require manual reconfiguration. Newly identified vulnerabilities in the network can be fixed only when mitigation solutions are fine-tuned in real time; otherwise pre-configured solutions soon become obsolete. The DDoS mitigation gap therefore widens as organizations undergo digital transformation on a regular basis.

DDoS Attack Vectors Becoming Complex - Another factor widening the DDoS mitigation gap is the increase in intensity, complexity, and sophistication of DDoS attack types, which makes attack detection a challenge.

The NETSCOUT Threat Intelligence Report mentions 4.8 million attacks in the first half of 2020, and confirms that complex 15-plus vector attacks have spiked 126 percent year over year and 2,851 percent since 2017, further complicating mitigation strategies. Another report from NETSCOUT observes more than 10 million DDoS attacks in the year 2020, i.e. nearly 1.6 million more attacks than seen in 2019.

DDoS attack vectors strike networks at three different layers of the OSI model, and attacks at different layers have distinct characteristics. DDoS attackers use the multi-vector technique within each of these three OSI layers, significantly complicating attack identification and mitigation.

(See Figure 1 for attack characteristics and attack types by OSI layer.)

Figure 1: attack characteristics and attack types by OSI layer

Multi-vector attacks are on the rise because the tactic improves attackers’ chances of damaging a network successfully. For example, attackers launch different vectors at once or modify the vectors in response to the mitigation solution, changing the attack strategy every few minutes. In this way, if one vector fails, another hits the target network within seconds, before mitigation can react. A deployed mitigation solution is configured to block identified vectors; however, it lacks real-time reconfiguration to block variations of those vectors, which increases the DDoS mitigation gap.

Hybrid Mitigation Solutions are Not Sufficient

Organizations deploy a combination of DDoS mitigation systems to combat the complexity of DDoS attacks. Cloud-based scrubbing centers and Content Distribution Networks (CDN) mitigate high-bandwidth Layer 3 and Layer 4 DDoS attacks. Customer Premise Equipment (CPE) mitigation devices prevent the more complex Layer 7 attack vectors.

(See the recommended DDoS mitigation posture depicted in Figure 2 below.)

Figure 2: recommended hybrid DDoS mitigation posture

Hybrid mitigation solutions can achieve optimal performance only when the different components (as illustrated in Figure 2 above) are fine-tuned and accurately synchronized with the production network. These mitigation solutions perform only after a DDoS attack is detected, but identifying DDoS attacks is another challenge altogether. 

Companies invest heavily in deploying mitigation solutions; however, security officers cannot test whether their mitigation solution works under different attack scenarios without disrupting their services. Current DDoS vulnerability detection tools require maintenance windows and cannot avoid downtime. Until recently, enterprises could not consider real-time verification of their defense tools without disruption, because the technology for it has only now become available.

How to Minimize the DDoS Mitigation Gap

In most DDoS attack scenarios, open channels are not detected in real time and vulnerabilities remain unblocked, so DDoS attacks bypass even the most robust mitigation solutions. Because businesses are transforming rapidly, the DDoS mitigation gap will continue to widen on vulnerable networks. It is therefore critical for organizations to detect and remediate the vulnerability gap before attackers can exploit it.

A new patented technology is now available to minimize the DDoS Mitigation Gap and block DDoS attacks entirely.  

RADAR™, MazeBolt’s transformative technology, is the only 24/7 automatic DDoS attack simulator that runs on live environments with zero downtime or disruption. Compatible with all mitigation solutions, RADAR™ automatically detects, analyzes, and prioritizes the remediation of DDoS vulnerabilities across the network.

RADAR™ provides ongoing analysis of surface risks and requires no maintenance window, so there is no disruption to the business. Security personnel can regularly fine-tune their mitigation policies against surface risks detected in real time, fix all vulnerability points before a damaging DDoS attack, and successfully minimize the DDoS mitigation gap.

About MazeBolt

Israel-based MazeBolt is an innovation leader in cybersecurity, with over two decades of experience in pioneering DDoS attack protection solutions. The company’s new flagship product, RADAR™, is a patented technology that offers DDoS protection through automated DDoS simulations on live production systems, with zero downtime, working in conjunction with any mitigation solution installed. Its unique capabilities have ensured business continuity and a full DDoS security posture for enterprises worldwide, including Fortune 1000 and NASDAQ-listed companies.
