DDoS mitigation effectiveness is eroded over time
DDoS mitigation works best when it is first configured, though even then it is far from perfect. DDoS mitigation defenses rely entirely on analyzing incoming traffic, detecting and blocking bad traffic, and passing on only the legitimate traffic.
DDoS mitigation policies are defined per IP address or per network, to ensure that only legitimate traffic can flow to the services that external users require. Even the latest advanced DDoS mitigation technologies need to be configured and fine-tuned on an ongoing basis. They are not simply plug and play.
Hackers have several ways to bypass any DDoS mitigation system.
It is relatively easy for hackers and cyber criminals to probe a network they intend to target. Prior to a DDoS attack, they send small exploratory probes of 'bad traffic' and use them to look for gaps in the DDoS security policy. When they later launch the attack, the results of those probes tell them how to bring the system down effectively.
This is done by bypassing the DDoS defenses. More on this can be read on the webpage "Downtime and the DDoS Mitigation Gap".
After the initial configuration of your DDoS mitigation, ongoing fine-tuning of the mitigation policies is critical to avoid downtime. Most production networks and services change constantly, and each change represents a potential new gap in your DDoS mitigation configuration. These changes are very difficult, if not impossible, for any network security team to keep up with.
To address this shifting configuration challenge, most enterprises rely on either Traditional DDoS Pen-Testing or the BaseLine validation method.
Old Technique: Traditional DDoS Pen-testing
Traditional DDoS Pen-testing is widely used for validating DDoS mitigation configurations. It has some value and, until recently, was considered the only way to understand an existing DDoS mitigation posture and configuration. It gives very limited insight into where the DDoS mitigation is vulnerable, but it does give some direction on where action can be taken to remove flaws and vulnerabilities.
Disadvantages of Traditional DDoS Pen-testing
It requires major downtime and disruption, with the entire network team on standby at very inconvenient hours.
The fact that Traditional DDoS Pen-testing cannot be run to validate the entire production network itself invites questions and scrutiny of the approach. There are several reasons why Traditional DDoS Pen-testing is not the best practice for validating DDoS mitigation.
Firstly, if the testing must be performed on a production environment (which it must, if that’s what you are validating), then it can only be tested during a maintenance period. In all likelihood, no more than 3 hours can be given to perform this task a maximum of twice a year.
Secondly, once the vulnerabilities are detected, communicated to the DDoS mitigation vendor, and then fixed by the vendor, there is no way to validate that those changes were effective without another maintenance period.
Lastly, with Traditional DDoS Pen-testing one cannot test across all of the web-facing IP addresses. You would be able to select a sample of around 5 IPs to test, which would have to represent your entire global IP address space. It is, in fact, more like a litmus test.
Therefore, relying on Traditional DDoS Pen-testing will not ensure that your DDoS mitigation policies are fine-tuned enough to withstand a major DDoS attack of any kind.
The New technique: MazeBolt’s DDoS Radar®
What if an enterprise were given the option to validate its live production network and IT services, across all web-facing IP addresses, without interrupting the business?
Yes, you heard it correctly. This can finally be achieved with MazeBolt's patented DDoS Radar® technology.
This whitepaper describes how the BaseLine validation methodology, together with DDoS Radar®, can be used to validate DDoS mitigation 24/7 without disruption. With this new advanced technology, full coverage of all known DDoS attack vectors and all IPs can be accomplished.