Cyber security vulnerabilities usually refer to weaknesses in software code that allow threat actors to take advantage of vulnerable programs, web applications, or systems for malicious purposes (these are also known as "General vulnerabilities").
DDoS Vulnerabilities are different.
General vulnerabilities at some level are a result of software design flaws – they are not caused by using the systems, web applications, or programs – and each vulnerability can be fixed or patched to completely prevent threat actors from exploiting it. The Equifax cyberattack in September 2017, for example, in which cyber criminals penetrated Equifax and exposed information of 143 million Americans started by exploiting a known General vulnerability on their website (enumerated as CVE-2017-5638) that Equifax had not patched in time to avoid the attack.
DDoS vulnerabilities are essentially different to General vulnerabilities in that they are not a result of design flaws, they are part of the inherent design of DDoS mitigation.
How can DDoS Mitigation be inherently vulnerable?
Whether your DDoS mitigation is based on a Cloud Scrubbing Service, On-premise device (CPE) or a Hybrid solution, its technology isn’t plug & play like other network devices (e.g. routers, firewalls). It blocks DDoS attacks as long as it’s perfectly configured both on a network level and an IP address level to the underlying network it’s protecting. This is why DDoS mitigation’s default settings need to be finely configured for each and every network and why two environments will rarely share the same DDoS mitigation configurations.
The problem is that once a DDoS mitigation solution is perfectly configured it isn’t designed to automatically adapt to changes in the underlying network it is protecting. Because networks are constantly changing DDoS mitigation is constantly being eroded – opening DDoS mitigation vulnerabilities (or a "DDoS mitigation gap") – through which DDoS attacks can penetrate the network and take services down. Based on hundreds of tests, the industry average DDoS mitigation solution has an initial 48% DDoS mitigation gap.
DDoS vulnerabilities are not design flaws, but rather an inherent design limitation of DDoS mitigation solutions.
Complementing DDoS Mitigation Solutions – Closing the DDoS Mitigation Gap
The first step towards closing your DDoS mitigation gaps is identifying them, which is done by testing your DDoS mitigation. The problem is that Traditional DDoS Testing (Sometimes referred to as "PT") is extremely disruptive to ongoing operations and usually causes downtime or significant service disruption to ongoing operations. This is why Traditional DDoS penetration testing can be done on production environments only during maintenance windows, on average once or twice a year for short 3 – 4 hour periods each, that provide a limited and temporary understanding of your DDoS mitigation Gap. Companies performing Traditional DDoS PT twice a year are able to successfully reduce their DDoS mitigation gap from the initial average of 48% to 32% – effectively leaving them in a constant state of vulnerability to DDoS attacks. (See more in State of DDoS Protection Report)
The only way to ensure your DDoS mitigation is configured properly is by gaining continuous visibility of your DDoS mitigation Gap. This visibility complements the inherent shortcomings of DDoS mitigation, and allows your DDoS mitigation vendor to fix the ongoing erosion in your DDoS mitigation posture to secure the integrity of your online services.
This is exactly what the next generation of DDoS penetration testing, the DDoS Radar, does.
The DDoS RADAR® performs Non-Disruptive DDoS red team testing against your environment with ZERO impact on ongoing operations that allows companies to analyze their entire DDoS Threat Landscape 24/7 continuously with real-time reporting on DDoS Mitigation Gaps identified.
This continuous identification of DDoS vulnerabilities ensures DDoS mitigation gaps are kept at a minimum.