Yes, they’re awesome! But analyzing lessons learnt from multi Tbps DDoS attacks doesn’t help the majority of enterprises strengthen their DDoS mitigation postures. These are 4 reasons why that’s so with tips on what could help.
- 99.4% of DDoS attacks don't saturate bandwidth
While it's difficult to wrap your head around the actual size of these mega Terrabit per second DDoS attacks, the truth is the overwhelming majority of DDoS attacks (99.4%) in 2019, according to Correro, didn’t saturate their targets’ bandwidth.
Why? Cybercrime like any other business strives to optimize return for its investment. In DDoS terms this means spending as little as possible to get the biggest impact. Why spend big when application layer (Layer 7) DDoS attacks can consume resources on a target’s Firewall with a fraction of the cost of saturating bandwidth and take the services down nevertheless?
- Most Enterprises have less than 1Gb of bandwidth
The leading cloud DDoS mitigation scrubbing vendors have well over 30Tbps of capacity to ensure that even monstrous DDoS attacks like the 2.3 Tbps attack against AWS or the 1.44 Tbps attack that Akamai mitigated in June does not take their services down.
On the other hand, most enterprises have under 1Gb of bandwidth which means that if they don’t have DDoS mitigation scrubbing services to protect them from large DDoS attacks upstream, DDoS attacks as small as 1Gbps and under could cause latency and / or downtime.
- Most DDoS Reflection attacks are based on UDP Traffic
The DDoS attack against AWS, a Connection-less version of the Lightweight Directory Access Protocol (CLDAP), isn’t new. It was used as early as 2016 and like other reflection DDoS attacks is formed on the basis of a UDP packet.
The mitigation mechanisms used to mitigate UDP based reflection attacks are largely the same. But because mitigating more sophisticated application layer attacks requires different mitigation mechanisms, these triumphs against mammoth Tbps DDoS attacks aren’t representative for the overwhelming majority of enterprises.
- (COVID-19) Network Changes Erode DDoS Mitigation
DDoS mitigation works when it’s configured to the underlying network it’s protecting. Network assets that aren’t mapped to DDoS mitigation configurations are not optimally protected from DDoS attacks. For example, a recently added web application server that hasn’t been specifically configured in DDoS mitigation policies is vulnerable to any DDoS attack targeting port 80, and Port 443, if using a secure connection with the likes of: HTTPS Attacks, SSL Negotiation Floods etc.
Another example is a VPN Gateway that wasn’t deemed critical before COVID-19 and therefore never specifically configured in the DDoS mitigation policy, could very well be exposed to a variety of DDoS attacks.
Like watching professional surfers tame 75ft waves off the shores of Nazaré, Portugal, successful mitigation of mega Tbps attacks, while impressive feats in their own respect, doesn’t provide most enterprises with insight into critical aspects of DDoS mitigation that are relevant to their specific needs.
To gain insight into which DDoS mitigation mechanisms aren’t configured for your specific network and what you can do about it see here.