If you’re one of the few website or business owners who don’t know first-hand how serious the DDoS threat is getting, then take it from cyber security professionals: despite the fact that the number of DDoS attacks went down in 2016, it is still a graver threat than ever before. As the problem grows, cyber security professionals, as well as website owners and perhaps even governments, are looking to ISPs to offer better protection.
However, with the size, frequency and duration of DDoS attacks constantly increasing and the immediacy of the threat for nearly every website on the internet, is waiting for ISPs to up their mitigation game really the best strategy?
Growing DDoS devastation
A DDoS attack is a distributed denial of service attack, an effective means of slowing down a website past the point of usability or taking it offline altogether. A DDoS attack is accomplished using a botnet, which is a collection of internet-connected devices that have been compromised by malware to allow attackers to control them remotely. Using this botnet, attackers can direct a large amount of malicious traffic at the target website, overwhelming the server or other essential network resources.
According to the Corero DDoS Impact Survey 2017, 31% of IT security pros, as well as network operators, indicated that they are dealing with more DDoS attacks now than they have in recent months, with 40% saying they’re dealing with those attacks on either a monthly, weekly or daily basis. Fifty-six percent of respondents view distributed denial of service attacks as a bigger problem this year than they have been in previous years. According to this same survey, however, those same professionals may be looking for a solution in the wrong place.
ISP protection…and limitations
If there’s one thing nearly all of the security professionals and network operators surveyed can agree on, it’s that they’re looking to ISPs to provide better distributed denial of service protection, namely blocking attack traffic before it reaches the networks of websites being targeted.
It probably goes without saying that it would be fantastic if ISPs provided this kind of protection as an integrated service. However, the built-in DDoS protection currently provided by ISPs is incomplete at best. Since ISPs have a lot of bandwidth available, they offer effective protection against volumetric attacks, but clever application-layer attacks present a major problem. Additionally, ISPs are good at identifying malicious traffic, but their downfall lies in actually dealing with that traffic. An ISP’s attempt to filter out malicious traffic often results in a bottleneck that snares legitimate traffic as well, resulting in a DDoS-like environment in which a website’s users can’t reach the website anyway. Lastly, a basic ISP service is almost completely ineffective at detecting DDoS attacks made up of seemingly legitimate requests, such as Slowloris.
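The gap described above, between bandwidth-based filtering and attacks built from seemingly legitimate requests such as Slowloris, can be shown with a small detection sketch. This is an added example, not from the original article; the record fields, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Conn(NamedTuple):
    src: str            # client address (constructed, documentation ranges)
    bytes_in: int       # bytes received from the client so far
    age_s: float        # seconds since the connection was accepted
    headers_done: bool  # True once the request headers were fully received

# Hypothetical thresholds; tune them to the protected server.
VOLUME_BPS = 1_000_000    # per-source bytes/second treated as a flood
HEADER_TIMEOUT_S = 10.0   # ordinary clients finish their headers well before this
MAX_STALLED = 20          # stalled connections tolerated per source

def volumetric_sources(conns, window_s=60.0):
    """Sources whose inbound byte rate over the window exceeds VOLUME_BPS."""
    total = defaultdict(int)
    for c in conns:
        total[c.src] += c.bytes_in
    return {s for s, b in total.items() if b / window_s > VOLUME_BPS}

def slow_header_sources(conns):
    """Sources holding more than MAX_STALLED connections with unfinished headers."""
    stalled = defaultdict(int)
    for c in conns:
        if not c.headers_done and c.age_s > HEADER_TIMEOUT_S:
            stalled[c.src] += 1
    return {s for s, n in stalled.items() if n > MAX_STALLED}

def sample_connections():
    """Constructed snapshot of a web server's connection table."""
    conns = [Conn("198.51.100.7", 90_000_000, 2.0, True)]    # high-volume source
    conns += [Conn("203.0.113.9", 180, 45.0, False)] * 150   # tiny, slow, never completes
    conns += [Conn("192.0.2.44", 700, 0.3, True)] * 5        # ordinary browser
    conns += [Conn("192.0.2.80", 300, 12.0, False)]          # one slow but harmless client
    return conns

if __name__ == "__main__":
    table = sample_connections()
    print("volume check flags:     ", volumetric_sources(table))
    print("slow-header check flags:", slow_header_sources(table))
```

The slow source sends only about 450 bytes per second in total, so a volume threshold never sees it; counting long-lived connections with incomplete headers per source does.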
It is possible to get full distributed denial of service protection from an ISP; however, it is an add-on service for which customers pay a premium. As you can imagine, there isn’t much incentive for ISPs to provide a service for free when they’re already making a profit from it.
Protection when it’s needed
There’s speculation that, due to the crushing threat of DDoS attacks, we may in the future see regulations regarding the kind of protection ISPs have to provide. That’s all well and good for the future, but devastating, even business-crippling DDoS attacks are happening now, so now is when protection is required.
The answer to keeping malicious DDoS traffic from reaching a website’s network is professional DDoS mitigation that is positioned at the perimeter of the network in question and employs granular traffic inspection that can easily bounce attack traffic to a scrubbing server while allowing legitimate traffic through to the website without any sign of anything being amiss.
There’s no question amongst security professionals that distributed denial of service attacks are a serious problem that’s only getting more serious. There’s a reliable solution out there, but for anyone currently looking to ISPs to provide that reliable solution, it’s either pay or face the potential consequences of a successful attack.