Five steps to evaluating a DDoS managed service provider
The news that the Southern African Department of Labour was recently able to foil a distributed denial of service (DDoS) attack on one of its external-facing servers in early September reminds us that businesses and governments must remain vigilant at all times. While this DDoS attack was unsuccessful, a 2016 attack in Liberia, West Africa took the entire country offline for a week, when a Mirai botnet variant known as Botnet 14 spent seven continuous days on the offensive, flooding the two companies that co-owned the fibre going into the country with 600 Gbps flows that overwhelmed their infrastructure.
Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, which specialises in advanced distributed denial of service (DDoS) protection solutions, says, “We know that DDoS attackers will target anyone today, from SMEs that might have valuable data, to banks with sophisticated security systems, all the way to governments at the level of a sovereign nation. By using multiple compromised computer systems to attack a target and cause a denial of service for legitimate users, a flood of incoming information forces the target system to slow down or even crash. And so vigilance remains the eternal watchword.”
In this vein, NETSCOUT Arbor says the case for a managed DDoS protection and mitigation service is well established: partnering with a provider that can oversee your organisation’s security operations takes a critical IT management issue off your plate, boosts your staff resources, and gives you access to specialised DDoS expertise. But not all managed DDoS services are alike.
Hamman clarifies, “When you are choosing your managed DDoS service provider, NETSCOUT Arbor outlines the following key areas to look out for: the flexibility to handle customised workflows; customer-focused reporting and intelligence; adequate network size; the experience of the provider’s IT team; and a best-practice hybrid solution.”
Flexibility to handle custom workflows: Your organisation may already have some operational processes and procedures in place for dealing with DDoS threats. A managed service provider should be able to adapt and align to you, rather than requiring you to change your processes. “You may wish to ask questions such as: Under what scenarios do you want the service provider to initiate mitigation action on its own, or seek your authorisation? Can the provider support different actions based on different alert types or event levels?” says Hamman.
Customer-focused reporting and intelligence: A good DDoS provider will deliver reports detailing the latest incidents and the actions taken in response to security events. However, a DDoS provider that is prepared to take their service to the next level above this will take a more proactive, consultative approach, which leverages global threat intelligence as the basis for recommendations to improve your security posture. A managed service provider should also be able to supply executive-level reporting that enables you to demonstrate ROI and key metrics for the C-suite.
Size of network: NETSCOUT Arbor says DDoS attacks are growing in sheer size and rapidly approaching terabyte territory, due largely to amplification techniques and the emergence of Internet of Things (IoT) botnets. The capacity to absorb and disperse the largest known attacks is imperative. Equally important is a distributed infrastructure, with multiple locations that enable mitigation to take place as close to the source of the attack as possible. This not only avoids “choke points”; it also accelerates time-to-mitigation cycles.
While absolute network size is an important consideration, so too is the amount of capacity dedicated to DDoS mitigation. A dedicated provider is critical to mitigating massive attacks. It should be noted that managed service providers support multiple customers, and there is always the risk that several will be hit at once. It is not enough, therefore, to have capacity levels that are equal to or even twice the size of any potential attack. Rather, the network must be several orders of magnitude bigger than the largest known attacks. Ten terabytes of capacity is quickly becoming the standard that will define the modern, managed DDoS provider.
Experience of team: A good provider will rely heavily on automation. Over and above this, your provider of choice needs to understand that foiling threat actors takes human intelligence: the ability to recognise and analyse a real attack, understand its origins and quickly determine its objectives. “Therefore,” says Hamman, “your provider of choice should have dedicated research teams with decades of experience studying, analysing and overseeing the successful mitigation of DDoS attacks, as well as excellent security expertise from team members with diverse professional backgrounds and complementary skills.”
Best-practice hybrid solution: Increasingly, security experts agree that a hybrid solution, combining on-premise and cloud capabilities, is the best defence against DDoS attacks. The on-premise component can typically capture the vast majority of malicious traffic. If an attack threatens to exhaust the capacity of an on-premise appliance, the cloud capability can automatically activate. Today, on-premise defences can be virtualised. With a fully managed service, costs are offset by a reduction in staffing requirements, and you only pay for as much cloud capacity as you consume.
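The two workflow questions above (which alert levels the provider may act on without asking, and when on-premise defence hands off to the cloud) can be written down as a small policy engine. The following is an added illustration, not NETSCOUT Arbor's code; the appliance capacity, the 80%/50% trigger and release thresholds, the alert-level names and the traffic timeline are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    """Customer-defined workflow: alert levels the provider may mitigate unaided,
    and how much on-premise headroom remains before cloud mitigation is signalled.
    All defaults are illustrative assumptions, not vendor values."""
    appliance_capacity_gbps: float
    auto_mitigate_levels: frozenset = frozenset({"low", "medium"})
    cloud_trigger_ratio: float = 0.8   # signal the cloud before the appliance saturates
    cloud_release_ratio: float = 0.5   # hysteresis: hand back only once well below trigger

def next_action(policy, alert_level, attack_gbps, cloud_active):
    """One step of the hybrid workflow. Returns (action, cloud_active_after)."""
    load = attack_gbps / policy.appliance_capacity_gbps
    if alert_level not in policy.auto_mitigate_levels:
        # Alert type the customer reserved for itself: provider must ask first.
        return ("seek-authorisation", cloud_active)
    if cloud_active:
        if load < policy.cloud_release_ratio:
            return ("release-cloud", False)
        return ("cloud-mitigating", True)
    if load >= policy.cloud_trigger_ratio:
        return ("activate-cloud", True)
    return ("on-premise-mitigating", False)

def run_timeline(policy, samples):
    """Replay (alert_level, attack_gbps) samples and return the action taken at each step."""
    actions, cloud_active = [], False
    for level, gbps in samples:
        action, cloud_active = next_action(policy, level, gbps, cloud_active)
        actions.append(action)
    return actions

# Constructed sample timeline (not real telemetry): a 10 Gbps appliance under a ramping flood.
SAMPLES = [("low", 2.0), ("medium", 7.0), ("medium", 9.0), ("medium", 12.0),
           ("medium", 6.0), ("medium", 4.0), ("high", 30.0)]

if __name__ == "__main__":
    for (level, gbps), action in zip(SAMPLES, run_timeline(Policy(10.0), SAMPLES)):
        print(f"{level:6} {gbps:5.1f} Gbps -> {action}")
```

The hysteresis gap between trigger and release keeps the cloud from flapping on and off while an attack hovers near the appliance's limit.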
“As we’ve reported previously, data from the NETSCOUT Arbor Worldwide Infrastructure Security Report (WISR) for 2018 showed that South Africa was within the top 10 of countries targeted by DDoS attacks for both the 2018 and 2017 WISR reports. DDoS defences simply cannot be emphasised enough,” concludes Hamman.