458087 IDC Tech Spotlight New DDoS Defense FINAL .pdf

I D C

T E C H N O L O G Y

S P O T L I G H T

The New DDo S Defense: Denying Denial -ofSer vice Attacks
February 2015
Adapted from Worldwide DDoS Prevention Products and Services 2014–2018 Forecast by John Grady,
Christina Richmond, and Christian A. Christiansen, IDC #251384

Sponsored by Arbor Networks
Enterprises are under attack. Any business that depends on the Internet is a target for distributed
denial-of-service (DDoS) attacks, which overload a network and its components, effectively shutting
down the network. These attacks are more than an inconvenience — they can harm an organization's
reputation or, worse, cost lots of money in lost customers, revenue, and data. This Technology
Spotlight describes DDoS attacks and their rise in the business market. After a discussion of the
costs of these attacks and current mitigation solutions, the paper examines Arbor Cloud, a DDoS
service from Arbor Networks. This Technology Spotlight also provides advice for organizations
evaluating DDoS mitigation solutions.

The Rise of DDoS and the Threat to Business
The number of DDoS attacks has increased dramatically over the past several years. While these
attacks started with blocking access to Web sites, with the rise of Web-based services and
software as a service (SaaS), the threat of DDoS is now pervasive across the Internet and involves
high-profile sectors such as financial services, social media, and ecommerce.
Attacks occur for political reasons, for financial gain, and as a diversionary tactic to steal intellectual
property. All businesses are potential targets, even industries not as highly targeted, such as
manufacturing and services. Virtually every executive suite and boardroom is beginning to
understand not only what but also how much is at stake.
Since 2012, IDC has seen a sharp increase in the frequency, bandwidth volume, and application
orientation of attacks. For example, in a 24-hour period on May 7, 2013, 2,732 DDoS attacks were
launched. Not only is the number of attacks significant, but the duration of such threats has
increased; for example, the length of attacks increased from an average of 32.2 hours to 34.5 hours
during the six-month period from September 2012 to March 2013.
The DDoS threat will become even more serious. And with the Internet now supporting the entire
financial, industrial, utility, and government infrastructure, the desire to stop or mitigate DDoS is
justified. Accordingly, IDC predicts the worldwide market for DDoS prevention solutions will grow by a
CAGR of 15.4% from 2013 through 2018 and reach $944.4 million.

Inside DDoS Attacks
What constitutes a DDoS attack? Internet equipment is taxed when billions of high-speed
transactions attempt passage. High-capacity routers that transmit traffic between networks slow down
when an excessive number of packets aimed at a single point of destination arrive. If the traffic does
not have adequate routing, as happens in DDoS, it is halted, and the entire system stops working. In
such situations, existing defenses like firewalls fail.
IDC 1850

The challenge is that if servers are hit with an excessive number of requests, they become unusable
and ultimately go down. In the case of DDoS, an attacker can deploy hundreds and even thousands
of bot-infected devices to generate requests. When servers get hit by a storm of transactions, they
may not be able to distinguish legitimate requests from assaults. These attacks are implemented
either by forcing a targeted computer to reset or by consuming resources so as to impede an
intended service.
DDoS attack sources include professional criminal DDoS operators who use botnets for profit,
untraceable cash collectors (mules) who organize DDoS attacks for profit, individuals who use DDoS
for personal gain, opt-in attackers who join in DDoS protest movements, and spy attackers who
render key business services unavailable while seeking information such as financial data or
intellectual property. These attackers use a variety of DDoS methods, including:


Bandwidth consumption. DDoS floods network choke points on the Internet, preventing traffic
from reaching destination servers.



Resource exhaustion. A botnet operator can instruct several botnet agents to make several
simultaneous connections, which prevent the addition of more connections to the target Web site.



Application exploitation. DDoS uses application vulnerabilities such as logic flaws. For
example, an application may accept three failed log-in attempts before it locks out. Submitting
multiple erroneous log-ins renders the application inaccessible.

Migrating to cloud computing can be a sound proposition from a purely business standpoint.
However, cloud-based applications are also attractive to cybercriminals. Cloud services concentrate
so much data in one place that they justify a large investment of an attacker's time and resources,
affording improved opportunities for DDoS attacks. Exhaustion attacks could then consume
resources in servers, load balancers, and firewalls.

The Costs of DDoS
The price of a DDoS attack can be steep. An average data breach is estimated to cost an enterprise
over $5 million in operating expenses and lost business. According to the accounting firm KPMG,
there has been a 40% increase in the number of publicly disclosed data breaches over the past two
years. Perhaps more important, a data breach can damage a company's reputation for many years.
In addition, DDoS attacks can have far-reaching legal implications. In many industries, such as
financial services, laws and regulations demand disclosure of a breach in computer services. Cases
involving damage claims from DDoS can be material evidence if liability is present, such as when a
negligent computer services vendor is involved.
While the costs of engaging a law firm may be minimal, fines and payments for damages can be
substantial. Shareholders can file class-action lawsuits seeking compensation for damages on the
premise that the organization failed to protect personal information properly. This is particularly the
case when DDoS is a diversion; the company's IT staff is focused on the DDoS when the attackers
use other means to break into the company network to steal information.
In addition, inquiries about adequate security may also come from the Securities and Exchange
Commission (SEC). The SEC has been pressing firms to be more forthcoming about any attacks on
their computer networks. Forty-seven states have enacted data breach notification laws. The SEC
has sent dozens of letters to companies asking for documentation of cybersecurity situations. Firms
are now accountable to declare material risks to their networks.

2

©2015 IDC

DDoS Solutions
Firewalls, IPS appliances, and other devices may be helpful for coping with basic attacks. However,
these security devices can become targets themselves because they are unable to recognize traffic
that is part of a flood attack. Therefore, special-purpose solutions are needed to mitigate DDoS
attacks, and organizations with an online presence should add DDoS protection.
The best practice to defend against DDoS attacks is a hybrid approach of on-premises and
cloud-based services. This approach consists of on-premises and cloud-based scrubbing, working in
concert through signaling. Standalone, or cloud-only, or perimeter-based appliance, or CDN
approaches are all too risky by themselves.
In a hybrid scenario, an on-premises appliance provides defense against smaller volumetric attacks
and application layer attacks. If a large-scale attack occurs, the cloud component is able to divert the
traffic into a scrubbing center before rerouting back to the customer network. True hybrid solutions
combine the best of all DDoS defenses when on-premises solutions are tightly integrated with cloud
defenses, creating a seamless, multilevel defense system.
Any DDoS prevention scheme must center on protecting data and critical assets and limiting the time
to the discovery of data loss from an attack. In many ways, the safest course of action is to assume
that a breach will occur and to determine how best to limit the damage, which is typically through a
multilayered defense. This requires complete visibility of network traffic to correlate information and
accurately detect anomalous behavior.
But most importantly, organizations need efficient tools for uncovering threats within the network.
With the massive amount of traffic flowing through organizations today, it has become increasingly
difficult to address both of these issues.

Considering Arbor Networks' Arbor Cloud
Arbor Networks, headquartered in Burlington, Massachusetts, is a leading provider of DDoS and
advanced threat protection for enterprises and mobile and carrier network service providers. The
company launched its managed DDoS protection service, Arbor Cloud, in November 2013.
Arbor Cloud offers multilayer protection, utilizing Arbor's Pravail DDoS on-premises appliance and a
global cloud mitigation infrastructure based on Arbor's Peakflow equipment. Underlying this hybrid
on-premises/cloud solution is the expertise found in Arbor's ATLAS Intelligence Feed, which
constantly updates Arbor solutions on new DDoS threats and fingerprints and automatically tracks
known harmful botnets on a worldwide basis.
With Arbor Cloud, the customer manages the on-premises Pravail Availability Protection System
solution and Arbor offers global DDoS mitigation as an on-demand service for when attacks become
too large or complex to be handled onsite. The Pravail device automatically provides protection from
application DDoS and botnet threats and is updated to new threats through Arbor's threat feed.
Pravail devices provide a full suite of attack countermeasures and visibility into attacks, threats, and
blocked hosts. The Pravail solution can be set to trigger responses automatically or manually and can
then alert more comprehensive measures offered through Arbor Cloud.
If an attack warrants further action, Arbor's on-demand service is activated. Based on the company's
Peakflow technology, the service offers multiple DDoS countermeasures that detect, remove, and
scrub illegitimate traffic while enabling the flow of legitimate traffic. Added intelligence provides
visibility into traffic, services, and applications to enable enterprises to make rapid and informed
decisions about routing, transit, partners, customers, and quality of service. This automated response
is supported by Arbor's Cloud Service Specialists and Security Operations Center to provide
hands-on support and extensive expertise in real-time DDoS mitigation.
©2015 IDC

3

Challenges
But Arbor Networks does face some challenges. Enterprise dependence on the Internet will only
continue to grow. This means more traffic, more data, and more DDoS attacks. Arbor must continue
its drive to manage and protect large amounts of networked data and never stop in its mission to
identify DDoS attacks and malicious botnets.

Conclusion and Recommendations
DDoS will continue to be a serious threat to enterprises. What started as relatively isolated threats
has grown to be a major concern for all industries, from financial services to social media to
ecommerce. Any organization with a sizable online presence should consider adding dedicated
DDoS protection if it has not already. When considering an on-premises solution versus a cloud
solution, organizations need to recognize that the administrator requirements differ from those of a
firewall or an IPS solution. As is often the case, the best solution is often a combination approach
where an on-premises appliance and cloud service are used in conjunction when resources allow it.
For organizations that cannot commit the staffing resources, many on-premises and cloud providers
offer additional managed services to help configure defenses and mitigate attacks in real time. IDC
recommends asking the following questions when selecting a DDoS mitigation partner:


What experience does the organization have in a specific industry or situation?



How does the security operations center handle a DDoS attack?



What is the average time to mitigate an attack?



How much latency should a customer expect?



How does the organization scrub DDoS bot-infected data?



How does the organization's anti-DDoS technology know good data from bad data?

There is no longer a one-size-fits-all security appliance or a software firewall that can outthink all
attack formats. Therefore, a mix of several deterrents, including contracted security services, must be
applied for different levels of protection for different parts of the enterprise. An application portfolio
may have to be split into several security zones where uptime reliability and several backups are
available.
An extensive array of commercial tools are available for use. Many of these tools are optimized for
limited attack traffic profiles. Many readily obtainable DDoS tools can be preconfigured for a specific
type of traffic. Executives should engage firms that have already demonstrated the ability to mitigate
a wide range of DDoS attacks. IDC advises that CIOs hire firms that intercept DDoS in upstream
networks, with proven experience in DDoS interception. As organizations look to adopt DDoS
countermeasures, they should:


Redesign network topology to ensure that DNS routers are contained within the boundaries of the
network control center



Engage legal counsel from firms that specialize in cybercompromise matters



Engage forensic IT experts, under the guidance of legal counsel and auditors, to oversee
information security operations, including compliance with standards and commercially endorsed
best practices

4

©2015 IDC



Overprovision server and network capacity for bandwidth DDoS attacks; this may require moving
to a higher level of service offering



Set up for black hole routing to reroute malicious traffic



Arrange for distributed hosting so that attackers are divided



Patch all applications with the latest vendor software



Harden all systems, removing superfluous services



Apply processing limits to inbound traffic



Implement load balancing and prioritization hardware to distributed inbound traffic



Filter and block known bad actors from a list of suspected botnets

A list of 5,300 recent suspected DDoS operators is available directly from the FBI. Even with this
information, however, DDoS attacks will happen. And due to the speed of technology, enterprises will
continually play catch-up to mitigate these threats. Quite often, in-house IT staffs are not prepared to
focus solely on DDoS, so it is an advantage to partner with an outside provider. Such organizations
not only have expertise but also are keeping track of new DDoS approaches that need to be stopped.
To the extent that Arbor Networks can overcome the challenges described in this paper, the
company's Arbor Cloud service has a significant opportunity for success in the market for
comprehensive DDoS mitigation solutions.

A B O U T

T H I S

P U B L I C A T I O N

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein
are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor
sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by
various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.
C O P Y R I G H T

A N D

R E S T R I C T I O N S

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires
prior written approval from IDC. For permission requests, contact the IDC Custom Solutions information line at 508-988-7610
or gms@idc.com. Translation and/or localization of this document require an additional license from IDC.
For more information on IDC, visit www.idc.com. For more information on IDC Custom Solutions, visit
http://www.idc.com/prodserv/custom_solutions/index.jsp.
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

©2015 IDC

5