Securing the enterprise from DDoS attack: A unique opportunity for ISPs and MSSPs

By Darren Anstee, Solutions Architect Manager for Arbor Networks.

  • Monday, 6th January 2014. Posted by Phil Alsop

Today’s enterprises are reliant on Internet connectivity, whether as a source of revenue, a means of communicating with customers or potential customers, or as a way of accessing the data and applications they need for everyday operations. Downtime can be very costly, both financially and from a reputational perspective.


To counter this risk, organisations have invested in data centres with resiliency and redundancy baked into their architectures. However, this has not helped them to protect themselves from the leading threat to Internet service availability – DDoS attacks.


Distributed Denial of Service (DDoS) attacks are designed to disrupt the availability of a targeted network, service or application by consuming some or all of the resources assigned to that network, service or application. Over the past decade DDoS attacks have increased in size, sophistication and frequency. They have become more common, with a broader range of targets and motivations, and awareness of the threat DDoS poses has increased through the well-publicised activities of Anonymous, Al Qassam Cyber Fighters and others.


Enterprises have rightly become concerned at the potential business impact a successful DDoS attack can have. Arbor Networks’ first Enterprise Threat Landscape report shows that 63 per cent of enterprises see the DDoS threat to Internet service availability as a top priority. So, how can enterprises protect their businesses from this threat?


ISPs and MSSPs (Managed Security Service Providers) are in a unique position to offer enterprises protection from the DDoS threat, as they have the skills, personnel and network capacity needed to deal with the attacks out there today.


Firstly, there are ‘volumetric attacks’, the most common and simplest type of DDoS attack. Volumetric attacks consist of traffic generated at high enough ‘bits per second’ or ‘packets per second’ rates to cause network congestion, preventing genuine traffic from reaching its destination. These attacks can be very large indeed, leveraging reflection and amplification techniques to magnify the capability of an attacker. One example is the Spamhaus DDoS attack in March 2013, the largest DDoS attack ever recorded, at approximately 300Gbps.


Secondly, there are ‘application layer attacks’, which target services at layer 7. These attacks have become increasingly common over the past four or five years and are the most sophisticated and stealthy type of DDoS attack. They utilise traffic that can be difficult to distinguish from that of a genuine user, making them more difficult to detect and mitigate without specialised solutions and services.


To deal with these different attack types, which are increasingly being used in combination, organisations need layered DDoS defences. Volumetric attacks have grown to a level where they can saturate the Internet connectivity of many organisations. Arbor Networks’ ATLAS monitoring programme shows the average size of a DDoS attack increased by 43 per cent between 2012 and 1H 2013 to 2.12Gbps. These attacks have to be dealt with within the ISP / MSSP, where sufficient capacity exists to allow genuine traffic to pass through whilst attack traffic is discarded.


Application layer attacks, and smaller volumetric attacks, can be just as damaging, though, and we must remember that once a service has been impacted it will not necessarily recover immediately after an attack has been mitigated. This is why proactive protection from these attacks is needed, and that requires DDoS defence at the network perimeter. Solutions deployed at the network perimeter have deeper visibility into traffic (as they can be deployed in-line) and can detect and mitigate more stealthy attacks before they have a chance to impact services, ensuring our business continuity is protected.


Ideally, these two layers of DDoS protection should work together to provide a seamless, automated defence against the DDoS threat. ISPs and MSSPs are in the perfect position to offer integrated, layered DDoS protection services to meet this growing market requirement. With DDoS attacks continually increasing in size and frequency, fifty per cent of enterprises intend to make DDoS protection part of their business risk management process for Internet service availability this year[1]. As such, the call for effective solutions is clear, and the bottom line for ISPs is that there has never been a more opportune moment to enter the MSSP space.