Many services start out by offering high differentiation like commercial Internet access did in the mid-to-late 1990s, HD TVs in early 2000s, 4G mobile Internet in the early 2010s, and smart TVs in the mid-2010s. Those markets were destined to become more crowded and the services and products less differentiated. As distributed denial of service (DDoS) attacks have increased in number, complexity, and impact over the last few years, so has the number of DDoS mitigation service providers—in fact, there are a lot of them. Is DDoS mitigation now a commodity?

In a word, no. Does the hardware leveraged by the mitigation platform still make a difference? Yes. Do all providers use the same hardware? No. Does mitigation capacity still matter? Yes. Do all providers have the same malicious traffic scrubbing capacity? No. Can all providers handle multiple large (200Gbps+) attacks simultaneously? No. Does experience matter? Yes. Do all providers have the same underlying DDoS mitigation philosophy that influences their offerings? No. Some providers feel that cloud-based mitigation is all a customer needs while others feel that cloud-based mitigation can ideally be complemented by customer premise-based appliances in some situations. Do all providers offer equivalent flexibility and functionality where they are able to protect cloud-based, colo-based, customer premise-based, or CDN-based content equally well? No.

Many gaming platforms as well as social coding sites in early 2015 would certainly agree that the DDoS mitigation platform used does matter and does affect the success of the mitigation. The large properties just referenced were protected by DDoS mitigation services yet still experienced major performance issues. How could that be if DDoS mitigation is just a commodity? What is at risk? Isn’t DDoS just white noise? The answer is, the reputation of the business is at risk. Having the availability or performance of a highly visible service or resource impacted by a DDoS attack suggests that the company is not prepared from a security perspective and that the lack of preparation may extend into other security-related areas such as their customers’ personally identifiable information (PII) or their own intellectual property (IP). Indeed, many DDoS attacks are launched as a smokescreen to divert security resources, both human and hardware, from an intrusion attempt. Many studies (that are searchable) illustrate the direct revenue loss possible due to a DDoS as well as the indirect loss due to increased stress on Support, Public Relations, Security, etc. Here’s a hint: estimates range from mid-$10k to $100k per hour of downtime.

Is DDoS mitigation a commodity? Can your organization afford to treat it as a commodity? While these questions may be answered above, it is also apparent that this is a maturing market that must become more proactive and analytical. There are too many easy avenues for attack—and too few incentives for the targeted parties to patch their exploitable vulnerabilities (NTP servers, recursive DNS servers, SNMP-accessible devices and especially SSDP-vulnerable home routers)—to expect the DDoS threat to lessen. There is always room for disruptive, inventive solutions and complementary services (e.g., threat intelligence and security analytics). Trusting in the implementation of BCP38 and viewing all services as the same seem like frivolous luxuries that IT cannot afford.

The point is that the DDoS threat environment is constantly shifting and changing as attacks become larger, and more complex and destructive. Blanket mitigation techniques and services cannot stay abreast of this continuously morphing threat to your business. It requires expertise, state of the art technology, and ironclad processes that align defense policies to specific requirements and contingency plans.

DDoS… a commodity? No. Room for growth? Certainly!