The Business Case for Managed DDoS Protection

Brian Partridge, Yankee Group, Aug 2011


Enterprise Security Threats Are Growing in Size, Frequency and Sophistication

Today’s security professionals find themselves in a very different environment compared with even a few years ago. The proverbial teenage hacker is a quaint and distant memory; today, organizations routinely face distributed denial-of-service (DDoS) attacks by competitors, organized crime and activists (see Exhibit 1). As cyber-security threats increasingly focus on strategic data assets, the risks become even greater. The sophisticated tools at the disposal of today’s cyber criminals put an entire organization at risk, with serious consequences to brand and product viability, as well as direct and indirect financial impact. Cyber-security is no longer just an IT consideration; it’s a must-have for every corner of the modern business operation. In short, attacks have gone from broad-based, untargeted threats with nuisance-level impact to highly targeted and sophisticated attacks that can swiftly put enterprises out of business.

Exhibit 1: DDoS Attacks Are Growing in Complexity, Volume and Motivation
Source: Yankee Group, 2011

ddos attacks growing in complexity

Today, most enterprises rely on the Internet in every conceivable way. They use Web sites to promote their brands, e-commerce platforms to sell their products and e-newsletters to keep customers informed. Employees use it to make phone calls, send e-mail and instant messages, and update social media platforms such as Twitter and Facebook for business purposes. As more operations become dependent on the Internet, the risks associated with DDoS attacks increase. In addition to crippling operations, these strikes fuel doubt about internal infrastructure, stability and security practices. And the ramifications are great. Blogs and tweets about such attacks begin in real time and quickly become part of the Internet’s permanent record. The potential for damage to a company’s brand is lasting and incalculable. These risks are exacerbated for smaller organizations that lack the resources and internal staff to adequately defend assets against DDoS attacks themselves. This whitepaper provides a snapshot of the evolving DDoS threat, provides guidance on what to look for in a managed DDoS solution and presents a financial cash-flow analysis scenario of an investment in a managed DDoS protection service.


For this report, Yankee Group conducted interviews with network operators, specialized service providers and equipment vendors. These interviews provided a basis for our qualitative and quantitative analysis while also informing our review of past, present and future trends in DDoS attacks. In the course of conducting this research, it became clear that not only were DDoS attacks growing substantially, but as a result, so was interest in solutions.

DDoS Attacks Are Bigger and Badder Than Ever

DDoS attack frequency and volume has increased substantially over the last two years (see Exhibit 2). According to Arbor Networks’ 2010 Infrastructure Security Report, 69 percent of network operators surveyed reported at least one attack per month, while 35 percent reported 10 or more per month, up from 18 percent in 2009. More frequent attacks are the result, at least in part, of a growing array of attackers with a wide range of motivations, including:

  • Organized crime. Using DDoS attacks for extortion is not new. Historically, such attacks were primarily targeted at online gambling sites, but more recently retailers have become targets as well. In either case, the attacker launches a sample attack prior to a major sporting event or holiday, and then demands protection money to ensure it doesn’t happen again. Providers also report evidence of competitive attacks (e.g., one retailer arranging to have a competitor attacked during the holiday shopping season or around a major product launch).
  • Politics. Attacks like those in 2009 during the Iranian election and around July 4 against a range of U.S. government targets contribute to a growing body of evidence that governments are sponsoring attacks for political motivations. Cyber-security pundits fear not only increasingly large and sophisticated DDoS attacks, but also multifaceted attacks in which DDoS is just a component or a diversionary tactic to cloak something more sinister.
  • Hactivism. The WikiLeaks incidents are the latest example of attacks being used to promote hactivist agendas. Why risk a dangerous protest if you can garner publicity for your cause from the comfort of your couch? The combination of freely distributed point-and-click attack tools and social media as an organizing mechanism is making activist attacks easier than ever. A recent example from the news is LulzSec, a group of expert hackers who targeted Sony, Nintendo and PBS. Although it publicly claimed it ceased operations, another group named Anonymous boasts an even larger army of hactivists quickly ready to pick up where LulzSec left off. This group recently targeted key government agencies such the C.I.A., U.S. Senate and major brands such as Sony and AOL.

While DDoS attacks used to be primarily targeted at household names and other obvious targets, nowadays any organization with money to lose, political interests or activist enemies—effectively anyone—is a potential target and should consider protection.

Exhibit 2: DDoS Attacks Continue to Grow
Source: Arbor Networks’ 2010 Infrastructure Security Report

DDoS Attack Size Over Time

DDoS Attacks Are Becoming More Sophisticated Every Day

Though basic DDoS floods remain an issue, attackers today are a lot more sophisticated, requiring providers to become increasingly resourceful in their countermeasures. Not only are there more DDoS attack types in the modern arsenal, attackers have learned to adapt their tactics, morphing attacks to outwit countermeasures as soon as they’re in place. Today’s DDoS attack kit includes:

  • Basic volumetric attacks. From the equivalent of clicking reload really fast on a bunch of browsers to Internet Control Message Protocol (ICMP) floods, attackers have tried different protocols and leveraged botnets (legions of compromised computers) to generate enormous amounts of highly distributed traffic.By overwhelming the target with these bogus requests, volumetric attacks make it impossible for legitimate requests to receive a response.
  • Dynamic attacks. In the old days, attacks would be a simple flood, maybe of a new protocol, but once the provider identified the attack and characterized it, it could implement protection and get on with its life. Not anymore. Providers report that dynamic attacks—those that change their attack mechanisms,rotate different botnets in and out of use, and vary their targets—are becoming more common.
  • Asymmetric attacks. These attacks make small bandwidth requests that result in large processing requirements for the target. For example, requests for images, movies or other downloads are quite small, but they create a lot of work for the target server. Attacks that generate a bunch of these small requests can result in denied service, but in such a way that they don’t trigger detection mechanisms looking for huge variances in incoming traffic volume.
  • Infrastructure attacks. While many early attacks targeted just Web sites, many other infrastructure components can be directly overwhelmed to yield the same loss of service. Modern attackers target domain name system (DNS) servers, e-mail servers, APIs, firewalls, load balancers and other infrastructure components to evade detection and complicate mitigation. DNS attacks are multifaceted because DNS is the foundation for all Internet-based infrastructure traffic routing; when DNS is down, so is everything else.
  • Application attacks. Attackers are also moving up the stack and targeting applications directly to deny service in a way that evades current protection mechanisms. For example, a Slowloris DDoS attack achieves stealth by sending partial connection requests to the target in an effort to fill the maximum connection pool and thus deny service, while using minimal bandwidth and having little direct impact on unrelated services and ports.
  • Cloud-based attacks. Although attacks through cloud providers have yet to become commonplace, security pros are worried about the potential for DDoS attacks from compromised cloud services. After all, the ability to rapidly scale up traffic is a key strength of cloud platforms. Compromised cloud provider accounts would make a great botnet.
  • Attack tools. Not only have attackers come up with a bunch of attack types, they’ve created a series of freely distributed point-and-click attack generators to make it easy for even the most novice computer user to launch an attack. Consider the open-source Low Orbit Ion Cannon (LOIC) tool: With a click of the mouse, it lets users set a target, an attack type and various other options. These tools combined with botnets for hire mean very little skill or infrastructure is required to construct a highly effective and powerful DDoS attack.

Traditional Premise-Based Systems Are Ineffective Against Large-Scale Attacks

When it comes to keeping out spam, infiltrators or malware, enterprises can go it alone and still protect themselves from most security threats. DDoS attacks are different. When a user downloads a virus, worm or Trojan (or it penetrates a gateway security device), intrusion detection systems (IDSs) can issue alerts about those attacks and intrusion prevention systems (IPSs) can block them—if you have enough confidence in the detection signature and if these in-line devices are on the same segment as the security breach. However, these solutions don’t effectively address non-signature threats or mitigate against network saturation attacks like DDoS. Existing tools cannot keep up with the increasingly dynamic and polymorphic threats. Some of the threats, such as Internet route hijacks, which take place beyond the organization’s network perimeter, and zero-day exploits, which put the organization at the mercy of the software vendors’ patch update policies, are outside an organization’s control and thus virtually indefensible.

As a result:

  • Edge protection is ineffective. Edge resources near the target, such as IDS/IPS/firewalls, can be overwhelmed fairly easily, rendering protection there irrelevant.
  • Managed services are a strong solution. DDoS protection is one of the very few security requirements organizations can only address via a managed service from an upstream provider with cloud-based identification and protection assets.

Mitigation techniques, such as investing in perimeter-based hardware or over-provisioned bandwidth, are helpless in the face of increasingly large assaults. In fact, a handful of novices armed with free downloadable software, home PCs and cable modems can saturate most organizations’ Internet connections and take them down.

Small and Midsize Enterprises Are Particularly Vulnerable to DDoS Attacks
Just as large enterprises, major consumer brands and government agencies are seeing DDoS attack traffic rise motivated by politics or profit, small and midsize enterprises are also seeing an uptick in the number of DDoS attacks they encounter. Smaller enterprises are even more vulnerable because they do not have the human and capital resources to invest in DDoS countermeasures. Two key factors to keep in mind are:

  • It’s a misnomer to believe that hactivists only target the largest enterprises or most popular brands.  Any business can find itself in the cross hairs of a hactivist based on one poor experience or one person’s whim or disagreement—the tools to execute a massive DDoS attack are readily available to any amateur with a browser and Internet connection. Malcontents can do so in protest, to draw attention to a complaint or to simply claim bragging rights within their hactivist circles.
  • Exacerbating small and midsize enterprise vulnerability is their lack of resources to adequately deal with cyber threats and the increased chance they will be targeted because they have poor security countermeasures. If hactivists are successful in disrupting operations, they are more inclined to sustain their attacks—many attacks last for several days. The most nefarious cybercriminals use a company’s attack vulnerability to extort payments to stop an attack.

The IT Environment Has Changed

At the same time the threat atmosphere is escalating, the IT environment around security is becoming more challenging. Staffing remains tight and trends from cloud computing to bring your own device (BYOD) continue to erode IT control. As a result, while security pros struggle to address an increasing array of threats from a broader range of actors, they must also wrestle with:

  • An evaporating perimeter. In an era where a breach at a digital marketing agency you don’t even use anymore means you have to send notification letters to millions of customers, where is your perimeter? Firms are adapting by complementing perimeter-oriented security controls like firewalls with other measures, like data leak prevention. Going even further by detecting the presence of your sensitive data in the public domain (“the cloud”) or other attack artifacts like DNS tinkering is the next logical step.
  • Mounting compliance requirements. Many firms have invested in people, technology and processes to take compliance requirements like Sarbanes Oxley, Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA) in stride. But existing requirements aren’t static; auditor interpretations change and organizations continually face new requirements on a state, federal and industry level, particularly around compromise disclosure. Firms risk making matters worse if they let the compliance tail wag the security dog, particularly in light of today’s escalating threat environment.
  • Gaps in staffing. Maintaining the right skill sets on security teams is tough even in a good economy. In leaner times, additional, high-paid staff is a tough sell. Coping with managed security services and other outsourcing/augmentation strategies makes more sense then ever.
  • Fighting against the odds. To further compound the challenge, a new breed of threats is emerging that requires only a single entry into an organization’s network to cause massive damage, making detection more difficult and the potential for destruction more devastating. Security defenses have to be right thousands of time per day; attackers have to be right only once. (One has to wonder that for each of the well-publicized attacks, how many others have gone unannounced or even undetected by the victim organizations?)

Managed DDoS Protection Provides an Insurance Policy Against Disaster

These factors combined with recent high-profile service outages at some highly secure organizations prove that enterprises should assume an attack is inevitable. A rapid and decisive response can mean the difference between a contained, relatively minor incident and a major disaster that threatens an organization’s future.

Fortunately, a range of solutions is emerging to provide DDoS attack response capabilities previously unavailable to organizations. These solutions pair internal security context with massive cloud-based security capabilities of specialized DDoS mitigation technologies—a combination enterprises simply can’t obtain on their own.

Of particular interest are offerings from infrastructure players like DNS providers such as Neustar, which, by virtue of their role in the Internet ecosystem, are security specialists. As a result, these providers offer security capabilities and intelligence that most organizations don’t have and never will. While these managed security services are an exciting and evolving category that is sure to expand and develop over time, a few capabilities have emerged that are of particular interest to organizations struggling to address today’s emerging threats. In particular these functions include:

  • Early warning of looming attacks. Attackers pretty much never just show up out of the blue, cause damage and leave. Rather, attacks play out over time as the bad guys probe defenses, compromise systems, look for valuable data, test attack types and so on. Infrastructure providers are in a unique position to see attack artifacts—like DNS cache poisoning or malware command-and-control communications—that are typical precursors to a data theft or other attacks. By proactively monitoring for these artifacts, security providers can work to protect customers before losses occur.
  • 360-degree visibility. The new class of service providers can monitor all of an organization’s internal traffic (inside the firewall perimeter) as well as its external traffic, including its network ecosystem—vendors, partners and customers. This comprehensive view of vulnerabilities is absolutely required to stay ahead of actual breaches because attackers will exploit any weak point in an organization’s security defenses.

Managed DDoS Protection Solution Requirements

That said, managed DDoS services are not all created equal. The best services include:

  • Sophisticated detection. Rapid and automated detection of volumetric attacks is table stakes for DDoS protection services. All providers must be able to quickly and automatically identify threats like the huge increases in ICMP traffic that characterize routine DDoS attacks. To deal with the latest threats and differentiate offerings, providers are getting more granular with their detection capabilities and moving up the stack to analyze traffic for application-level threats. Level of importance: High
  • Advanced trace back and source-based filtering. The ability to characterize and trace attacks to the point of network ingress is necessary not only to minimize congestion in the network core, but also to reduce reliance on over-provisioning and scrubbing (sorting out legitimate traffic from attack traffic) to soak up attack volume. After all, attacks originating from Asia can be difficult to tease out and filter from the mass of traffic at a North American peering point on a provider’s network. With fingerprint characterizations, providers can easily continue trace back of these attacks to the source IP addresses in the country in question and implement precise filters.Level of importance: High
  • Diverse and robust mitigation. Attackers will continue to devise widely distributed, stealthy attacks that attempt to blend in with legitimate traffic. So while providers can, should and will come up with ever more creative ways to block, filter and rate-limit attacks, some measure of over-provisioning will sadly always be required. Smart customers will do the math and rate providers on their ability to withstand large brute force attacks and the amount of diversity a provider has in its arsenal to fight attacks. Competing with attackers on bandwidth alone, however, is a lousy arms race, since bandwidth costs providers money but is “free” for attackers. As such, service providers continue to innovate with mitigation techniques. For example, nearly all providers have regional mitigation centers where attack traffic is re-routed for scrubbing. Level of importance: High
  • Real-time and historical data analysis. Service providers must have access to real-time global threat data as well as historical infrastructure data such as recursive and passive DNS for intelligence analysis. Any infrastructure-based security solution must be able to cross-reference historical data sources with existing threat data in real time to ensure both early warning and timely response to impending threats. Level of importance: Medium
  • Trusted and neutral solutions. Any provider of infrastructure-based security solutions must have the trust and neutrality required to share anonymized threat data about a specific organization that may affect several industries and require coordination and cooperation among many entities, some of whom may be competitors, for effective response.Level of importance: Very High
  • Massive scale and speed. Providers must demonstrate the capability to ingest, store and analyze massive volumes of data at scale with no errors to minimize false positives.Level of importance: High
  • Ecosystem awareness. Any managed DDoS solution must go beyond monitoring just the primary organization to include the ecosystem of end-users to which it has exposure. This ensures the organization is not negatively affected by security policies or missed attack vectors.Level of importance: High

By adding security prowess and intelligence enterprises can’t get on their own, these services extend enterprise threat intelligence, detection and response capabilities beyond the four walls of the organization and into the cloud, while also providing needed protection against emerging infrastructure attacks. Time is of the essence in mitigation against DDoS attacks. Signing up for a DDoS mitigation service after an attack has already begun is extremely expensive and typically means public-facing downtime has already happened.

Neustar Adds Advanced DDoS Protection to Its DNS Service Suite

Neustar SiteProtect is one example of an on-demand DDoS mitigation service. It can supply the bandwidth and flexibility to repel today’s massive attacks, many of which are estimated to be as large as 100 Gbps. Neustar’s service is activated through DNS or BGP redirection of Internet traffic to a series of global scrubbing centers, where attack traffic is identified and subsequently scrubbed, allowing clean traffic to flow to the enterprise infrastructure. The Neustar service dynamically distinguishes legitimate traffic from attack traffic by utilizing dedicated DDoS mitigation equipment from multiple vendors including Citrix Systems, Cisco, Arbor Networks, Hewlett-Packard, RioRey and Juniper.

Neustar supplements its partners’ infrastructure with proprietary DDoS mitigation capabilities to create a superset of DDoS-fighting tools that can support advanced scrubbing algorithms. Neustar’s service is supported by a 24x7 U.S.-based customer support team, network operations center and security operations center (SOC) to manually fine-tune these resources.

Neustar’s network of global scrubbing centers has significant capacity and more is added on a regular basis. It can provision SiteProtect to defend most standard TCP-based applications, including Web sites, e-mail servers, APIs and databases. When combined with Neustar’s UltraDNS service and Webmetrics monitoring service, SiteProtect can defend a customer’s Internet ecosystem with a collaboration of technologies backed by a single large public company. Neustar charges a small fixed monthly fee plus a variable on-demand mitigation cost when the need arises. It does not charge based on attack size as part of its standard DDoS mitigation package.

Managed DDoS ROI Case Study: Midsize Retailer

Managed DDoS protection for midsize enterprise customers can pay for itself within a matter of days or even hours when compared to the cost of potential losses associated with a successful DDoS attack. The transactional volumes of an e-commerce site, loss in employee productivity, intangibles such as brand equity and legal liabilities, as well as technical staff time required to restore an attacked site should all be considered when determining the fiscal impact of any DDoS-related downtime.

To investigate the operational benefits of using a managed service to address DDoS protection, Yankee Group developed a five-year financial business case model based on a typical midsize retail enterprise (see Exhibit 3). Our model uses standard list prices for Neustar’s SiteProtect solution and takes extremely conservative assumptions on DDoS attack frequency and growth patterns.

Exhibit 3: Managed DDoS Financial Analysis AssumptionsSource:
Yankee Group, 2011

DDoS Attack Cost Financial Analysis

The key takeaway from this analysis is the importance of catching the first DDoS attack. In our model, we assume that after this company is attacked once, it takes the necessary steps to identify and mitigate future attacks. Thus, net benefits are actually the same after Year 1 (see Exhibit 4 on the next page). In Year 1, however, the model shows us that investing in managed DDoS protection provides a net cash flow benefit of $98,500. If a DDoS attack is successful, the impact in Year 1 is a negative benefit of $158,000. Therefore, investing just $2,000 upfront gives the company the potential to save nearly $250,000 in addition to the protection it affords from negative brand impact associated with unplanned downtime. The risks are just too high and barriers to entry to execute attacks too low to operate without managed protection in place.

Exhibit 4: Five-Year Cash Flow Analysis of Managed DDoS vs. Unprotected in Year I
Yankee Group, 2011

ddos managed protection

Conclusion: Enterprise Security Techniques Need to Evolve Faster Than Threats

Maintaining enterprise security today is harder than ever and is perhaps impossible without security intelligence beyond an enterprise’s four walls. At the same time IT organizations grapple with ongoing decentralization and consumerization, threats are escalating as new attack types emerge and new actors—like organized crime and hactivists—get more focused and determined. Recent public-facing downtime at highly secure and sophisticated targets suggests that successful DDoS attacks may be inevitable without cloud-based protection. The landscape of threats dictate that IT security strategy evolves from a strategy of prevention to one that acknowledges the inevitability of DDoS attacks. Fortunately, a new class of cloud-based security services is emerging in the marketplace that will alleviate some of the pressure. As our basic financial analysis makes clear, a managed DDoS service investment can pay for itself as soon as the first attack occurs.

Download PDF