Imperva Cyber Community


What Makes Imperva DDoS Protection More Secure Than Your ISP’s Generic Solution

By Shikhar Sharma posted 08-05-2020 04:49

  

Internet service providers have good reason to provide their users with DDoS protection services.

ISPs with a better track record of mitigating DDoS attacks enjoy a better reputation for security, which improves sales and allows them to charge more. They can then use their increased earnings to invest in better DDoS solutions. The cycle reinforces itself.

This, at least, is a simplified version of how things should go. In practice, however, ISPs are rarely able to provide best-in-class security to their users.

While DDoS protection is an important value-add for ISPs, cybersecurity is not their core expertise. This leads to understandable compromises that affect the quality of the protection they can offer.

In this webinar, Imperva experts discuss DDoS risks and walk through several case studies.

Not All DDoS Attacks Are Made Equal

Imagine all the cybercriminals in the world shared a single DDoS attack strategy and never changed their approach. In this scenario, a single DDoS mitigation solution would be enough to guarantee users’ protection.

But there are many different DDoS attack approaches, types, and motivations. The cybercriminals who perpetrate these attacks span the range from opportunistic vandals to sophisticated state-sponsored professionals using state-of-the-art equipment.

The difference between an ISP-based solution and a specialized cloud-based solution is similar to the difference between a simple home burglar alarm and a professionally installed home security system that calls 911 for you the moment it detects an intruder.

Choosing a purpose-built cloud-based DDoS protection system gives users protection from the largest and most sophisticated attacks. ISP-based solutions, it turns out, are often vulnerable to the very attacks they are supposed to mitigate.

Large-Volume DDoS Attacks Can Overwhelm On-Premises DDoS Mitigation Solutions

Most current ISP-based solutions work by monitoring and analyzing traffic for signs of DDoS activity at a single link connecting the victim and its ISP. This approach has been shown to deliver results against small and medium-sized DDoS attacks, but the “single-point” mitigation strategy creates a bottleneck: an attacker with enough resources can exhaust the memory and computational power of the mitigation device sitting on that link.

Most ISPs are not able to spread these attacks across multiple points of presence within their network, which makes the largest attacks difficult to defend against.

The big problem with this approach is that DDoS attacks have been steadily increasing in size for years and are now larger than ever. The latest data shows a 180% increase in DDoS attack sizes between 2018 and 2019, with the largest attacks measured at hundreds of gigabits per second. Attacks of that size are far too large for a single-point on-premises DDoS mitigation solution to handle.

Why ISPs Can’t Offer the Same Results as a Cloud-Hosted System

Many ISPs opt for a “clean pipe” solution that blocks volumetric attack traffic before it enters the customer’s network. The effectiveness of this approach depends heavily on the location of the on-premises equipment doing the scrubbing.

With an on-premises solution at the ISP level, the scrubbing centers can only be placed in data centers that are already part of the ISP’s infrastructure. Setting up a global content delivery network (CDN) for best-in-class DDoS mitigation is not viable for an ISP whose core value is delivering fast Internet connections to its users.

DDoS Mitigation Is Not Their Core Value and Expertise

Organizations can become victims of collateral damage when ISPs fail to respond effectively to massive DDoS attacks. Even if the ISP’s solution is robust enough to prevent a total outage, latency becomes a serious issue when a large part of the ISP’s infrastructure is busy fighting DDoS attacks in real time.

There is an inherent trade-off between utility and security. Every digital resource dedicated to defending against the attack is a resource not dedicated to serving legitimate users.

ISPs Do Not Always Know Their Users’ Applications

ISPs generally have no way to build profiles of their users’ web and mobile applications. They may lack the insight needed to tell normal request rates and behaviors apart for plain HTTP, HTTPS, and app-based traffic.

Without committing fully to a proxy-based web application firewall, there is no way to keep legitimate users from being blocked while a DDoS attack is being mitigated.

Many organizations have compliance requirements that specifically prohibit them from implementing DDoS mitigation strategies that cannot make these kinds of distinctions. For these organizations, a customizable cloud WAF solution is the only solution they can consider.

SSL Inspection is Expensive in Terms of Latency

ISPs do not want to add latency for their users, yet they must perform some level of SSL inspection to protect against SSL-based DDoS attacks. This creates another trade-off, in which the user’s security may not take priority over the economics of offering latency-free service.

Maintaining an SSL proxy for always-on decryption is expensive in terms of latency. Most on-premises equipment tries to avoid this cost by challenging SSL clients only when actively under attack. That approach guarantees a gap between the onset of an attack and its mitigation, risks over-provisioning expenses, and potentially creates additional compliance issues for organizations.

“Blackholing” Traffic Cuts Off Legitimate Users

Routing traffic away from the intended target in order to avoid exceeding uplink capacity can help mitigate a DDoS attack. However, the “blackhole” method drops all traffic to the targeted address indiscriminately, keeping legitimate users away from the websites and apps they are trying to reach. Many ISPs rely on this method because they have no viable way to improve their existing infrastructure the way a dedicated cloud-based security provider like Imperva can.

In other words, blackholing finishes the attacker’s job. The sole purpose of a DDoS attack is to keep legitimate users out, and blackholing does exactly that on the attacker’s behalf, defeating the point of mitigation for the affected service and its users.

DDoS Attacks Can Vary in Type

According to Wikipedia: “In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.”

This can happen at any layer of the OSI or TCP/IP model. ISPs generally look for attack traffic at layer 3 or layer 4. Since they do not perform SSL offloading, they have no visibility into HTTPS request payloads. This leaves applications exposed to encrypted requests carrying a malicious payload, which can result in a layer 7 DDoS that the ISP never sees.

ISPs Lack Even Simple Techniques Such as Rate Limiting

Have you ever requested a page on your site that does not exist? What happens? You most likely receive a “404 page not found” error. That error page is generally served by your web server. Now imagine a billion such requests. Each one is a perfectly valid request with no malicious payload, so no WAF rule fires on it, yet together they can bring down your web server, which is kept busy doing nothing but serving 4xx responses.

Because they lack features such as rate limiting on HTTP/HTTPS requests, ISPs are not able to prevent this type of attack. Those that do offer rate limiting apply it per source IP only: once traffic from an address crosses a predefined threshold, both legitimate and illegitimate traffic from that address is dropped.
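The two preceding sections describe a layer-7 flood of well-formed requests that a payload-inspecting WAF rule will not match and that an IP-only rate limit cannot isolate. The following is an added example written for this post (not Imperva’s code or algorithm) that runs both kinds of rule over constructed access-log lines: a classic per-IP sliding-window limit, and a simple application-aware rule that flags clients whose requests are almost entirely 4xx errors. The log lines, IP ranges, window size, and thresholds are all illustrative assumptions.

```python
"""Layer-7 "404 flood" detection over web server access logs.

Added example for this post; it is not Imperva's code or algorithm, and the
log lines it analyses are constructed here rather than taken from a real server.
It contrasts an IP-only rate limit with a rule that looks at what each client
is actually asking for.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def per_ip_offenders(events, window=timedelta(seconds=10), limit=30):
    """IP-only limiter of the kind described above: flag any source that sends
    more than `limit` requests inside a sliding `window`, whatever the requests are."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ev["ip"])
    return flagged


def error_ratio_offenders(events, min_requests=3, ratio=0.8):
    """Application-aware rule: flag sources whose requests are mostly 4xx,
    independent of volume. A distributed 404 flood keeps each bot under any
    sane per-IP limit, but every bot's 4xx ratio is close to 1.0; a real user
    who mistypes one URL is nowhere near the threshold."""
    total, errors = defaultdict(int), defaultdict(int)
    for ev in events:
        total[ev["ip"]] += 1
        if 400 <= ev["status"] < 500:
            errors[ev["ip"]] += 1
    return {ip for ip, n in total.items()
            if n >= min_requests and errors[ip] / n >= ratio}


def build_sample_log():
    """Constructed log: one real visitor (20 hits, one typo -> 404) and a flood
    from 50 hosts that each send only 5 requests for paths that do not exist."""
    base = datetime(2020, 8, 5, 4, 49, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'
    lines = []
    for i in range(20):
        typo = i == 7
        lines.append(fmt.format(ip="203.0.113.10",
                                ts=(base + timedelta(milliseconds=400 * i)).strftime(TS_FMT),
                                path="/index.htm" if typo else "/index.html",
                                status=404 if typo else 200))
    for host in range(1, 51):
        for j in range(5):
            lines.append(fmt.format(ip=f"198.51.100.{host}",
                                    ts=(base + timedelta(milliseconds=100 * (5 * host + j))).strftime(TS_FMT),
                                    path=f"/x{host}-{j}", status=404))
    return lines


def analyse(lines):
    """Run both rules over raw log lines and return the flagged sources of each."""
    events = [ev for ev in map(parse_line, lines) if ev]
    return {"per_ip": per_ip_offenders(events),
            "error_ratio": error_ratio_offenders(events)}


if __name__ == "__main__":
    result = analyse(build_sample_log())
    print("IP-only rate limit flagged:", sorted(result["per_ip"]))
    print("4xx-ratio rule flagged:", len(result["error_ratio"]), "hosts")
```

On the constructed log the per-IP limit flags nobody: the real visitor stays under 30 requests and each bot sends only 5. The 4xx-ratio rule flags all 50 flood hosts and leaves the visitor alone, because it keys on what the client asks for rather than how often it asks. The same limiter would still catch a single-source flood (40 requests in one second from one address), which is the only case the IP-only approach handles well. A production rule would also weight by path entropy, response cost, and session state, and would serve a challenge before dropping, but the point of the post holds: without visibility into the application traffic, an ISP cannot make this distinction at all.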

Lack of DNS Protection

DNS amplification, a type of DNS reflection attack, is a well-established vector, and the 2016 attacks on KrebsOnSecurity and on the DNS provider Dyn showed how much damage a large DDoS can do. DNS is a single point of failure for Internet services: take down a name server and every service that depends on it goes down with it. Because DNS runs over UDP, a connectionless protocol, source addresses can be spoofed, very little state or resources are needed to generate attack traffic, and responses are far larger than queries, so the attack is amplified: 1 Mbps of spoofed queries can arrive at the victim as 100 Mbps of reflected responses.

ISPs generally have no way to replace or front your name servers, which leaves your DNS infrastructure exposed.
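To make the amplification arithmetic concrete, here is an added example for this post (not code from Imperva) that builds a DNS query and an oversized answer in memory using the DNS wire format, computes the bandwidth amplification factor, and then scans constructed UDP flow records for hosts that receive large volumes of port-53 responses they never asked for. The name, record contents, flow records, addresses, and the 10x detection threshold are illustrative assumptions; nothing is sent on the network.

```python
"""DNS reflection and amplification on the wire format.

Added example for this post, not code from Imperva. It builds a DNS query and
an oversized response in memory (no network I/O) to show why a resolver that
answers spoofed queries turns a small packet into a large one, then checks
constructed flow records for hosts receiving DNS answers they never asked for.
"""
import struct
from collections import defaultdict


def encode_name(name):
    """Dotted hostname -> DNS label sequence terminated by a zero-length label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def txt_rdata(text):
    """TXT RDATA: one or more <length><bytes> character-strings of at most 255 bytes."""
    data = text.encode()
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))


def build_query(txid, name, qtype=255, udp_payload=4096):
    """Query with an EDNS0 OPT record advertising a large UDP buffer so the server
    need not truncate. qtype 255 (ANY) is the classic amplification query: it asks
    for every record at the name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = requestor's UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def build_response(txid, name, rdatas, qtype=255):
    """Response echoing the question, followed by one TXT RR per entry in rdatas.
    Stands in for what an open resolver sends to whatever source address the
    query claimed to come from."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)  # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rrs = b""
    for rdata in rdatas:
        # 0xC00C: compression pointer to the owner name at offset 12 (the question)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + rrs


def parse_header(msg):
    """Decode the 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(query, response):
    """Bytes delivered to the spoofed victim per byte the attacker had to send."""
    return len(response) / len(query)


def demo_exchange():
    """Constructed exchange: a 40-byte ANY query for a name holding eight
    maximal TXT strings, and the roughly 2 KB answer it produces."""
    query = build_query(0x1234, "example.com")
    answers = [txt_rdata("v=spf1 " + "a" * 248)] * 8  # eight 255-byte strings
    response = build_response(0x1234, "example.com", answers)
    return query, response, amplification_factor(query, response)


def reflection_victims(flows, min_factor=10.0):
    """Flows are (src, dst, sport, dport, nbytes) UDP records seen at a network
    edge. A host that receives many times more bytes from port 53 than it ever
    sent to port 53 is being hit with reflected answers to spoofed queries."""
    sent, received = defaultdict(int), defaultdict(int)
    for src, dst, sport, dport, nbytes in flows:
        if dport == 53:
            sent[src] += nbytes
        if sport == 53:
            received[dst] += nbytes
    return {h for h, n in received.items() if n >= min_factor * max(sent[h], 1)}


def sample_flows():
    """Constructed records at the edge of 192.0.2.0/24: one normal lookup by
    192.0.2.7 and fifty resolvers reflecting big answers at 192.0.2.10."""
    _, response, _ = demo_exchange()
    flows = [("192.0.2.7", "198.51.100.53", 40123, 53, 40),
             ("198.51.100.53", "192.0.2.7", 53, 40123, 120)]
    flows += [(f"203.0.113.{i}", "192.0.2.10", 53, 80, len(response)) for i in range(1, 51)]
    return flows


if __name__ == "__main__":
    q, r, factor = demo_exchange()
    print(f"query {len(q)} bytes -> response {len(r)} bytes, factor {factor:.1f}x")
    print("reflection victims:", reflection_victims(sample_flows()))
```

The constructed query is 40 bytes and the answer 2,173 bytes, an amplification factor of about 54x, in line with the factors usually quoted for DNS; the 100x figure above is reachable with larger records or DNSSEC-signed zones. Two caveats a practitioner should know: many resolvers now answer ANY queries minimally (RFC 8482), which blunts this particular query, and the lasting fixes sit with the network operators, namely not running open resolvers, response rate limiting on authoritative servers, and source-address validation (BCP 38) so that spoofed queries never leave the attacker’s network in the first place.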

Imperva’s Cloud-based DDoS Protection Offers Global Protection

Imperva maintains a global content delivery network that ensures best-in-class latency while mitigating even the largest DDoS attacks close to their source. This kind of performance is beyond what even the best-equipped ISPs can provide, because Imperva’s core expertise and value is not in providing internet services to users – it is protecting users against cyberattacks.

Learn More with Imperva Community 

The Imperva Community is a great place to learn more about how to use Imperva cybersecurity technologies like WAF Gateway,  Data Risk Analytics, Database Activity Monitoring and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts. 

Other Relevant DDoS Content
What Kind of Data Does Imperva Use to Generate Attack Signatures?
DDoS Attacks: How Imperva Mitigates Increasingly Powerful and Sophisticated Attacks



