In 2012, a series of large U.S. banks began experiencing distributed denial of service (DDoS) attacks. What was particularly unusual about these attacks, later attributed to Iran, was that the attackers posted their target banks and the timing of the attacks online. Despite knowing when the attacks were coming, the banks were largely defenseless against the large, sophisticated attacks, which went on for six to nine months.
In 2012, most DDoS attacks targeted the financial industry, but they have since spread across most industries, from government agencies to local schools. A large attack on the DNS provider Dyn took down sites including Amazon and Netflix, and a French hosting vendor also saw a large attack.
While these large attacks may dominate the headlines, they’re not what dominates the DDoS landscape.
“This is not the mainstream stuff, most of you won’t deal with an attack this size,” said Lawrence Orans, research vice president at Gartner, at the Gartner Security & Risk Summit 2017. Most attacks are 20 to 30 Gbps or less, while the largest reported attacks have reached 1.2 terabits per second. There are really two types of attack, volumetric and application-layer: volumetric attacks aim to saturate bandwidth or network devices with sheer traffic, while application-layer attacks exhaust server resources with requests that individually look legitimate. Enterprises should be protected against both, but volumetric attacks are the simpler and more common kind.
DDoS attacks have nonetheless evolved almost yearly, the most recent shift being attacks launched from compromised IoT devices. Enterprises should evaluate mitigation options to protect and defend against these attacks.
Scrubbing Center Approach
The most common DDoS mitigation option is a cloud scrubbing center. When an enterprise that subscribes to a scrubbing service detects DDoS traffic, it can divert all of its traffic, good and bad, to the nearest scrubbing center (typically by changing its DNS records or by having the provider announce its address space via BGP). There, the bad traffic is scrubbed out and the good traffic is forwarded to the site. Because the diversion is usually triggered on demand, there is a detection and cutover window during which the attack still reaches the enterprise. This option works well in multi-ISP environments and can mitigate both volumetric and application-layer attacks. For those who already use a scrubbing center but want more protection, some vendors will also place a device in the data center for always-on local mitigation, but the cloud-based option is more cost-effective.
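The two signals that drive the choice between these options, a link-saturating volumetric flood versus a low-bandwidth application-layer request flood, and the decision to divert traffic to a scrubbing center, can be sketched in code. The following Python is an added example and is not part of the Gartner post or any vendor's product: the link capacity, the thresholds, the flow records and the access-log lines are all constructed assumptions chosen to exercise both detection paths.

```python
"""Toy DDoS triage: separate volumetric from application-layer attacks and decide
whether to divert traffic to a scrubbing center. Added example; all thresholds
and sample data are constructed assumptions, not figures from the Gartner post."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical deployment parameters (assumptions; a real deployment learns a baseline).
LINK_CAPACITY_BPS = 1_000_000_000      # 1 Gbps uplink
VOLUMETRIC_RATIO = 0.8                 # flag a second when traffic exceeds 80% of the link
APP_RPS_PER_SOURCE = 50                # more than 50 req/s from one source is suspicious
APP_MIN_SOURCES = 3                    # this many offenders at once means a distributed flood

# Constructed flow records (ts_sec, src_ip, dst_port, bytes): one second of amplified
# DNS replies (10 x 15 MB = 1.2 Gbps) followed by one second of normal HTTPS (40 Mbps).
FLOWS = (
    [(1000, f"198.51.100.{i}", 53, 15_000_000) for i in range(10)]
    + [(1001, f"192.0.2.{i}", 443, 1_000_000) for i in range(5)]
)


def _log_line(ip, ts, path):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed access-log lines: three sources each send 60 expensive /search requests in
# the same second (low bandwidth, high request rate); one legitimate client sends two.
_TS = "10/Oct/2017:13:55:36 +0000"
ACCESS_LOG = (
    [_log_line(f"203.0.113.{i}", _TS, "/search?q=expensive") for i in (1, 2, 3) for _ in range(60)]
    + [_log_line("198.51.100.7", _TS, "/index.html") for _ in range(2)]
)

_CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')


def bits_per_second(flows):
    """Aggregate flow records into bits per second, keyed by timestamp."""
    per_sec = defaultdict(int)
    for ts, _src, _port, nbytes in flows:
        per_sec[ts] += nbytes * 8
    return dict(per_sec)


def detect_volumetric(flows, capacity_bps=LINK_CAPACITY_BPS, ratio=VOLUMETRIC_RATIO):
    """Return the seconds whose traffic exceeded the configured share of link capacity."""
    return sorted(ts for ts, bps in bits_per_second(flows).items() if bps > capacity_bps * ratio)


def parse_access_log(lines):
    """Yield (epoch_second, src_ip, path) for each well-formed combined-log-format line."""
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue  # skip lines the regex does not understand rather than crash mid-attack
        ip, ts, _method, path, _status, _size = m.groups()
        epoch = int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())
        yield epoch, ip, path


def detect_app_layer(lines, rps_threshold=APP_RPS_PER_SOURCE, min_sources=APP_MIN_SOURCES):
    """Return the sources exceeding the per-second request threshold, but only if enough
    of them are active at once to look like a distributed application-layer flood."""
    per_src_sec = Counter((sec, ip) for sec, ip, _path in parse_access_log(lines))
    offenders = sorted({ip for (_sec, ip), n in per_src_sec.items() if n > rps_threshold})
    return offenders if len(offenders) >= min_sources else []


def mitigation_decision(flows, log_lines):
    """Only upstream capacity (a scrubbing center or the ISP) can absorb a flood that
    saturates the link; a low-bandwidth request flood can be handled by layer-7 filtering
    (rate limits, WAF, layer-7 scrubbing) without diverting all traffic."""
    if detect_volumetric(flows):
        return "divert-to-scrubbing"
    if detect_app_layer(log_lines):
        return "apply-application-filters"
    return "no-action"


if __name__ == "__main__":
    print("volumetric seconds:", detect_volumetric(FLOWS))
    print("app-layer offenders:", detect_app_layer(ACCESS_LOG))
    print("decision:", mitigation_decision(FLOWS, ACCESS_LOG))
```

The point of separating the two detectors is that they disagree on the right response: the 1.2 Gbps second is invisible to the access log (the requests never complete) and can only be handled upstream, while the 180 requests per second from three sources would never trip a bandwidth alarm but still take down an origin that does real work per request.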
ISP Clean Pipes Approach
The second option has DDoS mitigation as a feature of the internet service itself. The ISPs run their own scrubbing centers internally and, for a premium, will monitor your site and mitigate attacks. In this model the ISP operates as a one-stop shop for bandwidth, hosting, DNS, and DDoS mitigation. Because an ISP can only clean traffic that crosses its own network, enterprises with several ISPs need the service from each of them. Quality depends on the experience level of the ISP: some have offered this for a while, others are just getting into the game, and some won't offer it at all.
Content Delivery Network Approach
Large content delivery networks (CDNs) operate more than 200,000 caching servers globally, so pieces of the website are distributed and cached all over the world. This gives users a better experience with less latency. It is also a good mitigation technique, because an attacker must overwhelm the CDN's distributed capacity rather than a single origin server, which is far more challenging. The CDN does not protect the origin by itself, however: it must front all traffic, the origin's address must not be exposed, and dynamic or uncached requests still reach the origin, so application-layer attacks need separate handling. This is a good option for enterprises that are already CDN customers, as preparation is needed ahead of time to even use the CDN.
Gartner clients can read more in the full research DDoS: A Comparison of Defense Approaches.
Digital Risk & Security Hub
Visit the Gartner Digital Risk & Security hub for complimentary research and webinars.
Gartner Security & Risk Management Summits 2017
Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summits 2017 taking place in Tokyo, Mumbai, Sao Paulo, Sydney, London and Dubai. Follow news and updates from the events on Twitter at #GartnerSEC.