Recently I was talking with the CIO of a sizeable hosting company and during our discussion about his security practices I asked him what his company does to mitigate DDoS (Distributed Denial of Service) attacks. He answered jokingly, “We sacrifice a chicken every morning.”
As humorous as his answer is, it’s an accurate commentary of the challenges of DDoS mitigation for providers, both hosting/cloud as well as internet/business service providers. As he and I talked about the challenges, we hit on common themes I’ve heard from many provider customers:
1) Existing DDoS services are extremely expensive, so much so that providers cannot recoup the costs in monthly recurring revenue
2) Outsourcing this service means they are trusting their customers’ security to an external company
3) Due to the emergent nature, they are concerned about the complexity of creating a DDoS service in house
Considering those three factors, some providers simply cross their fingers and hope that it doesn’t happen to any of their critical customer traffic or their own IP space. This is a bit like living next to the Mississippi River and simply hoping that it will never flood… or more pointedly, just not in your neighborhood.
What’s really the root cause of this situation? I think there are several factors. DDoS attacks are simple to create and yet crippling to the targeted company. I just looked online and perused the going rate for renting botnets that can be used to initiate DDoS attacks. Yep, I don’t even have to pay for them… I can rent by the hour. As reported by technology media, I can also buy a kit to help me craft my own attack. This ease of creation coupled with a low cost means that these attacks don’t require a brilliant hacker toiling away on a keyboard at 3am while drinking a Mt Dew. Anyone can create an attack; literally, anyone. Download, click click, aim…fire.
I see you over there, Enterprise Customer, shaking your head and thinking, “It’s okay, I’m not a financial institution. Nobody will attack me.” *Pop* That’s me bursting your bubble. Like all security breaches, customers hate to publicly admit that they’ve been compromised, but numerous research reports have validated that attacks are occurring across multiple industry segments with a rapidly increasing frequency and scale. For those of you with a trusting nature who believe your providers are protecting you at no charge, I’m going to refer you back to the chicken comment. 🙂
Like any new challenge, you should weigh the cost to protect yourself against the potential costs of an attack. This includes explicit costs such as websites being out of service as well as the soft costs such as loss of customer trust. You wouldn’t consider operating your business without fire insurance for your building, even though the threat is statistically small. Why not? Because we all know inherently that if it happens, it will be catastrophic.
Consider creating a DDoS mitigation strategy soon… do it for the chickens.