ANALYST BRIEF

Why Is DDoS Prevention a Challenge?

PROTECTING AGAINST DISTRIBUTED DENIAL-OF-SERVICE ATTACKS

Authors – Andrew Braunberg, Mike Spanbauer

Overview
Over the past decade, the threat landscape has changed as more and more enterprises and large organizations
have moved their mission-critical services online. Competing in global markets driven by just-in-time demand,
these enterprises rely on continuous uptime to perform business transactions on a 24/7/365 model.

This shift in the business model has, however, engendered a new breed of cyberattacks designed to limit access to
these resources. Although distributed denial-of-service (DDoS) attacks technically are not new, they are more
effective today than ever before. The relative ease with which DDoS attacks can be launched, the diverse methods
by which such attacks can be executed, and the amount of damage that can be caused by a single attack make
DDoS attacks a challenge to defend against. Such attacks have proved an effective way to wreak havoc, causing
high-profile outages and interruptions to transaction processing. They can be motivated by a wide range of factors,
and the acts of taking down websites or blocking financial transactions are effective ways to make statements or
cause visible, potentially far-reaching business disruptions.

As enterprises look to defend against DDoS attacks, they are turning to DDoS prevention solutions, which offer
protection against the different categories of DDoS attacks, and which can take the form of on-premises devices or
managed services. Many vendors have entered the DDoS prevention market in recent years, and their solutions
should be evaluated carefully.
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

NSS Labs Findings

 DDoS attacks continue to be one of the most difficult attack vectors to counter.
 The range of attack methods is growing and diversifying as prebuilt toolkits, and even DDoS attack services,
are made more readily available.
 The widespread availability of attack resources gives the general public the ability to participate in “digital
riots.”
 Firewalls and other security devices are mistakenly viewed as adequate protection against DDoS attacks.
 Mitigation against DDoS attacks requires a multifaceted approach that involves network design, traditional
security products (for example, intrusion prevention devices [IPS] and firewalls), contingency planning, and
dedicated DDoS prevention solutions.

NSS Labs Recommendations

 Evaluate the current network design and security posture within an organization in order to identify
applications that could easily be overwhelmed by malicious attacks or spikes in traffic.
 Establish traffic baselines in order to better determine the extent of abnormal traffic patterns.
 Test network infrastructures, applications, and servers against the diverse DDoS attack methods used today
(volumetric attacks, protocol attacks, application attacks, or a combination of the three) in order to
understand the limits and weaknesses of the network.
 Consider multiple mitigation techniques and products when creating a strategy to address DDoS attacks.
 Evaluate DDoS prevention solutions in the same manner as other critical security infrastructure components
to ensure that the solution itself does not become a vulnerability to the network.

2
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

Table of Contents
Overview............................................................................................................................... 1
NSS Labs Findings .................................................................................................................. 2
NSS Labs Recommendations .................................................................................................. 2
Analysis ................................................................................................................................. 4
The Need for Increased DDoS Protection ..................................................................................................... 4
Ease of Initiating an Attack ....................................................................................................................... 4
Why DDoS Protection Is a Challenge ............................................................................................................ 5
Difficulty in Managing Legitimate Spikes Versus Attack Traffic ................................................................ 5
Requires Increased Architecture, Infrastructure, and Expertise ................................................................ 5
Wide Range of Attack Types and Techniques............................................................................................ 5
DDoS Attack Types and Evasion Techniques ................................................................................................ 6
Evasion Techniques.................................................................................................................................... 7
DDoS Prevention Solutions ........................................................................................................................... 7
Inline Protection ........................................................................................................................................ 8
Out-of-Path Protection .............................................................................................................................. 8
Performance Metrics for DDoS Prevention Solutions .................................................................................. 8
Performance Under Attack ........................................................................................................................... 8
Other Security Requirements ....................................................................................................................... 9
Management and Configuration................................................................................................................... 9

Reading List ......................................................................................................................... 10

Contact Information ............................................................................................................ 11

3
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

Analysis
As network bandwidth has increased and as critical assets have moved online, prevention of DDoS has become
increasingly important for the enterprise. The January 2016 attack against the BBC clearly illustrates the damage
that can be done with widely available DDoS tools and services.1 The BBC turned to DDoS protection vendor
Akamai to help mitigate the attack when its infrastructure was overwhelmed. Whether turning to service providers
or purchasing devices in-house, organizations are considering their options for DDoS prevention. From evaluating a
product’s effectiveness in mitigating attacks to ensuring that traditional enterprise-class infrastructure features are
in place, organizations must carefully assess different solutions to ensure that DDoS prevention is transparent.

The Need for Increased DDoS Protection

The sheer volume of business that occurs online requires that enterprises, websites, and partner connections
remain operational with as close to 100 percent uptime as possible. In 2015, US retailers reported sales of US$27.9
billion in online merchandise throughout the holiday season,2 illustrating the importance of online transactions to
the national economy.

The migration of government services online adds convenience but also creates targets for politically motivated
attacks, as recently illustrated during the rollout of Healthcare.gov where a DDoS attack3 compromised the site and
prevented citizens from accessing the enrollment for new healthcare services.

Why does DDoS present such a threat? There is no simple answer. Diverse attack drivers; the increased availability
of network bandwidth; the pervasiveness of botnets; poor implementation of Internet protocols and
applications/services; reliance on Internet-based services; and the high visibility and relative ease of conducting
DDoS attacks combine to create an environment where attackers can use DDoS attacks to great effect and where
victim organizations struggle to protect against these attacks.

Ease of Initiating an Attack

Another factor driving the prevalence of DDoS attacks is the relative ease with which these attacks can be initiated.
Botnet services are available (prebuilt botnets that an attacker can rent), and recent reports claim botnet pricing to
be in the range of US$2 to US$5 per hour for an attack that lasts from several hours to up to three days.4

The attacker has only to specify the IP address to attack, and the attack will commence. Other attackers might
build their own botnets, making use of the many malware kits that are available.

Security researchers are partly to blame for the ease with which attack methods can be accessed: DDoS code is
often posted on the Internet for the purpose of educating, and thus arming, others against these attacks; however,

1 http://www.csoonline.com/article/3020292/cyber-attacks-espionage/ddos-attack-on-bbc-may-have-been-biggest-in-history.html
2https://www.comscore.com/Insights/Press-Releases/2015/12/Cyber-Monday-Surpasses-3-Billion-in-Total-Digital-Sales-to-Rank-as-Heaviest-
US-Online-Spending-Day-in-History
3 http://www.scmagazine.com/cyber-attacks-on-healthcaregov-reported-to-dhs/article/321243/
4 http://channelnomics.com/2013/07/08/ddos-attacks-on-sale-for-2-an-hour/

4
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

this information also arms attackers. The cost and complexity of a DDoS attack is low in comparison to most other
attacks, and this low barrier to entry allows even non-technical individuals and groups within the general public to
launch large-scale attacks with relative ease. This puts all organizations at risk of attack, since any organization may
have detractors to its ideology, political affiliation, or business model.

Why DDoS Protection Is a Challenge

DDoS attacks have a long history, and yet the security industry has had limited success in preventing them. Why do
DDoS attacks remain so effective? As previously discussed, they are simple to launch and cost considerably less
than targeted persistent attacks (TPAs), which typically require zero-day vulnerabilities and sophisticated
programming techniques. Other reasons for their prevailing success include:

Difficulty in Managing Legitimate Spikes Versus Attack Traffic

No organization wants to block legitimate traffic. Accidentally turning away a customer can have significant
financial consequences for an organization. In the case of many DDoS attacks, the traffic that is used to generate
the attack often appears legitimate. How does an organization determine whether a spike in traffic is legitimate
(for example, a sale or breaking news) or an attack? This dilemma is the reason why organizations are cautious
when making decisions on throttling traffic. Without a solid understanding of baselines and historic traffic trends,
organizations are unlikely to detect an attack until it is too late.

Requires Increased Architecture, Infrastructure, and Expertise

The additional architecture, infrastructure, and expertise that an organization requires to prepare for, detect, and
mitigate a DDoS attack present another challenge. To manage the sudden influx of traffic that occurs during a
DDoS attack, organizations must have the ability to route traffic across various resources. Additional servers,
routers, and network resources (such as load balancers) must be in place to manage the additional traffic.
Depending on the size of the attack, however, having more resources may not in itself be sufficient. Organizations
may require re-routing of all traffic to block offending IP addresses and then permit non-offending IP addresses to
pass through to the protected resources. These options for mitigation require extra equipment and specific
expertise to configure the infrastructure during an attack. Many organizations do not have this level of
sophistication.

Wide Range of Attack Types and Techniques

The range of DDoS attack techniques available presents yet another challenge. Historically, the concept of a DDoS
attack was simply to overwhelm the target with traffic. While many effective attacks rely on this method (the
Spamhaus5 attack used this type of attack to reach rates over 300 Gbps), attackers have also found application-
level attacks to be highly effective.

5 http://www.nytimes.com/interactive/2013/03/30/technology/how-the-cyberattack-on-spamhaus-unfolded.html?_r=0

5
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

DDoS Attack Types and Evasion Techniques

Volumetric
On occasion, the easiest way to prevent access to a target is to consume all of the network bandwidth available.
This is the goal behind a volumetric DDoS attack. The attacker, through various means, launches an attack
designed to cause network congestion between the target and the rest of the Internet. This volume of traffic can
be generated through multiple hosts, for example, a botnet, and leaves no available bandwidth for legitimate users
of the resource (whether it is an ecommerce website or a financial services group). Volumetric DDoS attacks
generally target protocols that are stateless and do not have built-in congestion avoidance. Examples of volumetric
DDoS attacks include (but are not limited to):

 Internet Control Message Protocol (ICMP) packet floods (including all ICMP message types) 
 Malformed ICMP packet floods 
 User Datagram Protocol (UDP) packet floods (usually containing no application layer data) 
 Malformed UDP packet floods 
 Spoofed IP packet floods 
 Malformed IP packet floods 
 Ping of Death 
 Smurf attack 

Protocol

Attackers can also prevent access to a target by consuming other types of resources. Protocol DDoS attacks are
designed to exhaust resources available on the target or on a specific device between the target and the Internet.
The devices can include routers, load balancers, and even some security devices. When the DDoS attack consumes
a resource such as a device’s TCP state table, no new connections can be opened because the device is waiting for
connections to close or expire. Protocol DDoS attacks need not consume all of a target’s available bandwidth to
make it inaccessible. Examples of protocol DDoS attacks include (but are not limited to):

 SYN floods 
 ACK floods 
 RST attacks 
 TCP connection floods 
 Land attacks 
 TCP state exhaustion attacks 
 Fragmentation attacks 
 TCP window size attacks 

6
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

Application
Attackers also attempt to prevent access by exploiting vulnerabilities in the application layer. These vulnerabilities
can be within an application layer protocol as well as within the application itself. Attacks on unpatched,
vulnerable systems do not require as much bandwidth as either protocol or volumetric DDoS attacks in order to be
successful. This style of DDoS attack may require, in some instances, as little as one or two packets to render the
target unresponsive. Application DDoS attacks can also consume application layer or application resources by
slowly opening up connections and then leaving them open until no new connections can be made. Examples of
application DDoS attacks include (but are not limited to):

 HTTP GET floods 

 HTTP POST floods 
 HTTP partial connection floods 
 HTTP overlapping range header attacks 
 DNS amplification attacks 
 Secure Sockets Layer (SSL) exhaustion attacks 
 Session Initiation Protocol (SIP) invite floods 

Layered Attacks

As the name implies, layered attacks use diverse DDoS attacks in an attempt to overwhelm the network and any
defenses that may be in place. While some networks may be able to sustain DDoS attack, their resources may soon
be exhausted, which would allow an application DDoS attack to successfully bypass protection mechanisms and
thus render the target inoperable.

Evasion Techniques

Attackers can modify basic DDoS attacks to evade detection in a number of ways. If a single evasion is successful
and an attack passes through, then all of the defenses in place at that point are nullified. Therefore, it is critical
that any defense put up by an organization is capable of detecting and defending against the many evasion
techniques available to attackers. Some common evasion techniques use IP fragmentation and stream
segmentation. Evasion of defenses may not be critical for attackers if the goal is to overwhelm resources (whether
bandwidth or state exhaustion), but as more organizations install better defense evasion techniques, it could
become a critical component of future DDoS attacks.

DDoS Prevention Solutions

Given the scale and complexity of many modern DDoS attacks, and given that firewall and intrusion prevention
systems (IPS) cannot always mitigate these attacks, many organizations are selecting DDoS prevention solutions as
a critical architectural component in their networks. These solutions provide protection by identifying a specific
DDoS attack and then working to minimize its effect on the network and legitimate traffic. The solutions are
deployed inline or out-of-path and should have performance and reliability requirements similar to other critical
infrastructure components, since they may be required to process potentially large amounts of traffic.

7
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

Inline Protection
Inline DDoS prevention solutions adopt the traditional network security device posture of mitigating, or
“dropping,” malicious traffic inline, and as such, typically consist of a single appliance (or multiple appliances for
high availability scenarios) and are often deployed in front of or behind the perimeter security device. The
appliances can be dedicated stand-alone appliances, or they can be integrated into other traditional security
products, such as IPS and next generation firewalls (NGFW). This type of solution is generally deployed in
enterprises and small-to-medium data centers, but it is not, however, limited to these environments since it can be
designed to handle high throughput scenarios.

Out-of-Path Protection

The out-of-path posture is one where the DDoS prevention solution actively monitors traffic at an ingress point for
malicious activity. Once malicious activity is detected, the DDoS prevention solution uses routing protocols such as
border gateway protocol (BGP) to redirect traffic to a dedicated appliance for inspection and to reintroduce the
legitimate (i.e., non-malicious) traffic into the network. This type of DDoS prevention solution commonly consists
of more than one appliance and is designed to work in higher throughput environments such as large data centers
and ISPs.

Performance Metrics for DDoS Prevention Solutions

Since DDoS protection solutions are intended to run at line rate (even if out-of-path), performance is critical. While
DDoS prevention solutions should be held to the same standards as other pieces of network infrastructure, they
have the additional challenge of being required to process application traffic. The following are examples of
performance metrics that require evaluation when considering DDoS prevention solutions:

 Raw packet processing performance

 Latency
 Maximum throughput capacity
 HTTP capacity (with and without transaction delays)
 Application average response time

Performance Under Attack

In addition to performing at line speeds during normal traffic loads, DDoS prevention solutions must also continue
passing traffic under attack. This is especially critical for latency-sensitive environments or environments that serve
multitudes of customers such as data centers, Internet service providers (ISPs), or financial institutions. DDoS
prevention solutions should be able to still pass legitimate, real-world traffic to the intended destinations,
regardless of the size or complexity of the attack.

8
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

Other Security Requirements

Like other security infrastructure devices, DDoS prevention solutions must continue to operate in spite of multiple
attacks or disruptions in traffic. Beyond processing legitimate traffic throughout an attack, the devices themselves
must be hardened and must offer the same levels of stability and reliability, as well as support the same high-
availability options, which are common in devices such as firewalls and other IPS devices. In addition to
performance, the following factors should be evaluated on a device:

 What happens to the device when power fails?

 Does the device include redundant components (for example, fans, power supplies, hard drive)?
 Does the device data remain persistent during a power failure?
 Is a high-availability option available, and how does the device perform during failover?
o What happens to legitimate traffic?
o How long does the device take to failover?
o Is stateful operation maintained?

Management and Configuration

Management and configuration capabilities should be critical components in the evaluation of a DDoS prevention
solution. Preventing DDoS attacks requires delicate tuning to avoid blocking legitimate traffic. DDoS prevention
solutions are complicated to deploy, and options such as centralized management console options, log
aggregation, and event correlation/management systems further complicate the purchasing decision.
Understanding key comparison points will allow customers to model the overall impact on network service level
agreements (SLAs); estimate operational resource requirements to maintain and manage the systems; and better
evaluate the required skill/competencies of staff. The following considerations should be made for any DDoS
prevention solution.

 How easy is it to install and configure devices and to deploy multiple devices throughout a large enterprise
network? 
 How easy is it to create, edit and deploy complicated security policies across an enterprise? 
 How accurate and timely is the alerting, and how easy is it to drill down to locate the critical information that
is required to remediate a security problem? 
 How effective is the reporting capability, and to what extent can it be customized? 

9
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

Reading List
Distributed Denial-of-Service (DDoS) Prevention Test Methodology v2.0. NSS Labs
https://www.nsslabs.com/research-advisory/library/infrastructure-security/distributed-denial-of-service-
prevention-solutions/ddos-prevention-test-methodology-v2-0/

10
 NSS Labs Analyst Brief – Why Is DDoS Prevention a Challenge?

Contact Information
NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs’ independent testing information services. Leading products
were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.
© 2016 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval
system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.

2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not
guaranteed. All use of and reliance on this report are at the reader’s sole risk. NSS Labs is not liable or responsible for any
damages, losses, or expenses arising from any error or omission in this report.

3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND
EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT
DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE
POSSIBILITY THEREOF.

4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or
software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no
errors or defects in the products or that the products will meet the reader’s expectations, requirements, needs, or
specifications, or that they will operate without interruption.

5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned
in this report.

6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of
their respective owners.

11