
IDC Analyst Connection

Christina Richmond
Program Director, Security Services

Distributed Denial of Service: What to Look for in a Provider

November 2013
In 2012, high-profile attacks on the world's leading financial firms thrust denial-of-service (DoS) and
distributed denial-of-service (DDoS) attacks back into the headlines. According to research from IDC,
the worldwide market for DDoS prevention solutions will grow from $377 million in 2012 to
$870 million in 2017, representing a compound annual growth rate (CAGR) of 18.2% over the
five-year period. Volumetric attacks will continue to be the predominant attack type for the
foreseeable future because of the relative ease with which botnets can send a bandwidth or packet
flood in excess of what most enterprise infrastructures can handle. However, this could change
quickly. IDC expects to see an increase in the more advanced hybrid attacks that include application
layer and encrypted traffic. As a result, DDoS attacks are now a mainstream security problem, and
organizations must have a proven mitigation plan in place and a service provider they trust when an
attack occurs.
Christina Richmond, program director of IDC's Security Services practice, answers commonly asked
questions about DDoS attacks and mitigation providers. This paper is sponsored by Prolexic
Technologies.
Q. How long do DDoS events typically last, and what are the business impacts?

A. DDoS attacks occur on multiple layers, including application, network, and transport.
Attack campaigns can last from just a few hours to weeks.
The immediate and obvious impact of a DDoS attack is Web site unavailability. Visitors may
be unable to reach their intended destination. And often, when they do reach their
destination, page load times can be as high as 50 seconds, essentially making the Web site
unusable. Such an event can negatively impact sales revenue (if the site supports
ecommerce transactions), brand image, stock price, customer satisfaction, and even Google
search rankings. These attacks can cripple an entire business, not just the IT infrastructure.
In some cases, DDoS attacks are used as a diversionary tactic where the impact is less
obvious but equally damaging. While the IT and security staff is busy fighting the DDoS
attack, hackers break into IT systems and attempt to steal financial information, credit card
numbers, passwords, intellectual property, and money.

Q. What are the key attributes to look for in a DDoS mitigation provider?

A. It's important to make sure your DDoS provider has the capacity to handle a large-scale
attack. Publicly available statistics cite peak attack rates that are quite large. The ability to
block large attacks is critical to ensuring Web site availability. In addition to scale, a DDoS
provider should have significant experience and skill in mitigating complex application layer

IDC 1597

attacks, including encrypted attacks. Further, a quality provider should have multiple
mitigation layers and techniques and not rely on one or two off-the-shelf devices;
experienced attackers often have a solid understanding of the weak points of these devices
and the limits of their capabilities.
Ask whether a provider measures attacks and what attack analysis it will provide. Can the mitigation
company share the bit and packet rates of attacks it has seen? Is that data produced through direct
observation, that is, from attacks the provider itself mitigated, or secondhand from a publication the
provider is quoting? Because of the increasing size and complexity of attacks, simply deploying
technology is no longer enough. Look for a solution from a service provider that is purpose built
for solving security problems. Experienced engineers and analysts who are engaged in the
DDoS fight day in and day out are more valuable than a provider that touts a high number of
clients or has years of general security experience but doesn't engage in the DDoS fight every
day. To gauge DDoS experience, ask potential service providers how many attacks per hour or
per day they encounter. In addition, it is beneficial to make sure you have a provider that is
committed to creating an intimate relationship with your company. The provider should have
processes in place to get to know your business and create a play-by-play engagement model
that dictates how an attack will be handled, by whom, and with what resources. DDoS
mitigation isn't something you can "set and forget." You must plan for the worst.
Q. How much real-time network visibility should a DDoS mitigation vendor provide?

A. Ideally, a DDoS mitigation vendor should have near-real-time visibility of the customer
network, and not just under attack scenarios. Real-time visibility into network traffic assists
with identification of DDoS attacks. Split-second decisions cannot be made in arrears; rather,
they must be made in the moment of a DDoS attack. In addition, look for a monitoring
platform and customer portal with information that is easy to read and interpret and provides
real-time data and analysis of your network perimeter. Also be sure that your provider
understands the context of what the customer sees in an attack and presents it in such a
fashion that assists rapid decision making during attacks as well as visibility for executive
engagement. A world-class DDoS vendor will also provide industry knowledge and
educational resources as part of its service.
Network visibility is critical for the provider and your teams to make rapid decisions when under
attack. You want to have a customer service partner that can help you navigate the complex
landscape of DDoS alerts that may or may not require mitigation. Also required are flexible and
modular service options that will allow you to scale up or down depending on your needs. An
"always on" mitigation service option is important as is one price regardless of attack size to
protect your company 24 x 7 within a predictable budget. Further, look for a provider that can
assess your infrastructure to advise you on the best mitigation plan for your company.

Q. Why choose a specialist provider?

A. Specialist providers and those that are in the DDoS fight day in and day out have large,
dedicated mitigation networks and expert resources focusing all of their time on DDoS. They
have invested in security as a core expertise and have a security operations center and a
first-responder team of engineers. The environment is purpose built for large-scale DDoS
with real-time analytics.
Look for a company that has a distributed global network of traffic scrubbing centers in the
Americas, Asia, and Europe. A provider that understands that DDoS attacks are not static is
also critical. Methods of attack change constantly from volumetric floods to small, targeted
payloads hidden in HTTP and HTTPS traffic. They can involve SYN floods or DNS-level

2013 IDC

attacks and are often amplified through reflection tactics. DDoS is a highly complex arena
that requires specialized knowledge and attention.
Q. Are application attack (Layer 7) mitigation capabilities a requirement?

A. While it is critical to ensure that a provider has more than enough capacity to be able to
handle large, volumetric infrastructure attacks (targeting Layers 3 and 4), it is also important
that the provider can mitigate stealthy, low-bandwidth application attacks (targeting Layer 7)
that never approach a gigabit per second. Many application attacks are encrypted with Secure
Sockets Layer (SSL, today TLS), so providers should also be evaluated for their ability to mitigate
encrypted attacks. Inspecting encrypted requests means the provider must terminate the session
at its scrubbing center and therefore hold a copy of your certificate's private key, so review the
provider's SSL key management practices as well, to ensure that compliance with any industry
privacy or security regulations can be maintained.
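As an added illustration (not part of the IDC paper and not Prolexic code), the following Python script shows the kind of flow-level triage that separates the attack layers discussed in this answer and in the earlier answers on attack measurement (bit and packet rates per target) and on changing attack methods (SYN floods, DNS reflection, small payloads hidden in HTTP and HTTPS). It runs offline over a constructed ten-second window of NetFlow-style records; the record fields, the RFC 5737 sample addresses, and the thresholds are assumptions chosen for the example.

```python
# Added example: flow-record triage by DDoS attack layer (not IDC or Prolexic code).
# Field names, sample addresses (RFC 5737 ranges) and thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    npkts: int
    nbytes: int
    flags: str       # TCP flags seen in the flow, e.g. "S", "SA", "PA"; "" for UDP
    window_s: float  # length of the collection interval in seconds


def rates(flows):
    """Packet and bit rate per destination: {dst: (pps, bps)}."""
    pkts, byts, win = defaultdict(int), defaultdict(int), {}
    for f in flows:
        pkts[f.dst] += f.npkts
        byts[f.dst] += f.nbytes
        win[f.dst] = f.window_s
    return {d: (pkts[d] / win[d], byts[d] * 8 / win[d]) for d in pkts}


def classify(flows, min_sources=50, dns_avg_bytes=1000, volumetric_bps=1e9):
    """Label each destination with the attack patterns its flows suggest.

    Heuristics (thresholds are illustrative assumptions):
      syn_flood       many distinct sources sending SYN-only TCP segments (Layer 4)
      dns_reflection  UDP from source port 53, many sources, large average packet,
                      and the target sent no DNS queries itself (Layer 3/4,
                      amplified through reflection)
      l7_suspect      many established sessions pushing data to 80/443 while the
                      total volume stays far below the volumetric threshold; flow
                      data cannot see the requests, so this only prompts Layer 7
                      (and, for 443, decrypted) inspection rather than proving an attack
    """
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    dns_clients = {f.src for f in flows if f.proto == "udp" and f.dport == 53}
    bps = {d: r[1] for d, r in rates(flows).items()}
    labels = {}
    for dst, fl in by_dst.items():
        found = []
        syn_srcs = {f.src for f in fl if f.proto == "tcp" and f.flags == "S"}
        if len(syn_srcs) >= min_sources:
            found.append("syn_flood")
        dns = [f for f in fl if f.proto == "udp" and f.sport == 53]
        if dns:
            avg = sum(f.nbytes for f in dns) / sum(f.npkts for f in dns)
            if (len({f.src for f in dns}) >= min_sources
                    and avg >= dns_avg_bytes and dst not in dns_clients):
                found.append("dns_reflection")
        web = {f.src for f in fl
               if f.proto == "tcp" and f.dport in (80, 443) and "P" in f.flags}
        if len(web) >= min_sources and bps[dst] < volumetric_bps / 100:
            found.append("l7_suspect")
        labels[dst] = found
    return labels


def sample_flows():
    """Constructed 10-second window: three targets plus benign traffic."""
    fl = []
    for i in range(60):  # spoofed sources, SYN only, toward 203.0.113.10:443
        fl.append(Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", 40000 + i, 443,
                       100, 6000, "S", 10.0))
    for i in range(60):  # open resolvers returning 3000-byte answers to 203.0.113.20
        fl.append(Flow(f"192.0.2.{i}", "203.0.113.20", "udp", 53, 33000 + i,
                       10, 30000, "", 10.0))
    for i in range(80):  # many small established sessions to a web host
        fl.append(Flow(f"198.51.100.{100 + i}", "203.0.113.40", "tcp",
                       50000 + i, 443, 5, 600, "PA", 10.0))
    # benign: a host resolves a name and receives one ordinary answer
    fl.append(Flow("203.0.113.30", "192.0.2.200", "udp", 41234, 53, 1, 70, "", 10.0))
    fl.append(Flow("192.0.2.200", "203.0.113.30", "udp", 53, 41234, 1, 120, "", 10.0))
    return fl


if __name__ == "__main__":
    flows = sample_flows()
    labels = classify(flows)
    for dst, (pps, bps) in sorted(rates(flows).items()):
        print(f"{dst:15} {pps:8.1f} pps {bps / 1e6:9.3f} Mbps {labels[dst]}")
```

The script deliberately keeps the Layer 7 label weak: with only flow records, the most it can say is that many low-volume established sessions are hitting a web port, which is exactly why the answer above asks for a provider with request-level (and, for HTTPS, decrypted) visibility rather than bandwidth counters alone.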

About This Analyst

Christina Richmond is a program director for IDC's Security Services research practice. In this role, she is responsible for
IDC's worldwide research and analysis on enterprise and service provider security consulting and integration services.

About This Publication

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein
are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor
sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by
various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.
Copyright and Restrictions

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires
prior written approval from IDC. For permission requests, contact the Custom Solutions information line at 508-988-7610 or
gms@idc.com. Translation and/or localization of this document requires an additional license from IDC.
For more information on IDC, visit www.idc.com. For more information on IDC Custom Solutions, visit www.idc.com/gms.
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

2013 IDC
