The Importance of Regular DDoS Testing

I had to chuckle when a colleague who runs a DDoS mitigation development team recently told me his team is motivated, despite not working on a cutting-edge technology. He asked me why I was laughing, and I answered that you can’t really get too much more cutting edge than DDoS these days.

Yes, DDoS has been around for the better part of 20 years, but comparing the DDoS attacks of 20 years ago to today’s threats is like comparing a high school bully to a professional mixed martial arts (MMA) fighter. The bully knows how to take somebody down with a good haymaker punch, but after being hit a couple of times, victims of such simple tactics find straightforward ways defend themselves. Conversely, an MMA fighter knows countless different ways to take down an opponent and will vary tactics constantly, rendering defense difficult. That’s what we see across the modern DDoS threat landscape. Attacks are more organized, more targeted, more varied, more like legitimate traffic, stealthier, and quite a bit more effective than their predecessors. So while DDoS has been around for a long time, defense in today’s landscape is every inch cutting edge. When I explained this to my colleague, his eyes lit up as he started thinking about a no-doubt rousing speech to make to his dev team.

Another challenging aspect of defending against DDoS attacks lies in the cyclical nature of attacker innovation and attack campaigns. This tends to lull companies into a false sense of security that the protections they put in place sometime in the past are good enough to handle what could come their way today. Unfortunately, the shortcomings involved with such a line of thought tend to leap into the spotlight when attackers launch major DDoS campaigns against whole sets of countries, regions, and/or verticals and a wide swath of companies are targeted. You may remember “Operation Payback” conducted by the anonymous group in 2010/2011; “Operation Ababil”, which targeted U.S. financial institutions in 2012; the Mirai botnet attacks in 2016 that took down Dyn DNS, Krebs on Security, and OVH; and the more recent Memcached attacks in 2018. We are now in the midst of the latest of these prominent happenings, with a global DDoS extortion campaign that has been ongoing for the last six weeks.

Inevitably, luck runs out for most companies, and just when their attention is completely turned away, BAM! A DDoS attack disrupts their business. Judging by the number of customer mitigations, emergency provisioning requests, and deployment validation requests we’ve seen over the past few weeks, this ongoing campaign has definitely had an unwanted impact on the industry. Disruption levels can vary greatly, from minor annoyance to prolonged outages. In our experience, the difference quite often comes down to preparation. Although most businesses have invested in some type of DDoS protection, whether it be a service, a product, or both, not all these businesses keep up with the latest threats and analyze whether their current defenses will provide adequate protection against these new menaces. The same holds true with synching network and application changes with the company’s DDoS solution. Whether it’s a network consolidation, an expansion, the integration of an acquisition, or a move to the cloud, businesses often fail to consider the effect of such changes on their DDoS attack defenses.

I wish I could say that Arbor Cloud customers are immune to this, but unfortunately, that’s not the case. There have been situations when coming under mitigation has led customers to discover that something in their provisioning has changed since the service was set up. At that point, we find ourselves troubleshooting issues while simultaneously mitigating the attack—not ideal. We are skilled at pinpointing issues and resolving them quickly, but it’s far more preferable to avoid the issue to begin with.

Periodic testing is the one tried-and-true way of avoiding such issues. Quarterly readiness testing is included with all Arbor Cloud packages and is a best current practice we recommend to all customers of the service, as well as all customers who use NETSCOUT Arbor products. Regularly testing DDoS defenses provides the following essential safeguards against having DDoS protection go stale:

• Verifies that end-to-end connectivity continues to work as expected. Many of the problems that occur when a mitigation happens are related to network changes that were not accounted for in the mitigation configuration.
• Validates the operational run books applied to your service: what action should be taken and who needs to be informed.
• Makes you focus on what you need to defend. It often reveals additions to the network, new applications, or new data centers that are not being protected.
• Provides peace of mind that the solution you have in place will work when you are the victim of an attack.

The current campaign of extortion-based attacks has raised the global DDoS profile considerably, bringing the conversation to the C-suite at many companies. This is a great time to revisit your testing strategy to make sure you can confidently say you are prepared for an attack. 

Read the latest research on global and regional DDoS attack activity in the 1H 2020 NETSCOUT Threat Intelligence Report.