Top 9 Challenges Associated with DDoS Mitigation Efforts
Overcoming common hurdles to maximize DDoS protection

Cyber adversaries are getting more sophisticated. With powerful malware, ransomware, and other cyberattacks continually getting more evasive and malicious, cybersecurity teams need to stay alert. Another type of cyberattack that is increasing in complexity is the distributed denial-of-service (DDoS) attack. These attacks are getting larger, smarter, and more destructive.
Whether it be a large-scale volumetric attack or a hyper-targeted application layer attack, powerful dedicated DDoS mitigation is necessary to weather the storm these attacks spin up. A recent IDC study identified nine key challenges associated with survey respondents’ organizational DDoS mitigation efforts.
Let’s dive into each challenge:
- DDoS as a tactic to obscure or enhance other data theft/intrusion/extortion attempts (41 percent of respondents)
DDoS attacks are often used as a smoke screen to distract teams from other nefarious activities. While the network and security teams are busy fighting to get key services and applications back online during a DDoS attack, adversaries can exploit other areas of the network to gain access and carry out stages of a full-scale cyberattack or extract data.
- Security gaps/blind spots due to complexity of environment (39 percent)
Scalability is key to a holistic DDoS protection solution. If you cannot see into every area of the network and application layers, then there are places that attackers can exploit. Robust instrumentation that can handle the complexity and scale of an enterprise or service provider network is imperative to a stout defense, so finding a solution that can satisfy the network’s unique requirements is necessary.
- High frequency of attacks results in excessive costs for mitigation (37 percent)
Most organizations get their DDoS attack protection from a managed security services provider. Many of these services charge their customers an attack mitigation fee that is applied per attack. The more attacks, the higher the costs. An alternative is to seek managed DDoS protection services that do not charge per attack or to deploy your own DDoS protection on premises, where you own the licenses for products and you detect and mitigate attacks. Depending on the number of attacks, a strong return on investment (ROI) can be achieved quickly.
- Stealthy application layer attacks that avoid triggering detections (34 percent)
Application layer attacks, also known as layer 7 DDoS attacks, are often smaller in volume, but are equally or more destructive than their large-scale volumetric relatives. Not having dedicated DDoS protection solutions that monitor these smaller-volume attacks can be detrimental to application availability, because many ISP-provided or other solutions function based on thresholds, and if an attack is smaller in size it may not trigger mitigation. Enabling protection at the application layer that looks for anomalies and other telltale signs of a DDoS attack customized to your environment can help prevent these devastating attacks from being successful.
- Large-scale volumetric attacks overwhelm existing defenses (30 percent)
Adequate scrubbing and mitigation capacity cannot be undervalued as volumetric attacks continue to get larger and larger. Cloud-based DDoS protection with a high capacity is the solution to this problem. The ideal management of all DDoS attacks, from stealthy, smaller application layer attacks to large-scale volumetric attacks that shut down your internet circuit, is a hybrid approach. The key to this approach is to have mitigation capacity in the cloud, through a dedicated DDoS service or one provided by an ISP, coupled with a dedicated on-premises solution.
- Widely distributed attacks targeting a broad range of IP addresses to avoid detection, such as a carpet-bombing attack (29 percent)
Carpet-bombing DDoS attacks can be devastating to large enterprise and service provider networks. Holistic, adaptive DDoS defenses that can block attacks as they change targets within your IP range can automatically detect and mitigate these attacks, provided DDoS misuse traffic is detected across the entire network, not just on a per-host basis.
- Multivector attacks complicate detection and mitigation efforts (25 percent)
Adaptive DDoS protection that automatically updates defensive measures based on new attack vectors detected helps mitigate multivector attacks. Whether the different attack vectors target a host or network simultaneously or change from one to another as they are blocked, a solution that can handle the full gamut of DDoS attack vectors and evolve as the attack matures and gets smarter is a necessity.
- Specific protocols require specialized protection, such as DNS (22 percent)
Domain Name System (DNS) DDoS protection is imperative to ensuring DNS water torture/NXDOMAIN attacks are not successful. Automatic detection of malformed DNS traffic based on machine learning (ML) to validate and store good and bad DNS sources coupled with appropriate rate limiting are paramount in configuring a stout DNS DDoS defensive strategy.
- Short-burst/rapid-fire attacks that exploit long detection times (22 percent)
Some DDoS protection solutions have duration thresholds for mitigating attacks. This can lead to successful short-burst attacks or, worse, a series of successful rapid-fire attacks that together render key services and applications unavailable for extended periods of time.
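The carpet-bombing item above says detection has to work across the network, not per host. The following is an added example (not from the IDC study or any vendor product) that shows a per-host threshold missing traffic that a per-prefix aggregate catches; the thresholds, the /24 grouping and the traffic summary are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for illustration only; tune to your own baselines.
HOST_THRESHOLD_MBPS = 100     # alert when one destination host exceeds this
PREFIX_THRESHOLD_MBPS = 1000  # alert when one destination prefix exceeds this
PREFIX_LEN = 24               # aggregate destinations into /24 networks
MIN_HOSTS = 16                # "carpet" means many hosts hit, not one heavy host


def build_sample():
    """Constructed one-minute traffic summary: (destination IP, Mbps)."""
    flows = [(f"203.0.113.{h}", 40) for h in range(1, 65)]  # spread across 64 hosts
    flows += [("198.51.100.10", 60), ("198.51.100.20", 30)]  # ordinary traffic
    return flows


def per_host_alerts(flows):
    """Classic per-destination threshold check."""
    totals = defaultdict(int)
    for dst, mbps in flows:
        totals[dst] += mbps
    return sorted(d for d, m in totals.items() if m >= HOST_THRESHOLD_MBPS)


def per_prefix_alerts(flows):
    """Aggregate by destination prefix and require a wide spread of hosts."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for dst, mbps in flows:
        net = ipaddress.ip_network(f"{dst}/{PREFIX_LEN}", strict=False)
        totals[net] += mbps
        hosts[net].add(dst)
    return {
        str(net): (totals[net], len(hosts[net]))
        for net in totals
        if totals[net] >= PREFIX_THRESHOLD_MBPS and len(hosts[net]) >= MIN_HOSTS
    }


if __name__ == "__main__":
    sample = build_sample()
    print("per-host alerts:  ", per_host_alerts(sample))
    print("per-prefix alerts:", per_prefix_alerts(sample))
```
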
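For the DNS item above, a simple heuristic for spotting water torture/NXDOMAIN traffic is a zone whose queries are almost all NXDOMAIN and almost all for distinct names. This is an added example using fixed ratios, not the ML-based approach the article mentions; the thresholds, the two-label zone rule and the query log are constructed assumptions.

```python
import random
from collections import defaultdict

# Assumed thresholds for illustration only.
MIN_QUERIES = 50    # ignore zones with too little traffic to judge
NX_RATIO = 0.8      # share of answers that are NXDOMAIN
UNIQUE_RATIO = 0.8  # share of queries that ask for a never-repeated name


def zone_of(qname):
    # Simplification (assumption): the last two labels are the zone.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def build_sample():
    """Constructed resolver log: (query name, response code)."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    log = []
    for _ in range(200):  # random-label queries against one zone
        label = "".join(rng.choice(alphabet) for _ in range(12))
        log.append((f"{label}.victim.example", "NXDOMAIN"))
    for i in range(300):  # ordinary repeated lookups
        log.append((f"{('www', 'mail', 'api')[i % 3]}.shop.example", "NOERROR"))
    log += [("wwww.shop.example", "NXDOMAIN")] * 5  # a user typo, repeated
    return log


def suspicious_zones(log):
    """Return {zone: (queries, nx_ratio, unique_ratio)} for flagged zones."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for qname, rcode in log:
        s = stats[zone_of(qname)]
        s["total"] += 1
        s["names"].add(qname.lower())
        s["nx"] += rcode == "NXDOMAIN"
    flagged = {}
    for zone, s in stats.items():
        if s["total"] < MIN_QUERIES:
            continue
        nx = s["nx"] / s["total"]
        uniq = len(s["names"]) / s["total"]
        if nx >= NX_RATIO and uniq >= UNIQUE_RATIO:
            flagged[zone] = (s["total"], round(nx, 2), round(uniq, 2))
    return flagged


if __name__ == "__main__":
    print(suspicious_zones(build_sample()))
```
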
NETSCOUT’s Arbor DDoS mitigation can help organizations prevent most DDoS attacks from being successful. The AI-powered, hybrid, adaptive DDoS protection capabilities within the Arbor suite of products can automatically detect and mitigate most types of DDoS attacks, regardless of size (large or small) and duration (long or short). Arbor solutions are continuously armed with the ATLAS Intelligence Feed (AIF), powered by industry-leading visibility into the world’s internet traffic and with AI to automatically block the latest known DDoS threats.
Read the IDC Spotlight.