Why DDoS attacks aren’t just a security problem… and monitoring traffic isn’t the solution – Part One
Every company’s a target, every customer’s at risk. But the now-cliched threat of data breaches from Distributed Denial of Service (DDoS) attacks obscures a bigger threat: outages that impact not just data integrity but also profitability, brand equity, and customer retention.
The volume of attacks is growing and so is the impact of down time. According to Akamai’s most recent State of the Internet report, DDoS attacks are a bigger threat than ever before. “The number of DDoS attacks continued to increase substantially in Q2 2015, more than doubling the number observed in Q2 2014.”
An even more troubling fact is that it’s getting easier to launch them. Look no further than the darknet to rent a botnet and launch an attack in two clicks. Just this week a particularly nasty Linux vulnerability was exploited to launch a series of attacks observed to generate a crippling 150Gbps in malicious traffic. But the problem is even worse: it’s easier than ever for customers to switch to a competing app or service… and they do in droves when service is unstable or slow.
According to Gomez and Akamai, every second of page load time increases abandonment rates by 5% and 40% of users abandon websites that take more than three seconds to load. More disturbing is that 79% of users won’t return to a site or app when they’re dissatisfied with its performance. Loyalty? Think again. These days, we’re only loyal to reliability and performance.
IT teams struggle to prevent down time during an attack, and often they have little or no visibility into the source of the attack or which systems are impacted. As a result, avoidable outages often aren’t and customer relationships often end tragically before they start.
Aren’t DDoS attacks just a security problem?
DDoS attacks are everyone’s problem. First, they’re a customer problem. I don’t want to be the customer of a bank under attack when withdrawing cash at an ATM. Second, they’re an IT ops problem. Anything that makes monitoring systems convulse is bad and DDoS attacks cause alert volumes to soar like Lewis Black’s blood pressure. Last, they’re obviously a security problem – both because of the threat of a data breach and because everything is vulnerable during an attack.
The obvious conclusion: service availability and performance are the dial tone for modern businesses. The doctor’s stethoscope. The writer’s pen. Security vendors provide part of the solution but it’s incomplete at best. Increasingly, IT ops is as involved in DDoS attack prevention and remediation as IT security and yet they’re painfully under-equipped.
Until now. Correlating alerts generated during DDoS storms gives IT ops visibility into actual incidents – signal vs. noise – and the ability to identify root cause and restore service rapidly. In the past, DevOps teams have often been relegated to the sidelines by SecOps during attacks. With processes in place to correlate alerts at DDoS scale, they now become equal partners.
Yet cultural challenges remain. The ideal state looks like this:
- IT ops can view DDoS attacks from the perspective of service health as effectively as security teams view them from the perspective of data integrity.
- They can correlate DDoS alerts across network gear, load balancers, databases, web and app servers.
- They can identify root cause rapidly by combining historical incident patterns with alerts and enriching them with contextual data like blocked IP ranges.
That’s what’s required for IT ops to respond effectively to DDoS attacks. That’s what I’ll discuss in part two via a customer story about how BigPanda helped thwart a DDoS attack for a Fortune 100 service provider in under an hour. It’s a dramatic tale better suited for direction by Coppola in a rice marsh in Da Nang but I’ll do my best to relay the highlights.