Sep 25 2018

DDoS Attacks: Does Your Provider Offer Adequate Protection?

Along with ransomware, DDoS attacks are the equivalent of a medieval plague for today's data-and-network-dependent companies. And needless to say, they're all looking for protection against strikes that will not only reliably crash their sites and cause immediate financial loss, but – if occurring repeatedly – can also bludgeon their reputation and drive away customers over the medium term. But which service providers are powerful and trustworthy enough to shield their customers' networks and still stick with European data protection and privacy rules? Two new papers from Germany's Federal Office for Information Security (BSI) aim to help CIOs and their teams find the right partners.

Following a massive surge in successful DDoS attacks, both documents present a catalog of meaningful criteria that enterprises can go by when seeking competent DDoS bodyguards as well as a list of only six service providers that passed the internal litmus test. But let's look at the criteria first.

In theory, customers can opt for one of three mitigation methods: running an on-premises mitigation appliance, using a Content Delivery Network (CDN) or ordering DDoS mitigation as a service. Of these, the first is only applicable when adversaries use low bandwidth to carry out application-level attacks, which is basically the opposite of a full-fledged DDoS scenario. CDNs work best in environments with large amounts of static and small amounts of dynamic content. All retrievable content is mirrored across multiple instances and therefore resides closer to the customer. That way, requests are regionalized, which means that the load per instance is lower and access times are shorter. CDNs usually have a large total capacity, so many DDoS attacks can be fended off. In addition, many CDNs use their own intricate filters to block assaults. However, most customers will eventually look for more comprehensive protection strategies and methods, such as the ones large ISPs, CSPs or IT service firms have on offer. Here's where the aforementioned catalog comes into play, as any reasonable "DDoS mitigation service provider" must fulfill the following requirements:

  • Redundant Internet connections are available.
  • DDoS filters are available for common services (Web, Mail, VPN).
  • IPv4 and IPv6 are supported.
  • Access to the configuration platform is TLS-protected.
  • The service provider offers 24/7 availability.
  • The service provider can handle incoming and outgoing TLS connections.
  • The following filter options must be available as a minimum: protocol (TCP, UDP, ICMP, etc.); TCP flags and ICMP type; source and target IP; rate limit per IP or network range.
  • Traffic may be redirected based on DNS and/or BGP.
  • There is an option to divert traffic only in the event of an attack.
  • Mitigation may be activated automatically in the event of an attack.
  • It's possible to embed content that permits recognition of human users (e.g. captchas).
  • Customers may introduce their own definitions regarding permissible and non-permissible traffic based on permissible or special IP ranges, permitted or special regions (Geo-IP) or 'profiles' of permitted traffic.
  • If necessary, the service provider should assist customers in creating such definitions.
  • Filter definitions are automatically derived from the attack pattern.
  • The service provider complies with the same data protection regulations as the customer.

Based on this laundry list, the BSI recommends a total of six (6!) "qualified" service providers that meet most or at least a substantial majority of the above criteria. In alphabetical order, these are:

As you will notice when following the above links, four of these offerings come from German and/or European providers with no apparent ties to the U.S. The exceptions are Akamai Technologies and Arbor Networks, whose headquarters are located in Massachusetts; however, both also have strong European bases with branch offices in Paris, Madrid, Stockholm, Dublin, Frankfurt and Vienna among others. These branches are expected to comply with strict European data protection and privacy regulations, namely the GDPR, which was adopted in 2016 and became effective in May this year – and in fact, Akamai seems to take some pride in its related capabilities. This might also explain why other popular firms that have the prowess to repel DDoS attacks – such as Cloudflare or Verisign – are absent from the BSI's list of trustworthy providers: Although both remain committed to the GDPR, they may be less focused on the European market than their competitors.

TechCommunity members who understand German can download the checklist and provider recommendations here and here.

