Why DDoS attacks aren’t just a security problem… and monitoring traffic isn’t the solution – Part One


An even more troubling fact is that it’s getting easier to launch them. Look no further than the darknet to rent a botnet and launch an attack in two clicks. Just this week a particularly nasty Linux vulnerability was exploited to launch a series of attacks observed to generate a crippling 150Gbps in malicious traffic. But the problem is even worse: it’s easier than ever for customers to switch to a competing app or service… and they do in droves when service is unstable or slow.

According to Gomez and Akamai, every second of page load time increases abandonment rates by 5% and 40% of users abandon websites that take more than three seconds to load. More disturbing is that 79% of users won’t return to a site or app when they’re dissatisfied with its performance. Loyalty? Think again. These days, we’re only loyal to reliability and performance.

IT teams struggle to prevent downtime during an attack, and often they have little or no visibility into the source of the attack or which systems are impacted. As a result, outages that could have been avoided aren't, and customer relationships often end tragically before they start.

Aren’t DDoS attacks just a security problem?

DDoS attacks are everyone’s problem. First, they’re a customer problem. I don’t want to be the customer of a bank under attack when withdrawing cash at an ATM. Second, they’re an IT ops problem. Anything that makes monitoring systems convulse is bad and DDoS attacks cause alert volumes to soar like Lewis Black’s blood pressure. Last, they’re obviously a security problem – both because of the threat of a data breach and because everything is vulnerable during an attack.

The obvious conclusion: service availability and performance are the dial tone for modern businesses. The doctor’s stethoscope. The writer’s pen. Security vendors provide part of the solution but it’s incomplete at best. Increasingly, IT ops is as involved in DDoS attack prevention and remediation as IT security and yet they’re painfully under-equipped.

Until now. Correlating alerts generated during DDoS storms gives IT ops visibility into actual incidents – signal vs. noise – and the ability to identify root cause and restore service rapidly. In the past, DevOps teams have often been relegated to the sidelines by SecOps during attacks. With processes in place to correlate alerts at DDoS scale, they now become equal partners.

Yet cultural challenges remain. The ideal state looks like this:

  • IT ops can view DDoS attacks from the perspective of service health as effectively as security teams view them from the perspective of data integrity.
  • They can correlate DDoS alerts across network gear, load balancers, databases, web and app servers.
  • They can identify root cause rapidly by combining historical incident patterns with alerts and enriching them with contextual data like blocked IP ranges.
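One way to realise the second and third points, as an added example that is not BigPanda's code: a time-window correlator that collapses a constructed multi-tier alert storm into a handful of incidents and enriches each with which source addresses already fall inside blocked ranges (the alerts, the 60-second window and the blocked ranges are all assumptions).

```python
# Added example, not BigPanda's code: constructed alerts, assumed window and ranges.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 60  # assumption: alerts this close together belong to one incident
# Assumption: ranges already blocked at the edge; used only to enrich incidents.
BLOCKED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed alert stream: (epoch seconds, tier, host, message, source IP or None)
ALERTS = [
    (1000, "network", "edge-rtr-1", "SYN rate threshold exceeded", "203.0.113.9"),
    (1004, "loadbalancer", "lb-1", "backend connection pool exhausted", None),
    (1010, "web", "web-3", "5xx rate above 20%", "203.0.113.77"),
    (1012, "web", "web-4", "5xx rate above 20%", "198.51.100.200"),
    (1030, "database", "db-1", "connection limit reached", None),
    (5000, "web", "web-1", "disk 90% full", None),  # unrelated noise, much later
]

@dataclass
class Incident:
    start: int
    end: int
    alert_count: int = 0
    tiers: set = field(default_factory=set)
    blocked_sources: set = field(default_factory=set)    # already handled at the edge
    unblocked_sources: set = field(default_factory=set)  # what responders still need to act on

def enrich(incident, src):
    """Classify a source IP against the blocked ranges (contextual enrichment)."""
    if src is None:
        return
    if any(ip_address(src) in net for net in BLOCKED_RANGES):
        incident.blocked_sources.add(src)
    else:
        incident.unblocked_sources.add(src)

def correlate(alerts, window=WINDOW_SECONDS):
    """Time-window correlation: an alert within `window` s of the previous one joins
    the open incident; a larger gap starts a new one. Thousands of alerts -> few incidents."""
    incidents = []
    for ts, tier, _host, _msg, src in sorted(alerts):
        if not incidents or ts - incidents[-1].end > window:
            incidents.append(Incident(start=ts, end=ts))
        inc = incidents[-1]
        inc.end = ts
        inc.alert_count += 1
        inc.tiers.add(tier)
        enrich(inc, src)
    return incidents
```

Running `correlate(ALERTS)` yields two incidents: one spanning all four tiers with two already-blocked sources and one that still needs attention, and a single-alert incident that is plain noise.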

That’s what’s required for IT ops to respond effectively to DDoS attacks. That’s what I’ll discuss in part two via a customer story about how BigPanda helped thwart a DDoS attack for a Fortune 100 service provider in under an hour. It’s a dramatic tale better suited for direction by Coppola in a rice marsh in Da Nang but I’ll do my best to relay the highlights.