DDoS Protection Services

Distributed denial of service (DDoS) attacks are now an established aspect of the threat landscape. The number of attacks reported continues to rise, as does the recorded peaks for the traffic they can deliver. ‘Booter’ services, the prevalence of poorly configured IoT devices and access to command and control operations for botnets like Mirai mean threat actors need relatively low levels of sophistication or competence to disrupt or completely disable unprepared organisations. Even those organisations that already have countermeasures in place must remain alert and aware to threat actors who adjust their tools, techniques and procedures (TTPs) to circumvent controls or exhaust and overwhelm defenders. 

Booter Service

“There is a lack of ultimate control associated with this attack. You can’t prevent attempts, and likely need to rely on help from some upstream allies to defend if/when attempts are made. If someone points their botnet at you, hopefully you have a plan of action to engage your ISP(s) and DoS mitigation service to thwart the attack with minimal interruption or service degradation. “ 
Verizon’s 2017 Data Breach Investigations Report

In the response to the threat, numerous mitigation providers have stepped forward to offer would-be victims some chance of protecting themselves. Whilst typically offering similar looking services, the details and specifics of how these work and how these services can be integrated can differ significantly. 

This post looks to set out some key considerations to make if you’re looking to get help with protecting your organisation from DDoS attacks. This is by no means an exhaustive source and you should look to fully understand, capture and satisfy you organisation’s unique protection requirements and commercial limitations.

“Understanding the types and levels of mitigation you need is key. What assets do you have exposed to potential DDoS? What is the impact of not having those assets? Business as usual? End of the world? DDoS services all have different capacities, detection methods and types of services. Do you need to resist the median attack (both in size and duration) or do you want to be safe from the bigger and longer attacks that are possible?”  
Verizon’s 2017 Data Breach Investigations Report

Case Studies and References

Before going down the rabbit hole its worth checking to see if the solution provider you’re considering is already working with organisations similar to your own. If they are, there’s a good chance that they will already be familiar with some of the specific legal, technical or regulatory challenges organisations like yours face. This is specifically relevant for organisations that have more than just PCI-DSS and DP/GDPR requirements. 
  • Enquire about case studies and references. If you operate in challenging legal/technical/regulatory market, seriously consider if you want to be this supplier’s ‘first’ or ‘in’. This might not only help you reduce the pool of vendors you’re considering but might save you time, disruption and compliance headaches in the future. 


In order for you to benefit from DDoS mitigation services you’ll need to be able to get it working. There's a lot to consider in regards to technical implementation and this will likely form a significant percentage of your requirements. Understanding what it is you' re trying to protect and how your applications and services work will be vital. 

  • How does their solution work? Specifically, how do you route traffic to/through it?
  • If you’ll need to use BGP, is there a minimal network range size they support?
  • Does the protection service include CDN like caching and is so does it support cache-busting?
  • Does the service support HTTP2? Do you need support for web sockets? 
  • Does the service support the use of 3rd party certificates and are there any constraints around the use of ciphers? Can the service support Server Name Indication (SNI)?


Understanding how the service mitigates attacks is important. A lack of understanding here increases the likelihood of false-positives and the last thing you want is a control meant to prevent outages, causing one. 

  • Specifically where does mitigation occur? What is the solutions attack mitigation capacity (Globally/Per Region/Per Market etc). 
  • What levels of granularity does the solution afford around mitigation? Does it support unique policies/configurations/thresholds per application/site? 
  • How does the solution handle typical traffic anomalies? 
  • Does the solution employ reputation services for filtering purposes? What are these?
  • What behaviour is supported and/or observable during the mitigation of attacks?


When considering DDoS mitigation you'll also want to consider ownership for the service.

  • Does the solution come with any managed services options? 
  • What logging and alerting options does the solution support? Are these real-time? How are alerts/logs/real-time events exposed? Are their native integration options available for your logging/SIEM products? 


Popular posts from this blog

Possibly the only *good* example of identity theft

Tools & Techniques - Kali Linux of a Raspberry Pi

Building an IDS on RHEL 7 using Suricata