The Facts / What It Takes To Actually Stop A DDoS..

I've seen many posts in the past few months about people under attack who were not able to handle things themselves, and who made statements along the lines of DDoS mitigation services that one has to pay for are too expensive.

First, I will state that my company does offer those services, and they are not cheap. We offer DDoS mitigation services for hosting/colocation/internet providers who can then resell it to their customers. I state this so that you know that I do have a bias here, though everything I state below is fact.

1. There are free open source tools that can help. Apache modules, IPTables scripts that extract info from netstat or syslog, and I know one guy who is puting together a kernel module. Most of these can stop small scale attacks, and are quite interesting to set up - if you like the technical end of things.

2. Most botnets have more than enough zombies to overpower #1 above.

3. If you have a 100 MBPS pipe to the internet, it doesn't take 100 MBPS of traffic to saturate the pipe and take it down. Enough small packets can overload a router's ability to process, and 10-20 MBPS of traffic can take out the router.

4. There may be a few ways to deal with this, though the best in my experience has been to place an intrusion prevention system (IPS) in front of the router. I have a number of friends in the industry who work at companies where malware is analyzed, and where they work with law enforcement to try and identify the attacking parties. This can be a lengthy process and will not often get a site / router back up quickly, though can be very nice in the long term.

5. Not all IPS are equal. I'm not going to name brands, but I've seen one $50,000 box that had gigabit links die after about 80 MBPS of DDoS traffic. If you're looking into IPS, make sure you compare what they actually do, and talk to people who have implemented them.

6. The majority of the IPS that we manage for our customers and that we implement when we have a new customer under attack are from TopLayer. There are three reasons for this; Their IPS actually works the way you would expect it to (the gigabit model can handle a gigabit of DDoS traffic); If there is something that the IPS can't block, we call their dev team who will work with us to figure out a way to block it; And they give us the best deals.

7. Implementing an IPS is not cheap. The suggested retail price for a gigabit level IPS is about $80,000 USD. Consider that a hosting/colo/service provider who has a two gigabit pipe will need two of these.

8. Managing an IPS takes a special skill set. The people with this skill set are usually expensive to hire as employees, and while I've known a few service providers where the chief technical guy (often a partner in the company) has been the one to manage the IPS, this guy has a lot of other important things to do, and doesn't usually want to be woken up at 2am every few days when there's a significant alert from the IPS.

9. Contracting out IPS management and monitoring can run anywhere between $1,000 and $2,000 per month depending on service options, response times, and contract length. This will usually include remote monitoring of the IPS from a security operations center (SOC), and a lot of escalation options on how to deal with attacks.

10. If an attack is using mechanisms that can get past IPS protections (I will not list them here to give people ideas on how to get around IPS protections, though if anyone is in the field and would like to talk about this I'd be more than happy to do so), then there will need to be escalation options at additional fees from other companies who specialize in that particular area. If subscribing to managed services such as #9 above, then these options should be listed with pricing knowledge available to the customer beforehand. In fact, the company offering the managed IPS service should manage the interface between their customer and the escalation company (we certainly do, and that's one of the things that our customers have been very happy about).

11. Considering #7 through #10 above; the cost of buying/leasing an IPS, managing the IPS and/or paying service fees, and escalating technical work in the event that there is something outside the scope of what can be mitigated using the standard tools, it is more than reasonable for a service provider to charge a significant amount of money to their customers for protection readiness, attack mitigation, and emergency setup fees in the event that there is a situation where a customer is being attacked, needs the service immediately, and has not been paying for protection.

12. A service provider will turn off (null route) their customer when the impact of an attack affects the rest of their customer base. If an attack takes out a full 2 GBPS pipe that they have for all their customers, and null routing one customer is the way to keep the other 1,000 customers up, then that one customer will be null routed. It is a sound business decision. In cases like this, there are options for how to deal with that customer, and that customer will have to decide if they are willing / able to pay for said options.