Skip to main content

82% of DDoS protection has no effect

As much as 82 per cent of solutions billed as protecting against or mitigating the effects of distributed denial of service (DDoS) attacks actually offer little to no protection, according to a new study.

NCC Group's DDoS Testing exercises (opens in new tab) took some of the world's leading DDoS mitigation solutions and took them for a spin, uncovering a startling lack of effectiveness in one of tech's fastest-growing industries.

Expected to be worth over £500 million by 2017, DDoS mitigation solutions have become an increasingly lucrative market. This is due to the increased awareness of companies around the danger and real-world cost of DDoS attacks.

High profile targets such as the Home Office (opens in new tab), as well as the rise of DDoS used as a tool of extortion against businesses (opens in new tab), has also caused the threat to be very much on the radar of IT decision-makers.

But are 4 in every 5 companies out there selling snake oil to concerned businesses?

Rob Horton, director at NCC Group said: "Organisations are spending significant amounts of money to protect themselves from DDoS attacks, but our tests show that this is much more than a simple box ticking exercise. Investment doesn't necessarily equal protection."

The problem is largely that traditional network level DDoS often focuses on volumetric styles of attacks. On the other hand, application level (or Layer 7) DDoS employs a targeted approach whereby initial scoping and research of the target site is required to identity weak points.

"When buying DDoS mitigation services, organisations should be careful to ask if they are getting application layer detection as part of the package," Horton told the press.

"In many cases volumetric bandwidth protection alone won't work."

In 2013 the average size of a DDoS attack was reported to be 2.64Gbps (gigabits per second), a significant rise on previous years.

The world's largest ever cyber attack was carried out on a European network (opens in new tab) last month, weighing in at a stunning 400Gbps.

In its wake, Matthew Prince, the CEO of Cloudflare, tweeted (opens in new tab): "Someone's got a big, new cannon... Start of ugly things to come."

Paul has worked as an archivist, editor and journalist, and has a PhD in the cultural and literary significance of ruins. His writing has appeared in the New York Times, The BBC, The Atlantic, National Geographic, and Discover Magazine, and he was previously Staff Writer and Journalist at ITProPortal.