Skip to main content

82% of DDoS protection has no effect

As much as 82 per cent of solutions billed as protecting against or mitigating the effects of distributed denial of service (DDoS) attacks actually offer little to no protection, according to a new study.

NCC Group's DDoS Testing exercises took some of the world's leading DDoS mitigation solutions and took them for a spin, uncovering a startling lack of effectiveness in one of tech's fastest-growing industries.

Expected to be worth over £500 million by 2017, DDoS mitigation solutions have become an increasingly lucrative market. This is due to the increased awareness of companies around the danger and real-world cost of DDoS attacks.

High profile targets such as the Home Office, as well as the rise of DDoS used as a tool of extortion against businesses, has also caused the threat to be very much on the radar of IT decision-makers.

But are 4 in every 5 companies out there selling snake oil to concerned businesses?

Rob Horton, director at NCC Group said: "Organisations are spending significant amounts of money to protect themselves from DDoS attacks, but our tests show that this is much more than a simple box ticking exercise. Investment doesn't necessarily equal protection."

The problem is largely that traditional network level DDoS often focuses on volumetric styles of attacks. On the other hand, application level (or Layer 7) DDoS employs a targeted approach whereby initial scoping and research of the target site is required to identity weak points.

"When buying DDoS mitigation services, organisations should be careful to ask if they are getting application layer detection as part of the package," Horton told the press.

"In many cases volumetric bandwidth protection alone won't work."

In 2013 the average size of a DDoS attack was reported to be 2.64Gbps (gigabits per second), a significant rise on previous years.

The world's largest ever cyber attack was carried out on a European network last month, weighing in at a stunning 400Gbps.

In its wake, Matthew Prince, the CEO of Cloudflare, tweeted: "Someone's got a big, new cannon... Start of ugly things to come."