The increase in frequency, duration and strength of distributed denial of service (DDoS) attacks has brought mitigation solutions back to the forefront of the cybersecurity discussion. In this post we discuss a very important, yet often overlooked, aspect of BGP-enabled DDoS protection—time to mitigation.

In a perfect world, DDoS mitigation begins immediately at the first sign of incoming attack traffic. But in the real world, BGP-enabled mitigation solutions take time to kick in.

Your “time to mitigation” is the period from when the first malicious packets arrive at your doorstep to when they start being scrubbed by your DDoS mitigation provider. This is also when your infrastructure is at its most vulnerable. The longer the delay, the more likely the attack is to succeed. Once it does, you’re at the point of no return because your service is already down.

With the average cost of DDoS downtime amounting to $40,000 per hour, that extended time to mitigation may end up costing your organization tens of thousands of dollars in lost business and damaged reputation. Perhaps even hundreds of thousands, if it takes your service several hours to fully recover.

This is why your time to mitigation so important. However, it’s rarely discussed, as service providers are reluctant to reveal concerns about their product. Often it falls on you, the client, to raise the subject during a sales call—or learn about it later, during a full-on attack.

What Influences Time to Mitigation

There are several steps that must be taken before a BGP-enabled DDoS mitigation service can start blocking malicious incoming traffic. Estimating how long it takes for you and your provider to take these steps will help determine your approximate time to mitigation.

Optimal time to mitigation timeline

The three questions outlined below will help you gauge the time it will take you to mitigate an attack and provide useful information as to what you can expect when one takes place.

1. How fast can you identify an attack?

DDoS assaults are often not immediately noticeable. Most start slow, ramping up over time as they overwhelm a network with growing amounts of traffic.

Companies operating their own 24×7 network operations centers (NOC) notice these traffic increases fairly easily. However, even when detected, there is always some degree of uncertainty about the nature of the traffic. This is because the influx can be also attributed to organic changes in traffic flow (e.g., successful marketing or PR campaigns).

The situation is direr for businesses that do not have the resources to run their own NOC. They typically don’t notice an attack is underway until a client notifies them of connection issues, or their uptime checker reveals that their site is down. In both cases, it’s too late.
Example of a DDoS attack's progression

An example of a DDoS attack’s progression.

In the end, your ability to rapidly identify assaults depends on the existence of an always-present monitoring mechanism that can inspect each incoming packet and sort out DDoS traffic (e.g., by looking at its size, header, IP data).

Being a “practice what you preach” company, Imperva Incapsula offers an alerts monitor to supplement our BGP-enabled Infrastructure Protection service. With it, our customers can recognize DDoS traffic buildup from the onset.

2. How quickly can you activate your mitigation service?

After confirming that an attack is taking place, the next step is to activate your mitigation service.

The activation time varies depending on your service provider’s policy. Do you need to communicate with your provider to activate its service? This is the single most-important question to ask.

If yes, activation delay is likely to be more significant, simply because more human interactions are involved. Verify that your contract includes 24×7 support and has a maximum response time clause.

You should expect your provider to offer a self-activation option. Otherwise you’ll waste precious time on the phone—just as attack traffic starts building up.

3. How quickly can the service start scrubbing?

After activation, your service has to analyze traffic flow before it can start scrubbing, wasting precious time. This duration depends on the processing capabilities of its mitigation hardware and filtering software. Inquire about these, or at least get a general idea about how long it takes for scrubbing to commence.

Improving on this metric was one of the main reasons for the development of the Incapsula Behemoth scrubbers, each of which can process 100 Gbps of data per second and can start filtering out packets within seconds.

An Always-On Solution

Traditionally, BGP solutions only offer on-demand protection—they need to be manually activated once an attack is identified.

Incapsula is looking to change that scenario with IP Protection—a new service that provides the same quality of defense as BGP solutions to customers who do not own an entire C Class Subnet.

IP Protection is a DDoS mitigation service that can be configured to be always-on, with no server performance impact. And best of all, it can be deployed to protect individual IPs—not just entire subnets.

While IP Protection is currently in beta mode, it’s in an advanced development stage and is already used by dozens of our clients.

To learn more about IP Protection and to apply for its beta program, email us at: ip.protection.beta@incapsula.com.


Would you like to write for our blog? We welcome stories from our readers, customers and partners. Please send us your ideas: blog@incapsula.com