3 Major Limitations of ISP DDoS Protection

Earlier this year, Andorra Telecom suffered a DDoS attack during a Minecraft tournament, taking not only some of the top players offline but cutting off internet service to millions of private and business customers throughout the country. A few months ago, Columbia Wireless suffered DDoS attacks that caused all its customers to face downtime in the middle of a business day.

You might think that an ISP that services millions of customers would have the best DDoS protection in place to protect their customers. On the contrary, their inability to defend themselves in the face of DDoS attacks makes them one of the most popular targets for malicious threat actors, and their customers suffer as a result.

In this post, we’ll explore a few limitations ISPs have when offering DDoS protection to their customers and what organizations can do to minimize their DDoS risk.


1)     ISPs are not always able to detect both higher and lower levels of malicious traffic. 

Since ISPs generally use shared networks and bandwidth for all of their customers, they want to protect their networks at all costs – even if it occasionally means cutting internet services entirely to one of them (i.e. blackholing). As a result, ISPs are mainly on the lookout for volumetric attacks and generally only at a certain rate. They are typically very cautious about blocking lower levels of illegitimate traffic for customers because they don’t want to create possible false positives of DDoS attacks, which would accidentally block legitimate users from internet services.

False positives occur when traffic from legitimate users is falsely identified as attackers. For example, this can happen when a gaming company suddenly hosts a new and widely successful tournament and as a result, their DDoS mitigation product suddenly notices ten times the traffic it used to see. It then marks this traffic as unusual since it was configured to deal with a lower amount of traffic, and the current traffic rates are higher than the configured thresholds. It will then consider the online gaming traffic for the new tournament as an attack and will block all incoming traffic above the learned and configured thresholds.

Learned thresholds are related to AI technology. Usually, when deploying a new DDoS product, time is invested in AI learning how the network operates in peacetime. After some time, baselines are created, and the DDoS mitigation is automatically set to consider a much higher rate as a possible attack.

Make sure your DDoS protection can detect both higher and lower levels of malicious traffic as well as:

• distinguish between illegitimate and legitimate traffic
• protect your organization against new and evolving DDoS attacks,
• adjust to update its protection according to your organization’s network updates

2) Blackholing is a method ISPs use to protect its customers against DDoS attacks.

Though many ISPs offer some form of DDoS protection, it’s usually against volumetric attacks. The main focus of ISPs is to provide internet services to all of their end customers.

In order to ensure internet services to their customer base, many ISPs use a blackholing method for dealing with DDoS attacks. Essentially, it means they disconnect a customer from the internet (i.e. stop publishing its network) if they identify unusually large volumes of traffic that can be considered as a DDoS attack on their infrastructure.

By doing that, two things happen:

1. DDoS attacks can no longer reach the ISPs when continuing to attack a blackholed address
2. The blackholed address stops being available on the internet and therefore, the attackers achieve their goal

Blackholing, or dropping traffic of a specific IP in a network, was what happened to Kiwi Farms this August after the user-generated online discussion forum was targeted by a DDoS attack.


Source: Kiwi Farms website (archive)

Blackholing is one of the methods ISPs use to protect their customers against DDoS attacks. Since attackers know ISPs use this method, they know that they don’t have to put much effort into strong or sophisticated DDoS attack methods. Launching a very high, “simple” DDoS attack traffic results in the ISP blackholing their targeted organization. They’ve achieved their goal regardless: downtime.

You should have full visibility into your organization’s dynamic attack surface with a clear picture of your risk exposure. To achieve this, you must employ a solution that automatically and continuously detects DDoS threats and analyzes and prioritizes remediation across your entire network. Of equal importance is the ability to ensure your mitigation systems are up to date on network configuration changes and all DDoS vulnerabilities as they become available.

3) Most ISPs lack a trusted method for testing the effectiveness of their DDoS protection.

When enterprises rely on an ISP provider for DDoS protection, they rely on the effectiveness of the ISPs’ DDoS solution and operations.

The truth is that DDoS threats are never eliminated due to the dynamic nature of networks and technologies. Newly evolving and changing networks and technologies always mean new possible security risks. That also applies to DDoS threats.

The only way to gain true visibility of your network’s DDoS vulnerability level and understand how susceptible your network is to DDoS attacks is by constantly testing it. The standard way to test your organization for DDoS vulnerability today is with red team DDoS testing.

But these test results don’t adequately reflect your network resilience against DDoS attacks.
Instead, they demonstrate how your cyber security teams respond to a DDoS attack while it possibly suffers from downtime.

How can enterprises ensure that the DDoS protection they have in place is working before they come under attack?

Adaptive DDoS Testing that Delivers Full Attack Surface Coverage

With the success of DDoS attacks, ISP providers need to do everything they can to strengthen themselves against DDoS risk. Regardless of the type of DDoS protection your organization ends up getting, you’ll need to continually test its effectiveness. This is done by continuously checking every attack vector against every target to identify DDoS vulnerabilities with zero operational downtime or maintenance windows, thereby confidently protecting you and your customers against the growing threats of DDoS attacks.


Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Updated.
Get our Newsletter*

Recent posts

Rapid Reset: the New DDoS Threat

CISA (Cybersecurity and Infrastructure Security Agency) urged organizations that provide critical internet delivery services to immediately apply patches and other mitigations after an internet-wide security

Read More