Cyber security vulnerabilities (also referred to here as general vulnerabilities) usually refer to weaknesses in software code that allow threat actors to take advantage of vulnerable programs, web applications, or systems for malicious purposes.
DDoS vulnerabilities are different.
General vulnerabilities are, at some level, a result of software design flaws, not of how the systems, web applications, or programs are used, and each vulnerability can be fixed or patched to completely prevent threat actors from exploiting it. The Equifax cyberattack in September 2017, for example, in which cyber criminals penetrated Equifax and exposed the information of 143 million Americans, started by exploiting a known general vulnerability on the Equifax website (enumerated as CVE-2017-5638) that Equifax had not patched in time to avoid the attack.
DDoS vulnerabilities are essentially different from general vulnerabilities in that they are not a result of design flaws; they are part of the inherent design of DDoS mitigation.
How is DDoS mitigation inherently vulnerable?
Whether your DDoS mitigation is based on a cloud scrubbing service, an on-premises device (CPE) or a hybrid solution, its technology isn’t plug & play like other network devices (e.g. routers, firewalls). It blocks DDoS attacks only as long as it is perfectly configured, both at the network level and at the IP address level, to the underlying network it is protecting. This is why DDoS mitigation default settings need to be finely tuned for each and every network, and why two environments rarely share the same DDoS mitigation configuration.
The problem is that once a DDoS mitigation solution is perfectly configured it isn’t designed to automatically adapt to changes in the underlying network it is protecting. Because networks are constantly changing, DDoS mitigation is constantly eroded – opening DDoS mitigation vulnerabilities (i.e. the DDoS vulnerability gap) – through which DDoS attacks can penetrate the network and take services down. Based on hundreds of tests, the average DDoS mitigation solution has an initial 48% DDoS mitigation gap.
DDoS vulnerabilities are not design flaws, but rather an inherent design limitation of DDoS mitigation solutions.
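One way to make the erosion described above measurable is to compare what the mitigation policy is configured to protect (prefixes and per-address services) against what the network currently exposes, and report the uncovered share as a coverage gap. The following is an added example, not MazeBolt code and not RADAR; all addresses, services and policy entries are constructed sample data.

```python
import ipaddress

# Constructed sample policy: prefixes the mitigation service scrubs, and the
# services it has per-address rules for (hypothetical data, not from the page).
PROTECTED_PREFIXES = ["198.51.100.0/25", "203.0.113.0/24"]
PROTECTED_SERVICES = {
    "198.51.100.10": {"tcp/443"},
    "203.0.113.5": {"tcp/443", "udp/53"},
}

# Constructed snapshot of what the network exposes today, after some changes:
# a new service on a covered host, and a host outside the protected prefixes.
CURRENT_EXPOSED = {
    "198.51.100.10": {"tcp/443", "tcp/8443"},
    "198.51.100.200": {"tcp/443"},
    "203.0.113.5": {"tcp/443", "udp/53"},
}


def coverage_gap(protected_prefixes, protected_services, exposed):
    """Return (gap_percent, findings) for exposed services the policy does not cover.

    A service is uncovered if its address lies outside every protected prefix,
    or if the address is in scope but the policy has no rule for that service.
    """
    nets = [ipaddress.ip_network(p) for p in protected_prefixes]
    findings = []
    total = uncovered = 0
    for ip, services in exposed.items():
        addr = ipaddress.ip_address(ip)
        in_scope = any(addr in net for net in nets)
        for svc in sorted(services):
            total += 1
            if not in_scope:
                uncovered += 1
                findings.append((ip, svc, "address outside protected prefixes"))
            elif svc not in protected_services.get(ip, set()):
                uncovered += 1
                findings.append((ip, svc, "service not in mitigation policy"))
    gap = round(100.0 * uncovered / total, 1) if total else 0.0
    return gap, findings


if __name__ == "__main__":
    gap, findings = coverage_gap(PROTECTED_PREFIXES, PROTECTED_SERVICES, CURRENT_EXPOSED)
    print(f"DDoS mitigation coverage gap: {gap}%")
    for ip, svc, reason in findings:
        print(f"  {ip} {svc}: {reason}")
```

Re-running the comparison whenever the asset inventory changes turns the gap from a twice-a-year snapshot into a continuously tracked number.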
Complementing DDoS Mitigation Solutions
The first step towards closing your DDoS mitigation gaps is identifying them, which is done by testing your DDoS mitigation. The problem is that traditional DDoS testing (sometimes referred to as penetration testing) is extremely disruptive and usually causes downtime or significant service disruption to ongoing operations. This is why traditional DDoS penetration testing can be done on production environments only during maintenance windows, on average once or twice a year for short 3 – 4 hour periods each, which provide only a limited and temporary understanding of your DDoS vulnerability gap. Companies performing traditional DDoS penetration testing twice a year are able to reduce their DDoS vulnerability gap from the initial average of 48% to 32%, effectively leaving them in a constant state of vulnerability to DDoS attacks. (See more in the State of DDoS Protection Report.)
Eliminating the DDoS Vulnerability Gap
The only way to ensure your DDoS mitigation is configured properly is by gaining continuous visibility of your DDoS vulnerability gap. This visibility compensates for the inherent shortcomings of DDoS mitigation and allows your DDoS mitigation vendor to fix the ongoing erosion in your DDoS mitigation posture, securing the integrity of your online services.
This is exactly what the next generation of DDoS penetration testing, RADAR testing, does.
MazeBolt RADAR® testing is always-on, constantly testing, and non-disruptive so that it can test against your production environment with ZERO impact on ongoing operations. Organizations now have full attack surface coverage and the ability to eliminate the DDoS vulnerability gap.