Q&A with Matthew Andriani, Global DDoS Expert

There are many DDoS mitigation solutions in the market today. There are also quite a few options for DDoS testing. However, it might surprise security teams to learn that even with the combination of the latest solutions in place, they might not have as secure protection against DDoS attacks as they thought. In fact, even with these testing solutions, more than 99% of their DDoS attack surface has never been evaluated for DDoS vulnerabilities.

• How come there are still so many successful attacks, and could your enterprise be successfully attacked?
• How many DDoS vulnerabilities have been identified and remediated in your environment?
• As a security manager, what do you and your teams need to know to keep your enterprises safe from DDoS attacks?

To better understand the DDoS vulnerability challenge, we asked global DDoS expert and CEO of MazeBolt, Matthew Andriani, for his insights.

Q: You say that DDoS mitigation providers aren’t enough anymore. Why not?

Matthew: From the moment of deployment, the level of DDoS protection degrades as the attack surface changes. The digital footprint of major enterprises is very dynamic and growing; this creates a large attack surface where an attacker can potentially take your organization down through a DDoS attack. Currently, any mitigation system deployed in an enterprise is done with little or no knowledge of DDoS vulnerabilities on the attack surface. The reality is that organizations and their vendors are completely blind to their DDoS mitigation effectiveness and their inherent vulnerabilities.

Q: You say that organizations and their DDoS mitigation vendors are completely blind to their attack surface, what do you mean by that?

Matthew:  I mean over 99% blind. I know that’s a bold statement, but it is what it is. Each organization, for every external public-facing service, has around 150 potential DDoS attacks which could be launched against each of their services. Assuming an organization has just 50 IPs or FQDNs, that’s 7,500 potential attack points for an attacker to exploit and take you down. You only need one vulnerability to be attacked for business continuity to stop. Currently, you have no data to know if attacked that your DDoS protections would work. That’s why attackers are so successful.

Q: Are you saying that DDoS mitigation vendors cannot provide enterprises data on their DDoS vulnerabilities at all?

Matthew: Yes. I encourage any enterprise security manager to go and ask their DDoS mitigation vendor or vendors to disclose all known vulnerabilities for their specific production environment currently being protected. As a bonus, I would ask what measures are in place to identify and remediate all DDoS vulnerabilities for their specific production environment. Then ask to see such a report for the past 12 months.

Q: You sound very confident that the vendor won’t have such vulnerability information.

Matthew: Yes, I am. Because if that information existed, enterprises would not have a successful DDoS attack.

Q: Do you think the DDoS mitigation vendor doesn’t supply any vulnerability information?

Matthew: Correct, not because they don’t want to, but because they cannot. At best, a DDoS mitigation vendor will show logs of attacks that have been blocked, which is meaningless when it comes to enterprises’ existing DDoS vulnerability level. Anyone looking at another area of cyber, for example, at firewalls, understands that “blocked” logs are generated daily and at volume and have no bearing on vulnerability level.

“Assuming an organization has just 50 IPs or FQDNs, that’s 7,500 potential attack points for an attacker to exploit and take you down. You only need one vulnerability to be attacked for business continuity to stop.”

– Matthew Andriani, global DDoS expert and CEO of MazeBolt

Q: You make it sound that DDoS mitigation vendors are ineffective at mitigating DDoS attacks.

Matthew: That’s not the correct takeaway. Most top DDoS mitigation vendors are effective at mitigating DDoS attacks, but only the attacks that are identified automatically by the mitigation platforms and then blocked. However, when an attack is not identified automatically, enterprises have damaging downtime.

Q: How is that possible? I know many enterprises invest in testing their DDoS defenses once or twice a year; why do organizations do that?

Matthew: That’s true. Enterprises do red team DDoS testing. This one-off type of testing cannot assess the vulnerability level of an environment. Essentially, you are training your team’s ability to handle downtime from a DDoS attack. You can maybe cover 25 tests per maintenance session, that’s less than 0.4% of the attack surface assuming you have a 50 IP network only. It is meaningless for DDoS vulnerability understanding.

Q: How likely is it that an enterprise’s network has DDoS vulnerabilities that need to be addressed?

Matthew: It’s almost a certainty. From a decade of evaluating DDoS protection, we have yet to see an environment without vulnerabilities. The vast majority of the environments we have evaluated have anywhere between a 30% and 70% vulnerability level. Think of an enterprise’s attack surface to get a rough idea of how many vulnerabilities a typical enterprise may have.

Q: What about the different DDoS testing options available?

Matthew: You have many testing options available; they are mostly very disruptive with less than 1% of attack surface coverage. Your attack surface constantly changes, it is important to seek out testing options that can test the thousands of potential attack points on your attack surface. It is also important that this testing happens frequently; daily or weekly.

Q: How can an enterprise best maximize the effectiveness of its DDoS security investment?

Matthew: First, use a tool that is able to provide full attack surface coverage by automatically and continuously observing live production environments and testing every attack vector in a controlled manner so as not to disrupt business operations. Second, receive details of your DDoS exposure and recommendations for remediation that can be shared with your mitigation vendor. Lastly, a retest is critical to validate that the remediation was performed completely and correctly.