Downtime and Mitigation Gap

Downtime of IT Production systems

Has your organization ever experienced DOWNTIME?

Has this ever been displayed on the screen when customers tried to access services?

As the CTO, CIO, CISO, CSO or other Technology Officer, who has gone through this, you know how painful it is to bring the production systems back up after any downtime.

Primary causes of Downtime are:

System design errors or bugs: this is internal to the organization and is continuously addressed or taken care of by the design or dev-ops teams.

DoS (Denial of Services) or DDoS (Distributed Denial of Service) attacks: come with malicious intent and need preventive measures to ensure that downtime doesn’t occur because of DoS or DDoS attacks.

Downtime means a loss of revenue and a loss of customers for any organization that operates online.

DoS vs DDoS Attacks

What is a DoS attack?

DoS attacks are where a few compromised systems, are used to target a single “Internet facing” IT system (It can be servers, devices, services (HTTP/HTTPs), networks, applications), with the intent to make the victim IT services unavailable.

For Example: if a website has a DoS attack launched against it and the DoS attack is successful, that website will not be available for users to connect to.

What is a DDoS attack?

DDoS attacks are the same concept as DoS attacks, however, attack traffic originates from many different sources – potentially thousands or more.

These attacks are nastiest because they come from thousands of sources making it difficult to stop by simply blocking a single source. It is also very difficult to distinguish legitimate user traffic from attack traffic.

How DDoS Attackers Cause Downtime

Attackers Advantage - The Large "DDoS Attack Exposure Surface"!

There are thousands of potential DDoS vulnerabilities to exploit in any IT infrastructure. These vulnerabilities are referred to as “DDoS Mitigation Gaps”.

For example: With reference to Figure 1.0, if a company has ~100 IP addresses operating online then the attack surface would be 100 (IP addresses) x 100 (vectors) = 10,000. Hence in this case ~10,000 potential DDoS Mitigation Gaps for an attacker to exploit.

Production environments are continuously changing and the DDoS Mitigation Gap is continually expanding and contracting, based on factors like:

  • Adding/removing services
  • Updating DDoS mitigation policies
  • New and improved DDoS attack vectors
Vector_Smart_Object (50)

Preventing Downtime Caused by DDoS attacks

  1. Continually Identify DDoS mitigation Gaps before attackers target them.

Potential Solutions:
A / Human and Procedural handling - Red Team Testing
B / DDoS Vulnerability identification and elimination - DDoS RADAR™

  1. Continually Mitigate (Fix) all identified DDoS Mitigation Gaps.

Potential Solutions:
There are several excellent DDoS mitigation providers E.g. Arbor, AKAMAI, A10, F5, Radware, Reblaze, NeuStar and many more.

In order to prevent Downtime from DDoS attacks, you need to know where the DDoS Mitigation Gaps are.

Identifying DDoS Mitigation Gaps

There are 1000’s of potential DDoS Mitigation Gaps in all organizations whose business operations are online.
A single DDoS Mitigation Gap if not mitigated will result in Downtime when attacked by the right DDoS attack vector.
There are currently two options available to identify DDoS mitigation Gaps:

Vector_Smart_Object (53)

Red Team DDoS Testing (Traditional DDoS PT)

Traditional DDoS penetration testing simulates attacks in a controlled manner to test how you respond to a successful DDoS attack.

It typically needs a maintenance window (for expected downtime) of at least 3 hours to test the pre-decided systems. A platform to simulate the multiple DDoS attacks is used with a varied intensity of low, moderate and high rate packets. The spectrum of attack vectors covers HTTP/HTTPS, Application, DNS, IP Floods, UDP Floods, TCP Floods and many more.

Once the testing is complete, a comprehensive report is generated that guides where to improve the response team handling and procedural readiness. 

Any kind of Traditional DDoS PT (Penetration Testing/ PenTest) requires

  • Predefined attack surface coverage (maximum 5 IPs).
  • Maintenance window of at least 3 hours is required.
  • Systems are generally tested a maximum twice a year, as testing demands maintenance window
Vector_Smart_Object (54)

DDoS RADAR™

DDoS RADAR™ is the only automated & 24x7 ongoing DDoS Mitigation Gap Detection which is non-disruptive to IT production systems.

RADAR™ identifies an organization's entire DDoS attack exposure surface regularly with tens of thousands of attack simulations. RADAR™ generates reports for those responsible for closing the DDoS Mitigation Gap and friendly KPIs to manage the DDoS Mitigation Gap closing process. In short, RADAR™ advances the existing mitigation solution to reduce the DDoS mitigation gap exposure surface to as low as 2%.

DDoS RADAR™ advances your DDoS mitigation significantly by transforming the way you prevent downtime from DDoS attacks

  • Complete attack surface coverage, RADAR™ ensures all your assets (1000's of IPs) are protected against DDoS attacks.
  • The only automated and Continuous 24/7 DDoS Mitigation Gap detection.
  • The patented DDoS RADAR™ technology is Non-disruptive to ongoing production system operations

Red Team Vs. Mitigation Vs. RADAR™

Description
Very high chance of Downtime during attack YES 48% Chance NO
Testing frequency About twice a year N/A Continuous
DDoS attack vectors checked per target Less than 20 N/A More than 100
How many target IP's tested - Against all attack vectors Sample - Under 5 IP's N/A Complete - Over 1000 IP's
Vulnerability gap average 48% 48% Under 2%
Vulnerability reports Per test NO Continuous - Daily
Cost $ $$$ $$
Attack response N/A Reactive when an attacks happens Continuous before an attack happens
Detection of successful attacks Sample detection only - At time of test - time of test only Partial detection - during attack Full detection - Before an attack & continuous
Added costs for Red Team testing - On Demand YES N/A NO
ISO 27001:2013 - Certified Information Security Management System
Maze Bolt Receives Funding From European Union's Horizon 2020