Frequently Asked Questions

Find answers to the most common questions about DDoS and our solutions. If you can’t find what you’re looking for, ask one of our DDoS specialists!

Mitigation of DDoS Vulnerabilities

What exactly are DDoS vulnerabilities, and how do they affect my organization?

DDoS vulnerabilities are weaknesses or misconfigurations in your network infrastructure that can be exploited during a DDoS attack. These vulnerabilities allow attackers to overwhelm your systems with traffic, causing downtime and disrupting services. Identifying and addressing DDoS vulnerabilities is critical because even a brief outage can lead to significant financial loss, reputational damage, and operational disruption for your organization. 

How can an organization identify potential DDoS vulnerabilities in an existing network?

The best way to identify DDoS vulnerabilities is through continuous DDoS testing, which assesses your network for any weaknesses that could be exploited in an attack. Traditional DDoS protection solutions do not offer continuous DDoS testing; instead, they provide periodic assessments – typically, a couple of times a year. In contrast, MazeBolt’s RADAR platform performs non-disruptive DDoS simulations on live environments, helping to uncover DDoS vulnerabilities in your defense layers. This proactive approach allows you to identify and fix weak spots before they can be exploited by real attackers.  

Why do some organizations still experience DDoS attacks even with robust DDoS protection solutions in place?

Many organizations rely on static or outdated DDoS protections that may not adapt to evolving attack methods. Misconfigurations in DDoS defenses or gaps in coverage can leave your systems exposed. Additionally, without continuous DDoS testing, new vulnerabilities can emerge unnoticed. MazeBolt’s RADAR solution ensures continuous DDoS vulnerability management to keep your defenses strong and up to date, reducing the risk of an attack. 

What makes continuous DDoS vulnerability testing better than periodic red team assessments?

Periodic red team assessments: 

  • Require a maintenance window, i.e., involve downtime 
  • Do not cover the full attack surface, as that would take too long (and require too much downtime) 
  • Because testing typically takes place about once a year, vulnerabilities crop up between tests, as network changes are common and attackers find new ways to penetrate 

In other words, because periodic assessments leave gaps between tests, organizations are left vulnerable to the new DDoS vulnerabilities that arise. In contrast, continuous DDoS testing ensures that your network is regularly monitored for weaknesses and provides ongoing protection. MazeBolt’s RADAR platform works in real time to identify, report, and help remediate vulnerabilities, ensuring your organization is always prepared to defend against new and evolving DDoS threats. 

How does MazeBolt’s RADAR platform help in reducing DDoS vulnerabilities?

MazeBolt’s RADAR platform runs thousands of non-disruptive attack simulations, finding weaknesses across all defense layers. By continuously monitoring and updating your DDoS protections, RADAR ensures that your organization remains resilient to DDoS attacks, reducing the likelihood of downtime and service disruption. 

Understanding DDoS Attacks

What is a DDoS Attack?

A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the regular flow of traffic to a specific server, service, or network by inundating the target or its surrounding infrastructure with excessive Internet traffic. DDoS attacks draw their traffic from numerous compromised computer systems, which can include traditional computers as well as other connected resources such as Internet of Things (IoT) devices. 

At a conceptual level, a DDoS attack resembles an unexpected traffic jam that clogs a highway, preventing regular traffic from reaching its destination. 

One of the primary challenges in identifying a DDoS attack is that its symptoms are familiar. Many of the indicators closely resemble what regular technology users experience anyway: sluggish upload or download speeds, websites becoming temporarily unavailable, intermittent internet connectivity, unusual content or media, or an upsurge in spam. Additionally, the duration and intensity of a DDoS attack can vary significantly, from a few hours to several weeks. The period during which the service is unavailable is referred to as downtime. 

DDoS attacks are executed through networks comprising interconnected, Internet-enabled machines. These networks encompass computers and various devices (including Internet of Things devices) that have been compromised by malware, enabling remote control by an attacker. These individual compromised devices are termed “bots” or “zombies,” while a collection of such bots forms a “botnet.” Once a botnet is established, the attacker can orchestrate an assault by issuing remote commands to each bot within the network. 

Upon targeting a victim’s server or network, each bot within the botnet sends requests to the target’s specific IP address. This onslaught of requests has the potential to overwhelm the server or network, resulting in a denial of service for legitimate traffic. The intricacy arises from the fact that each bot in the botnet is a genuine internet-connected device. Thus, distinguishing between the malicious attack traffic and the normal traffic becomes a complex task. 

How do DDoS attacks target the critical layers of a website's infrastructure?

Distributed Denial of Service (DDoS) attacks aim to disrupt the normal functioning of a website by overwhelming it with a flood of internet traffic. These attacks target various critical levels of a website’s infrastructure, exploiting vulnerabilities in different components to render the website inaccessible to legitimate users. Here’s how DDoS attacks target these critical levels: 

  • Network Layer (Layer 3) – At the network layer, DDoS attacks, such as IP/ICMP floods, aim to consume the bandwidth available to the target network. By sending massive amounts of data packets to the network, attackers can saturate the bandwidth, causing legitimate requests to be dropped or significantly delayed. This level of attack can prevent access to websites hosted within the network. 
  • Transport Layer (Layer 4) – DDoS attacks at the transport layer, such as SYN floods, exploit the TCP handshake process. Attackers send a flood of TCP SYN packets with spoofed IP addresses to the server, which then allocates resources and waits for an acknowledgment that never comes. This can exhaust the server’s resources, making it unable to process legitimate requests. 
  • Application Layer (Layer 7) – Application layer attacks, such as HTTP floods, directly target the web application itself. These attacks mimic legitimate requests but are sent in such high volumes that the web servers or application resources (such as CPU and memory) become overwhelmed. Since these attacks mimic normal traffic, they can be harder to detect and mitigate. They can target specific website features, such as search functions or login pages, to consume more server resources. 
  • Infrastructure Components – DDoS attacks can also target specific infrastructure components critical to the website’s operation, including: 

Component                          Impact of DDoS Attack
DNS Services                       By targeting DNS services with a flood of requests, attackers can prevent the resolution of domain names into IP addresses, making the website inaccessible even if the web servers are operational.
Load Balancers                     Overwhelming load balancers can prevent them from distributing traffic efficiently, causing service degradation or total failure.
Data Centers and ISP Connectivity  Attacking the infrastructure hosting the website or its connectivity to the Internet can isolate the website from its users.
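As an added illustration (not MazeBolt code) of how the three layers above show up in traffic, the following Python classifies a constructed sample of packet and request records by the symptom each layer produces: raw ICMP volume, SYNs never followed by an ACK, and one client hammering an expensive endpoint. The thresholds, addresses and record format are assumptions made for the example.

```python
from collections import Counter

# Constructed sample traffic (not a real capture): one dict per packet or request.
# "flags" holds TCP flags seen from that source; "path" is the HTTP request path.
SAMPLE = (
    [{"proto": "ICMP", "src": f"203.0.113.{i % 20}"} for i in range(400)]
    + [{"proto": "TCP", "src": f"198.51.100.{i % 50}", "flags": "S"} for i in range(300)]
    + [{"proto": "TCP", "src": "192.0.2.10", "flags": "S"},
       {"proto": "TCP", "src": "192.0.2.10", "flags": "A"}]      # one completed handshake
    + [{"proto": "HTTP", "src": "192.0.2.77", "path": "/search?q=x"} for _ in range(250)]
    + [{"proto": "HTTP", "src": f"192.0.2.{i}", "path": "/"} for i in range(1, 6)]
)


def flood_indicators(records, window_s=10, icmp_pps=20, halfopen_ratio=0.9, http_rps=20):
    """Return a dict naming each layer (L3/L4/L7) that shows flood symptoms in one
    observation window of window_s seconds. Thresholds are illustrative tunables."""
    icmp = 0
    syn, ack, http = Counter(), Counter(), Counter()
    for r in records:
        if r["proto"] == "ICMP":
            icmp += 1
        elif r["proto"] == "TCP":
            flags = r.get("flags", "")
            if "S" in flags and "A" not in flags:
                syn[r["src"]] += 1          # new connection attempt
            elif "A" in flags:
                ack[r["src"]] += 1          # source completed (or continued) a handshake
        elif r["proto"] == "HTTP":
            http[r["src"]] += 1

    findings = {}
    # Layer 3: raw packet volume, regardless of who sends it
    if icmp / window_s > icmp_pps:
        findings["L3"] = f"ICMP flood: {icmp / window_s:.0f} pps"
    # Layer 4: SYNs whose sources never send an ACK, i.e. half-open connections piling up
    total_syn = sum(syn.values())
    unanswered = sum(n for src, n in syn.items() if ack[src] == 0)
    if total_syn and unanswered / total_syn > halfopen_ratio:
        findings["L4"] = f"SYN flood: {unanswered}/{total_syn} SYNs never followed by an ACK"
    # Layer 7: well-formed requests, but one client hammering an expensive endpoint
    if http:
        top_src, top_n = http.most_common(1)[0]
        if top_n / window_s > http_rps:
            findings["L7"] = f"HTTP flood: {top_src} sent {top_n} requests in {window_s}s"
    return findings
```

The same records with the five ordinary HTTP requests alone trigger nothing, which is the point: each indicator keys on a ratio or rate, not on the mere presence of a packet type.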

RADAR Testing

Does MazeBolt RADAR testing require a maintenance window like traditional Red Team testing?

No. RADAR™ testing is based on a revolutionary, patented, non-disruptive DDoS testing technology that has ZERO impact on ongoing operations. It is an automated solution that runs on live production environments at pre-scheduled time periods. 

Does MazeBolt RADAR testing use real DDoS attacks?

Yes. RADAR testing automatically checks production environments against over 140 types of DDoS attack vectors, covering Layer 3 (network), Layer 4 (transport), and Layer 7 (application) attacks. 

Does MazeBolt RADAR testing eliminate the DDoS vulnerability gap?

RADAR testing assists organizations in identifying and continually eliminating their DDoS vulnerability gap – bringing it down to as little as 2%. 

What do your professional services offer?

MazeBolt’s professional services include some of the top DDoS experts worldwide. Many of them joined MazeBolt with backgrounds working for other leading DDoS mitigation companies. MazeBolt’s professional services include – 

  • High-touch customer support – MazeBolt’s professional services allow our customers to focus on their business, using our experience in DDoS mitigation to assist in liaising with DDoS mitigation vendors. We make closing vulnerabilities a painless process and are with you every step of the way. 
  • Deep domain experience – Our DDoS experts come from leading DDoS mitigation companies and have worked with over 100 enterprise organizations consulting on vendor remediation, real-time attack analysis, and deep DDoS architecture planning and implementation. 
  • The liaison with your DDoS mitigation company – Our team will guide your remediation efforts with your DDoS mitigation vendors. If required, our professional services can also help plan new architectural changes. 
  • Customized attack simulation vectors – If your organization requires specific attack vectors for proprietary reasons, MazeBolt can design and implement the required attack vectors and add them to your RADAR™ testing platform. 

How many DDoS tests does RADAR testing run in a year?

MazeBolt RADAR testing can run from 50,000 to hundreds of thousands of DDoS attack simulations a year. It can do this comfortably because it is a patented technology that is non-disruptive to IT operations. Business continuity is maintained during RADAR’s DDoS attack simulations. 

How does MazeBolt remediate the vulnerabilities it finds during testing?

MazeBolt provides remediation guidance & planning. Every DDoS vulnerability discovered by RADAR has all the data required to close the gap by fine-tuning relevant DDoS mitigation policies. For example, RADAR logs the volume of attack simulations sent and attack traffic received, together with other important reporting parameters. This information allows the DDoS mitigation vendor to implement an optimized policy change for each vulnerability discovered.  

How does MazeBolt RADAR’s non-disruptive testing work?

RADAR outlines the steps of DDoS mitigation, including identification, response, and routing, to differentiate between legitimate high-volume traffic and attacks.  

Despite the deployment of sophisticated mitigation solutions, companies typically face a 48% DDoS vulnerability level. This is primarily because these solutions are reactive rather than proactive. RADAR provides continuous, non-disruptive testing across all OSI layers to identify and help remediate DDoS vulnerabilities before an attack occurs. RADAR simulation reports are used by security teams and mitigation partners to remediate DDoS vulnerabilities.  

How often does RADAR provide reports about DDoS Vulnerabilities?

Two types of reporting are available: continuous and on-demand. A DDoS Vulnerabilities (or DDoS Mitigation Gaps) report can be generated at any time. MazeBolt refers to this as a Vendor Report. Additionally, MazeBolt’s customers receive a quarterly, executive report with high-level risk quantification and reduction recommendations. 

What debugging information do MazeBolt’s Vendor Reports include for the DDoS Mitigation Gaps identified?

RADAR Vendor Reports give a comprehensive picture of what took place during a particular DDoS attack simulation. For example, for each attack simulation, the vendor can see: 

  • Duration of DDoS attack simulation 
  • Rate of DDoS attack simulation 
  • Cumulative attack simulation traffic sent 
  • Cumulative attack simulation traffic received 
  • Target response monitoring during DDoS attack simulation 
  • Charts of traffic during the attack simulation 
  • Knowledge base article on attack simulation with a Packet Capture (PCAP) example of an attack 

Do MazeBolt RADAR customers have access to low-level DDoS vulnerability reporting?

Yes. The RADAR testing platform user interface has a wealth of information on all DDoS attack simulations, for example: 

  • Of 200,000 illegal packets sent in an IKE Phase 1 flood, 78% of the traffic penetrates the scrubbing center 
  • Of 5,673,562 kilobits sent in a URG-ACK-SYN flood, 83% of the traffic penetrates the on-premises DDoS mitigation devices 
  • During a GoldenEye HTTPS attack, 24,000 connections are successfully created that penetrate the CDN 

How long does each MazeBolt RADAR testing cycle run for?

  • The RADAR testing cycles (for each IP address or FQDN) normally run between 4 and 8 hours daily. 
  • RADAR testing automatically moves on to the next IP or FQDN address until a company’s entire DDoS attack surface has been tested against all currently known DDoS attack vectors. 

What are the sizes of the attacks that MazeBolt RADAR testing runs?

Generally speaking, DDoS attack simulations start at a default of 25 Mbps (for Layers 3 and 4) and work their way up to a maximum bandwidth of 500 Mbps. This may vary depending on the DDoS mitigation vendor’s SLA. 

What data from the network traffic does MazeBolt RADAR testing monitor?

RADAR testing reads only the metadata generated by RADAR testing nodes. All other traffic is ignored. Customers receive a full security specification of the metadata collection and the other security standards in effect. 

Does MazeBolt RADAR testing read personally identifiable information (PII)?

No. RADAR testing does not read PII. 

Does MazeBolt RADAR testing decrypt traffic?

This depends on the DDoS protections deployed: 

  • If RADAR testing is validating CDN-based protections, yes: the RADAR detector will require the ability to read the X-Forwarded-For header (or similar). 
  • For DDoS protections which do not traverse a CDN, no. For example, for the scrubbing center, ISP protections, and CPE, decryption is not required. 

What metadata from the packets is used by the MazeBolt RADAR testing detector?

MazeBolt identifies simulated attack traffic by filtering on the traffic’s source IPs. In a default configuration, we only capture traffic originating from MazeBolt source IPs. 

For CDN-based traffic, the RADAR detector switches to a mode in which it captures all traffic, identifies the true source IP from the X-Forwarded-For header, and sends out only the resulting statistics. It is important to note that we only send out traffic statistics, and no PII or any other data beyond TCP-related data; these statistics are sent out via our secure API, which uses two-factor authentication and only communicates with our data center. 
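The following Python is an added example (not MazeBolt’s detector) of the two filtering modes described here, plus the per-simulation penetration percentage quoted in the low-level reporting question above. The test-node address range, record format and sample capture are constructed assumptions; the point to note is that the X-Forwarded-For header is client-settable, so the detector trusts membership in the known test-source set, not the header itself.

```python
import ipaddress

# Hypothetical test-node source range (TEST-NET-3, constructed; not MazeBolt's real addresses).
TEST_SOURCES = [ipaddress.ip_network("203.0.113.0/28")]


def is_test_source(ip):
    """True when ip belongs to a known test node. Raises ValueError on a malformed address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEST_SOURCES)


def true_client_ip(record, cdn_mode):
    """Default mode: the packet's own source IP. CDN mode: the left-most X-Forwarded-For
    entry, which is the client as seen by the first proxy; later entries are CDN hops."""
    xff = record.get("headers", {}).get("X-Forwarded-For") if cdn_mode else None
    return xff.split(",")[0].strip() if xff else record["src"]


def summarize(records, cdn_mode=False):
    """Return only counters for traffic attributed to test nodes; payloads and headers
    stay on the detector and never form part of the output."""
    stats = {"packets": 0, "bytes": 0}
    for r in records:
        try:
            if is_test_source(true_client_ip(r, cdn_mode)):
                stats["packets"] += 1
                stats["bytes"] += r["bytes"]
        except ValueError:
            continue  # unparsable address in the header: skip it rather than stop the detector
    return stats


def penetration_pct(sent, received):
    """Share of simulated attack traffic that got past the mitigation layer, per simulation."""
    return 0.0 if sent == 0 else round(100.0 * min(received, sent) / sent, 1)


# Constructed capture behind a CDN edge (198.51.100.2); 192.0.2.x are ordinary users.
SAMPLE = [
    {"src": "203.0.113.5", "bytes": 1200, "headers": {}},                                  # direct test traffic
    {"src": "192.0.2.9", "bytes": 800, "headers": {}},                                     # real user, ignored
    {"src": "198.51.100.2", "bytes": 600, "headers": {"X-Forwarded-For": "203.0.113.7, 198.51.100.2"}},
    {"src": "198.51.100.2", "bytes": 500, "headers": {"X-Forwarded-For": "192.0.2.30"}},
    {"src": "198.51.100.2", "bytes": 300, "headers": {"X-Forwarded-For": "not-an-ip"}},  # malformed
]
```

In default mode only the first record counts; in CDN mode the third record is attributed to the test node behind the edge, and the malformed header is skipped rather than crashing the run.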

Can MazeBolt RADAR test more than one DDoS mitigation solution?

RADAR can test hybrid DDoS mitigation deployments simultaneously. 

Which targets in the customer network are tested against, to identify gaps in DDoS mitigation?

  • System users add the network to be validated by RADAR testing. These network IPs are then automatically and continuously verified for DDoS mitigation gaps. 
  • FQDNs or specific IPs can also be added manually to the system. 

What requirements are there for MazeBolt RADAR testing deployments?

RADAR testing requires a TAP (Mirror) Port immediately downstream from each DDoS mitigation solution. 

What parameters are needed to determine which TAP port a company requires?

  • The ongoing concurrent traffic rate 
  • Visibility of all traffic – toward the targets that are going to be tested

Red Team DDoS Testing

Does MazeBolt offer Red Team DDoS testing?

Yes, we do, but only for RADAR testing customers. We do not offer standalone Red Team DDoS testing. 

Haven’t found the answer you were looking for?