DDoS mitigation is presenting new opportunities for B2B service providers thanks to the EU's NIS Directive

Awareness of DDoS attacks and their potentially devastating effects is rising in businesses across the globe, with 83% of organisations surveyed by security vendor Corero saying they’re more concerned about DDoS attacks in 2018, largely because of new challenges such as unsecured IoT devices.
In the Digital Economy, businesses are becoming ever more vulnerable to the effects of DDoS attacks as they place more core services in the Cloud and seek to transact online. At the same time, due to the always-on nature of the Digital Economy, they cannot afford or tolerate outages. A DDoS attack may mean a business cannot function or is unable to provide services to its customers – at least at the expected level of service.
Already in H1 2018 we’ve seen:

  • The discovery of the “JenX” DDoS-for-hire thingbot, which allows you to hire a 300Gb/s DDoS attack for $20.
  • A world record attack on GitHub, which F5 reported peaked at 1.3Tbit/s.
  • A US service provider suffering a 1.7Tbit/s attack the week after, according to Arbor.
  • Kaspersky reporting that in Q1 2018 the longest DDoS attack they recorded lasted 297 hours (12 days).
  • Protonmail reporting a sustained 500Gbit/s attack that caused its DDoS mitigation provider Radware to have to make adjustments to deal with it.
  • Verisign revealing that there was a 53% increase in the number of attacks, as well as a 47% increase in the peak size of attacks, compared to Q4 2017.
  • A co-ordinated attack against CSPs providing services to Blizzard Entertainment affecting players of Overwatch, Heroes of the Storm, World of Warcraft and others, with the impact felt for an entire weekend.
  • Ubisoft announcing it would compensate players of For Honor, who were impacted by a DDoS attack which affected server latency and connectivity. Other Ubisoft games were also affected.
  • A DDoS attack on Danish rail company DSB that made it impossible for customers to purchase tickets. This followed an attack on Swedish Railways in October 2017 that took out their ‘train ordering system’ (ie the system that schedules trains on the network) for two days.

According to Corero’s Sean Newman, attacks are not only becoming bigger but also, at the same time, more sophisticated. Such attacks demonstrate greater knowledge of the applications being targeted and how to disrupt them.
“Attacks are increasingly looking to overwhelm a specific resource, such as a VoIP server, and can be highly targeted and precise,” he says. Newman says Corero has been warning for years that smaller attacks were largely going unnoticed and untackled, with service providers and enterprises focusing on mitigating just the biggest attacks, while tolerating a certain level of anomalous and unbilled traffic in their networks. “DDoS isn’t just an intermittent problem, it’s continually sapping at organisations’ resources and core services,” says Newman. “Our customers experience 7 such attacks a day on average, 71% of which last less than 10 minutes and 96% are less than 5Gbit/s in size.” (See Corero’s DDoS Trends Reports.)
Awareness is now growing, however, that size is not everything when it comes to DDoS, and smaller attacks can be just as problematic as giant brute force attacks. “Identifying and tackling the big, obvious attacks can actually be easier than dealing with the smaller attacks,” says Newman. “Even seeing the smaller attacks requires a different approach.”
Newman points out that anomalous traffic and small DDoS attacks consume resources – meaning that CSPs need to upgrade networks to prevent congestion, even though a proportion of traffic is unbilled and anomalous. This traffic acts like fur in the pipes, meaning that less bandwidth is available for legitimate traffic and requiring CSPs to add more capacity earlier than necessary.
What does DDoS mean for B2B telecoms providers?
Some B2B service providers are already in the game of scrubbing traffic for their customers. CenturyLink, for example, bought Black Lotus back in 2015 and has deployed SOCs within all the regions it operates. Keeping its network secure has long been a key selling point.
For B2B service providers tackling certain key verticals, DDoS is potentially a big story to sell to the enterprises they serve – particularly those with latency-sensitive services (eg financial services, gaming companies etc) or ones that have a low tolerance for downtime of key services (eg financial services, healthcare, public sector). The need to have capabilities to manage smaller, more targeted attacks, and not just giant brute force attacks, is an important idea to take to customers.
According to Corero, the accelerating factor here is the implementation into law (10 May 2018) of the EU’s NIS Directive. This states that operators of essential services “must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies”. The NIS Regulations come not with a carrot but with a big stick: a fine of £17 million for those that are non-compliant. This extends the targets for this type of product into transport firms, public sector organisations, utilities (power, water, sewerage) and even to smart cities, with Corero’s research revealing that 51% of such organisations are potentially vulnerable to small and short duration DDoS attacks.