DDoS attacks against businesses and Internet Service Providers are one of the major security challenges of the 2010s. Recent surveys have shown that nearly half of all organizations have undergone at least one attack, that 75% of those targeted have suffered multiple DDoS attempts, and that 10% of them are attacked every week. The average cost per attack, in IT expense and lost revenue combined, is estimated at $40,000 per hour, according to research done by one major content delivery network platform.
In the wake of this ever-increasing threat to businesses, the security research firm NSS Labs has tested six leading DDoS protection systems on three important metrics: performance, effectiveness and cost of ownership. The full results are only available to the company’s clients, but there are some interesting insights into the subject of DDoS protection revealed by the summary of the NSS Labs report.
Network Applications Are a Key Pressure Point
The research confirmed what many IT professionals already believed to be true: more DDoS attacks than ever are targeting applications located inside enterprise networks, and those application-layer targets are harder to defend than the infrastructure hit by traditional protocol and volumetric attacks. Protocol attacks exhaust state and processing capacity on servers, load balancers and firewalls through methods such as fragmented-packet attacks and SYN floods, while volumetric attacks saturate the target's bandwidth, mostly with floods of spoofed-source packets.
Application-layer attacks are slower, lower-rate floods of traffic that look legitimate: repeated, continuous GET/POST requests aimed at expensive parts of the application, or requests that exploit weaknesses in the server software. Because they stay well below the packet and bandwidth rates of a classic flood, they don't necessarily trigger DDoS protection designed for the more traditional types of attack. The NSS report found that the six systems tested blocked protocol and volumetric DDoS attacks at rates around 95%, but were only 80% effective against application attacks.
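To make the detection gap concrete, here is an added example (not from the NSS Labs report or any tested product) that runs two heuristics over a constructed web-server log. The log lines, IP addresses, endpoint names and thresholds are all invented for the illustration. A per-source request-rate ceiling of the kind that stops a flood catches the high-rate source but never sees the low-and-slow POST /login attacker, while a heuristic that looks at what a source asks for, rather than how fast, flags the slow attacker and leaves the genuine visitor alone.

```python
"""Rate-based vs application-aware DDoS heuristics over a constructed web log.

Added illustration only: the log lines, addresses, endpoints and thresholds are
made up for this example and do not come from the NSS Labs test or any vendor.
"""
from collections import defaultdict

# Endpoints assumed (hypothetically) to cost the origin real work, e.g. a
# database query or a password hash, as opposed to serving a static file.
EXPENSIVE_PATHS = {"/search", "/login", "/api/report"}


def parse_line(line):
    """Parse a constructed log line: '<epoch_seconds> <src_ip> <method> <path> <status>'."""
    ts, ip, method, path, status = line.split()
    return {"ts": float(ts), "ip": ip, "method": method,
            "path": path.split("?", 1)[0], "status": int(status)}


def make_log():
    """Build the constructed sample log: one real visitor, one flood, one slow attacker."""
    lines = []
    # Legitimate visitor: a page load (HTML, CSS, image), one search, one script, over ~30 s.
    session = [("GET", "/index.html"), ("GET", "/style.css"), ("GET", "/logo.png"),
               ("GET", "/search?q=ddos"), ("GET", "/results.js")]
    for t, (method, path) in enumerate(session):
        lines.append(f"{t * 6} 203.0.113.10 {method} {path} 200")
    # Flood-style source: 500 requests for one static file inside a single second.
    for i in range(500):
        lines.append(f"{0.001 * i:.3f} 198.51.100.7 GET /index.html 200")
    # Low-and-slow application attack: one POST /login every 2 s for a minute.
    # Only 0.5 requests per second, but every request forces a password check.
    for i in range(30):
        lines.append(f"{2 * i} 192.0.2.55 POST /login 401")
    return lines


def rate_detector(events, per_second_limit=100):
    """Flag sources exceeding per_second_limit requests in any one-second bucket.

    This is the shape of a classic flood threshold; it keys on volume alone.
    """
    buckets = defaultdict(int)
    for e in events:
        buckets[(e["ip"], int(e["ts"]))] += 1
    return {ip for (ip, _), n in buckets.items() if n > per_second_limit}


def application_detector(events, min_requests=20, expensive_ratio=0.9):
    """Flag sources whose traffic is almost entirely expensive dynamic requests.

    A browser session mixes a few expensive calls with cheap static fetches; a
    script hammering one costly endpoint does not, however polite its rate.
    """
    totals = defaultdict(int)
    expensive = defaultdict(int)
    for e in events:
        totals[e["ip"]] += 1
        if e["path"] in EXPENSIVE_PATHS:
            expensive[e["ip"]] += 1
    return {ip for ip, n in totals.items()
            if n >= min_requests and expensive[ip] / n >= expensive_ratio}


def analyze(lines=None):
    """Run both detectors over the given (or constructed) log and return who each flags."""
    if lines is None:
        lines = make_log()
    events = [parse_line(line) for line in lines]
    return {"rate_only": rate_detector(events),
            "application": application_detector(events)}


if __name__ == "__main__":
    result = analyze()
    print("rate detector flagged:       ", sorted(result["rate_only"]))
    print("application detector flagged:", sorted(result["application"]))
```

The two detectors are complementary rather than competing: the rate ceiling sees 500 requests in one second and fires, but the slow attacker's 30 requests over a minute never exceed one per second, and only the content-aware heuristic notices that every one of them hits an expensive endpoint. Real products use far richer signals (sessions, cookies, challenge responses), but the gap between the two views is the reason the application-layer block rates in the test lag the protocol and volumetric ones.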
Effectiveness, Performance Impact and Total Cost of Ownership
The six products differed enormously in overall effectiveness: the best blocked 90.4% of all attacks in the test, while the lowest-scoring product stopped only 48% of all forms of DDoS attack.
Inspecting and scrubbing traffic costs the mitigation device resources, so a protection system can itself reduce the throughput of the network it protects. As measured by NSS Labs, the average drop in network performance under attack across the six tested solutions was 11%; the best product lost only 0.4%, while the worst saw a 40.5% loss in overall network performance.
The price of the tested DDoS protection systems varied considerably as well. The average total cost of ownership was measured at $21 per protected Mbps, but ranged from a low of $4 to a high of $84 per Mbps, depending on the solution.
Who Did Best?
Since this was a private test with results available only to NSS Labs clients, the company didn't publish individual results for the six DDoS protection products it tested, which come from Arbor Networks, Corero, F5, Fortinet, Huawei and Radware. Companies that don't wish to own their own hardware can look into cloud-based services from providers such as Incapsula and Cloudflare, while Psychz offers both on-premises and remote DDoS protection for organizations that want to combine the two.
However, three of the products received a "Recommended" rating, and Corero, Fortinet and Radware have each publicly announced that they earned it. By elimination, that also identifies the three products that did not receive the recommendation.