If you’re one of the few organizations or website owners that don’t know first-hand how serious a threat DDoS attacks are becoming, then take it from cybersecurity professionals. As the problem continues to spiral, cybersecurity professionals as well as website owners and perhaps even governments, are looking to ISPs (Internet Service Providers) to offer better protection. However, with the size, volume, frequency and complexity of DDoS attacks constantly evolving and the immediacy of the threat for any website on the Internet, is counting on ISPs to up their mitigation game really the best strategy?
Major Internet outage hits New Zealand
In September 2021, parts of New Zealand were cut off from the digital world after Vocus - the country’s third-largest ISP was hit by an aggressive DDoS attack. It turns out that the outage was caused by a DDoS mitigation rule change, disrupting the service to a range of Vocus customers. Vocus' response to the cyber onslaught may have had a knock-on effect resulting in the 30-minute outage across the country, including the bigger cities of Auckland, Wellington and Christchurch.
In the aftermath of the attack, Vocus needed to work closely with its specialist DDoS protection vendor to understand how and why this attack occurred. This case further serves to highlight that ISPs aren’t always sufficiently equipped with the necessary skills and experience to combat complex cyber-attacks and that customers when deciding on an ISP should make sure they know what they’re letting themselves in for when it comes to the level of DDoS protection being offered.
ISP Protection and Limitations
If there’s one thing nearly all security professionals and network operators can agree on, it’s that they’re looking to ISPs to provide better DDoS protection, namely blocking attack traffic before it reaches the networks of targeted websites. Were ISPs able to provide this kind of protection as a managed service then that would be great - however, the built-in DDoS protection currently provided by ISPs is incomplete at best. While ISPs are equipped with appliances and sufficient bandwidth, they can offer effective protection against volumetric attacks, but advanced attacks such as Bit-and-Piece Attacks crafted specifically to take down an ISP or application-layer attacks are often stumbling blocks.
Blocking traffic indiscriminately cuts off legitimate users
ISPs are good at identifying malicious traffic, but their downfall lies in dealing with that traffic. An ISP’s attempt to block malicious traffic often results in a bottleneck that drops legitimate traffic as well resulting in a DDoS-like environment in which a website’s users can’t reach the website anyway.
Traditional ISPs do not protect against protocol and other advanced DDoS attacks
Not only is a basic ISP service almost completely ineffective at protecting against protocol attacks, and advanced DDoS attacks such as pulse-wave attacks and multi-vector attacks, it is also inept at detecting DDoS attacks made up of seemingly legitimate requests such as the Slowloris and RUDY (R U Dead Yet?).
Cybersecurity is not always an ISP’s core business
DDoS attacks have marked characteristics, and formulating ways to nullify their impact on customers requires the specialized expertise of an accomplished MSSP (Managed Security Service Provider) or security solution provider. A good MSSP will stay up to date with new attack vectors and trends and have an arsenal of tools at their disposal to stay on top of today’s ever-changing threat landscape.
Professional DDoS Protection
Specialist Security Solution Providers and MSSPs are in the best position to block DDoS traffic since they can filter it out closer to the source and at a much larger scale, avoiding the need to blackhole attacks or divert them to a third-party cloud for scrubbing. A Managed DDoS service makes a lot of sense for ISPs especially since they may not always be equipped with the skills and know-how to handle complex attacks.
Given that the current landscape of increased Internet dependence is driven by the ongoing pandemic and directly affects the vulnerability of the telecommunications industry, there has never been a more pressing need for ISPs to look into rolling out DDoS protection measures.
Recognising today’s challenges and how ISPs have frequently fallen victim to cyber-attacks over the past year, Nexusguard offers ISPs a cost-effective alternative to traditional appliance vendors under its Transformational Alliance Program (TAP100).
For ISPs looking to launch a managed DDoS protection service, the program comes with over 10 pre-productized managed security services designed to protect customers across a wide range of industries with specific business and technical requirements.
Furthermore, partners can rely on Nexusguard’s experienced SOC that provides help and support with attack handling, incident management, reviewing security policies, round-the-clock monitoring of new attack vectors, escalations, and more
For more information on Nexusguard’s TAP100 program, visit https://www.nexusguard.com/tap100.