Akamai Diversity

The Akamai Blog

The DDoS Paradox

According to the Department of Homeland Security, almost 50 US Financial Institutions have suffered more than 200 Distributed Denial of Service attacks since September 2012 . Because we protect the majority of world's biggest banks, asset management firms, and online brokers, Akamai is in the unique position of having witnessed and actively defended against many of these attacks, and can describe the evolution of attack targets as well as attack techniques. 
Over the past few months, we've seen attackers migrate towards two broad techniques:

  1. Request large objects (PDFs, image files, etc.)
  2. Attack non-cacheable pages (login pages, pages served by adwords, etc.)

Security professionals will be neither surprised nor impressed by these findings. Nor will they question that unprotected sites typically suffer increased response times or downtime when they are victim to these attacks. What might surprise them, however, is how the common responses to these threats is leading, in some cases, to increased latency in sites even when they are not under attack, and in some cases are leaving sites more likely to crash or suffer data exfiltration than they were before "preparedness steps" were taken.

The DDoS Paradox
The tendency to tighten rules and broaden inspections to the point of decreasing performance is what we have come to describe as the "DDoS Paradox". The logical thinking that leads to the paradox is as follows:

  1. CSO at Company ABC reads about attacks.
  2. CSO tightens and broadens rules on Web Application Firewall in order to better prepare for attacks.
  3. Tightened and broadened rules lead to increased inspection of incoming requests which slows down legitimate traffic and makes it easier for malicious traffic to flood and knock down the WAF.

The first outcome (slowing down legitimate traffic) is clearly bad for Company ABC, and good for the threat actors who are looking to cause widespread interruptions to economic activity. The second outcome (knocking down the WAF) is unfortunately good for threat actors who are trying to steal data. If they've launched an application layer DDoS attack that knocks down a firewall, they can then move in with a relatively simple SQLi or XSS attack in order to steal data or install malware on site visitors' PCs.  

For companies trying to protect their web assets, the DDoS Paradox presents a lose/lose situation. Fortunately, there are ways around the paradox. Interestingly, these options involve tightening and broadening WAF rules outside of the data center. In other words, tightening and broadening rules at the edge of the Internet is the best way to ensure that your tighter security measures do not inadvertently lead to deprecation in performance and/or an increased susceptibility to data theft.

Akamai's Kona Security Solutions do just that --- they provide inline, always on, and highly scalable DDoS and application layer defense at the edge of the internet, giving CSOs the ability to respond to attacks without suffering trade offs.


Dan Shugrue is a senior product marketing manager at Akamai.