The Scale of DDoS: Choosing the Right DDoS Protection


As the name suggests, a Denial of Service attack is designed to deny access to some service, to legitimate users. This can be accomplished in a variety of different ways – some attacks take advantage of some bottleneck or flaw in an application to take it offline in a relatively inexpensive manner, while other attacks take advantage of the fact that the response to some traffic (like DNS) is larger than the request.

A Distributed Denial of Service (DDoS) attack takes the approach of using multiple different devices to perform an attack. Logically, ten computers can handle more connections than a single one, so they can disable it if they focus their efforts on it. The poor security of Internet of Things (IoT) devices and the growth of botnets have made this a popular (and cheap) option for attackers.

When considering how best to invest in DDoS protection, it’s important to know how big the threat is. Will an appliance with the ability to handle 100 Gigabytes of traffic per second (which certainly seems like a lot) be enough? In this piece, we explore some of the biggest DDoS attacks to date and what you should look for in an anti-DDoS system.

How Big is the DDoS Threat?

When trying to understand how significant a threat is, it’s useful to look at case studies. In cybersecurity, looking at the “worst case” is always a good idea. While an attack may be record-setting one year, the rapid pace of technology improvements means that it may be commonplace the next year or even the next month. So, let’s look at the biggest DDoS attack that has occurred to date.

Github provides what is probably the most famous content management system in existence. It allows individual teams to save the complete history of a project, tag releases, compare different versions, and synchronize data across devices. Github also has the dubious honor of being the target of the largest DDoS attack detected to date. In 2018, Github was the target of a DDoS that broke records in two different ways. First, it was the attack with the largest throughput of traffic in history: 1.1 Terabytes per second. (Does that 100 GB/s appliance still seem like a good idea?) Second, it had the greatest number of packets per second at 500 million packets per second.

So which of these stats is more impressive? According to the headlines, you’d think that the 1.1 Terabytes per second throughput is what makes this attack so significant. However, according to Imperva, the DDoS protection firm that detected the attack, the number of packets per second is the big deal.

The reason that this is such a big deal is that computers can only manage a certain number of connections at a time. Even an attack with a relatively low throughput can exceed this threshold and cause a DoS attack. (But probably won’t make the headlines.) This type of attack has become increasingly common and is likely the type of threat that the average organization will face.

What to Look for in Anti-DDoS

When shopping for DDoS protection, it’s important to look for the right features and functionality. Understanding how DDoS attacks operate can be crucial to picking out the important bits from the noise. While many features may be useful, there are a few that are important to look out for.

Quick Response. The ability to quickly detect an attack and launch a response is an important feature for a DDoS appliance. Every second that your organization’s network is offline means lost customers. The longer that an attack continues, the greater the impact and cost to your organization. Picking a DDoS appliance with quick reaction times is always a good choice.

Connection Thresholds. As described above, the number of connections that are included in an attack can often be more important than the volume of data used. Even attacks with small volumes can take down systems if their connection limits are reached. If your DDoS protection appliance can’t handle the volume of unique connections present in an attack, the bottleneck moves from your system to the anti-DDoS system. When looking for a DDoS protection system, checking the maximum connection count that it can handle is an important step.

Throughput. While the volume of an attack may not be the most significant metric for measuring an attack, it certainly is worth considering when shopping for an anti-DDoS solution (and attempting to avoid making the headlines for the wrong reason). A DDoS protection appliance needs to be able to process all of the data involved in an attack, make a decision whether each packet is benign or malicious, and decide whether or not to forward it to the target webserver. The longer that it takes to accomplish this, the more latency experienced by the users. A good DDoS appliance requires scrubbing capabilities capable of handling both normal and attack-level traffic throughputs.

Protecting Yourself from DDoS

One of the unanticipated impacts of IoT and cloud technology is an increase in the number and volume of enterprise-level DDoS attacks. Deploying DDoS protections is an essential part of any organization’s cybersecurity strategy, and it’s important to choose the right solution. The response speed, number of potential connections, and maximum throughput are vital considerations when shopping for a potential DDoS protection solution.