Many companies that have protection against DDoS attacks believe they are now invincible. That is not entirely true, to say the least. Even if your protection worked once it was connected and has since repelled several DDoS attacks, there is no guarantee that it will also repel the attacks that may come today or tomorrow. If you are serious about reliably protecting your Internet resources from DDoS attacks, you should perform systematic checks that show whether the protection you have chosen is working right now.
Stress tests of your Internet resources are an effective tool for this purpose. They let you learn a lot of new and interesting things about the level of their protection:
- what can happen to your Internet resource in a real attack,
- whether the provider’s specialists are ready to adjust their protection to the specifics of your resources and your requirements,
- how the support of the anti-DDoS services you use works,
- what happens if the attack starts on Friday night or Sunday morning, and whether someone from the external provider will help you,
- whether you have access to the security settings and what you can do with them,
- what the actual, rather than the stated, capacity of your protection service’s filtering system is,

and so on.
It is especially important to check DDoS protection if you purchase anti-DDoS services not directly from your provider but, for example, from its partner. Companies that do not specialize in providing security services sell access to the web interface of some solution without really understanding how that solution works. This is the cause of almost all the problems that can occur when it comes to protection.
That said, there is nothing wrong with an Internet provider reselling its partner’s protection services. What matters is understanding the quality and extent of the support you will receive in case of an attack: whether you have a direct connection to the anti-DDoS service provider and its support service, whether the direct seller of the anti-DDoS services has its own DDoS protection specialists, and so on. It often happens that the protection exists only on paper, and in reality it either does not work at all or turns out to be ineffective.
The recommendation in this case is simple: first of all, as the customer of anti-DDoS services, you need to clearly understand what you are protecting and how. To do this, you need to:
- Create a list of resources that need to be protected: websites, web applications, servers, IP addresses and the services associated with them, networks, etc.
- Understand what exactly is on these resources or what runs on them.
- Determine what kind of protection these resources need against DDoS attacks:
  - whether it is enough to filter packets at the L3 and L4 levels, or whether traffic analysis at the web application (L7) level is required,
  - which resources can be protected by disclosing their SSL private keys and which cannot. In particular, it is not possible to disclose the keys of applications that exchange confidential (including personal) data, e.g. banking, processing and other applications that must comply with the requirements of the payment system standard PCI DSS.
By creating a list of resources and protection requirements, you can greatly simplify both stress testing and interaction with an anti-DDoS service provider and its partner.
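
One way to record the inventory described above and derive, for each resource, the filtering level and whether its SSL private key may be disclosed. This is an added example, not part of the original article; the field names, the profile labels, the sample hosts and the rule that non-web resources need only L3/L4 filtering are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resource:
    name: str                            # site, server, IP address or network
    web_app: bool                        # website/web application, so L7 analysis applies
    tls: bool = False                    # served over SSL/TLS
    confidential: Optional[bool] = None  # confidential or personal data; None = not assessed
    pci_dss: bool = False                # must comply with PCI DSS


def classify(r: Resource) -> tuple:
    """Return (filtering level, whether the SSL private key may be disclosed)."""
    layer = "L7" if r.web_app else "L3/L4"
    if not (r.web_app and r.tls):
        keys = "n/a"        # no encrypted web traffic for the provider to analyse
    elif r.pci_dss or r.confidential:
        keys = "forbidden"  # the key must stay with the owner
    elif r.confidential is None:
        keys = "review"     # fail closed until the data has been assessed
    else:
        keys = "allowed"
    return layer, keys


def build_requirements(inventory):
    """Group resource names by protection profile."""
    plan = defaultdict(list)
    for r in inventory:
        plan[classify(r)].append(r.name)
    return dict(plan)


# Constructed sample inventory (documentation-only names and addresses).
INVENTORY = [
    Resource("www.example.com", web_app=True, tls=True, confidential=False),
    Resource("pay.example.com", web_app=True, tls=True, confidential=True, pci_dss=True),
    Resource("portal.example.com", web_app=True, tls=True),  # data not yet assessed
    Resource("203.0.113.10 (DNS)", web_app=False),
    Resource("status.example.com", web_app=True, tls=False, confidential=False),
]

if __name__ == "__main__":
    for (layer, keys), names in sorted(build_requirements(INVENTORY).items()):
        print(f"{layer:5} key disclosure: {keys:9} -> {', '.join(names)}")
```

Entries that come out as `review` are the ones where the second step of the checklist has not been completed.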