Blog

Although customers of Internet service providers (ISPs) purchase communication channels with a precisely defined bandwidth, they are often not charged for the entire port capacity, but only for the bandwidth actually consumed. For ISP providers, this method is known as burstable billing. Moreover, this actually consumed bandwidth is usually taken into account not according to the highest of the indicators recorded during traffic measurements, but by subtracting 5% of the maximum - according to the largest of 95% of the remaining values. This method is called the 95th percentile.

Providers of Anti-DDoS services often offer to connect protection using the asymmetric scheme: only incoming traffic is filtered — the one that goes to the protected resources, and outgoing traffic is not considered at all. In a number of other situations, they use a symmetrical scheme when not only incoming, but also outgoing traffic or service information about it is analyzed.

Mistakes in the organization of protection against the risks associated with DDoS attacks almost always lead to a reduction in the resilience of their Internet resources to these risks, and it is impossible to compensate for them solely by connecting anti-DDoS services, even when they are most advanced. The situation is often aggravated by the fact that the combination of several flaws increases their overall negative impact. In this article, we will analyze some of these flaws we encountered while building protection against DDoS risks at a rather large client managing several hundred websites.

It often happens that customers of DDoS protection services believe that just by connecting to these services they are fully protected. Unfortunately, it is not quite right: DDoS protection is not magic or a superpower, and in order for it to work effectively, the services themselves must have sufficient immunity against DDoS risks.