Note when using Anti DDoS solutions from ISPs

Latest Update: 20/10/2023


Many people assume that relying on their Internet service provider (ISP) is an effective way to fight DDoS. It is a bit like going to a famous seafood restaurant to order… beef: possible, but not what the place is built for. This article looks at the complexity and volume of today's DDoS attacks and explains why businesses should think carefully before depending on an ISP's anti-DDoS solution.

Why do ISPs also have Anti-DDoS solutions?

ISPs have good reasons to offer DDoS protection to their customers. Every attack they mitigate successfully makes their security service better known, which helps them win customers and charge higher service fees, and some of that extra revenue can then be invested in better anti-DDoS equipment. This is a self-reinforcing cycle.

That cycle is a simplified picture of how things should work. In practice the reality is often very different, and it is hard for an ISP to provide the best security solution for its users: anti-DDoS services do bring in revenue, as noted above, but network security is not an ISP's core expertise.

Are DDoS attacks all the same?

If every attacker in the world used the same kind of DDoS attack, defence would be easy: a single anti-DDoS solution would protect everyone. In reality there are many approaches, attack types and attack engines (volumetric floods, protocol attacks, application-layer floods), so there are also many different kinds of DDoS protection.

So what is the difference between an ISP-based solution and a cloud-based anti-DDoS firewall? The simplest comparison is a basic home burglar alarm versus a professional security system that calls 911 the moment an intruder is detected. A cloud-based DDoS protection service is built to absorb the largest and most sophisticated attacks, while ISPs themselves are often easy targets for the very attacks they claim to withstand.

Is ISP’s Anti DDoS solution really effective?

An ISP usually cannot build a filter tailored to a customer's web or mobile application. Its protection therefore cannot tell plain HTTP from HTTPS, cannot judge what a normal request rate is for that application, and has no idea what legitimate user behaviour inside the app looks like.

In addition, without a proxy-based WAF in front of the application, legitimate users are blocked along with the attackers while mitigation is in progress.

Many organizations now apply strict security requirements, and a DDoS protection service that cannot distinguish between these protocols does not meet them. For those organizations a cloud-based WAF is the more appropriate choice.

Does the ISP have a dedicated DDoS Protection solution?

Organizations can suffer unexpected losses when an ISP cannot cope with a large DDoS attack. Even if the ISP's solution is robust enough to prevent an outage, latency becomes a problem, because much of the ISP's infrastructure is busy absorbing the attack in real time. Capacity spent defending against the attack cannot serve legitimate users at the same time, so the ISP is forced into trade-offs.

Large-scale DDoS attacks overwhelm an ISP's on-premise DDoS protection

The ISP's DDoS protection monitors and analyses traffic to detect signs of DDoS activity. It is deployed at a single point: the link between the victim and the ISP. That works for small and medium-sized attacks, but for larger or more complex ones a single-point design becomes a bottleneck, and the attacker only has to exhaust the memory and processing capacity of that one device to get past it.

Most ISPs cannot spread an attack evenly across their data centres, which makes large attacks hard to absorb. As DDoS attacks grow in size and complexity, a single on-premise anti-DDoS appliance is no longer effective.

Do ISPs Prioritize DDoS Protection or Latency?

ISPs do not want to add latency, but they are forced to inspect TLS (SSL) traffic to counter attacks hidden inside encrypted connections. That creates another trade-off: inspecting TLS increases website latency and degrades the user experience.

Running a TLS (SSL) termination proxy adds latency in itself, so most on-premise devices try to limit the cost by switching TLS inspection on only while an attack is under way. This is a compromise: it adds redundancy costs and can create additional compliance issues for the organization, because the ISP must hold the website's private keys to decrypt the traffic.

ISP "blackholing" also blocks legitimate users

Another anti-DDoS method is to re-route traffic. When an attack threatens to saturate the uplink, the ISP can "blackhole" the target: it announces a null route for the attacked address so that all traffic destined for it is dropped before it reaches the link. The biggest limitation of blackholing is that it does not distinguish between kinds of traffic, so legitimate users are cut off along with the attack. Since the attacker's sole aim was to make the service unreachable for legitimate users, the ISP has, in effect, finished the job on the attacker's behalf.

Many ISPs rely on this as their DDoS protection because they lack the infrastructure for a dedicated security approach.

Rate Limiting also limits ISPs’ Anti DDoS capabilities

Have you ever requested a page that does not exist? The web server answers with a "404 Not Found" error. Now imagine one billion such requests hitting a website. Each one is a perfectly well-formed HTTP request with no malicious payload, so a signature-based WAF rule never fires. Yet the web server can still collapse under the load of processing every request and generating a 4xx response for each.

Because they lack rate limiting for HTTP/HTTPS requests, ISPs cannot stop this kind of attack. Those that do offer rate limiting usually apply it per source IP address, so once traffic from an address crosses the threshold, both legitimate and malicious requests from it are rejected, and users behind a shared NAT address are blocked together with the attacker.
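To make the difference concrete, here is an added example (not code from the original article or from any vendor) that replays constructed traffic through a sliding-window rate limiter under two policies: an ISP-style per-IP limit, and an application-aware limit that only budgets requests to paths the application does not serve. The route table, addresses and timings are all constructed for the illustration.

```python
"""Per-IP vs application-aware rate limiting of an HTTP "404 flood".

Added example, not code from the original article or from any vendor.
It replays constructed traffic (timestamps in ms) through a sliding-window
limiter under two policies:
  * per_ip:    the ISP-style limiter, one budget per source IP.
  * app_aware: a proxy that knows the application's valid routes and only
               budgets requests to paths that do not exist.
Two clients share one NAT address: an attacker flooding random
non-existent paths and a legitimate user browsing real pages.
"""
from collections import defaultdict, deque, namedtuple

Request = namedtuple("Request", "t_ms ip path")

# Constructed route table of the protected application (assumption).
KNOWN_ROUTES = frozenset({"/", "/index.html", "/login", "/api/items", "/static/app.js"})

NAT_IP = "203.0.113.10"    # attacker and one legitimate user share this address
OTHER_IP = "198.51.100.7"  # a legitimate user elsewhere
WINDOW_MS = 10_000
LIMIT = 60                 # requests per key per window


def build_traffic():
    """Constructed 60 s of traffic: 600 flood requests, 30 + 30 legitimate."""
    reqs = [Request(i * 100, NAT_IP, f"/old-{i:04d}.php") for i in range(600)]
    routes = sorted(KNOWN_ROUTES)
    reqs += [Request(2_000 * j + 50, NAT_IP, routes[j % len(routes)]) for j in range(30)]
    reqs += [Request(2_000 * j + 1_050, OTHER_IP, routes[j % len(routes)]) for j in range(30)]
    return sorted(reqs, key=lambda r: r.t_ms)


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any trailing `window_ms`."""

    def __init__(self, limit, window_ms):
        self.limit, self.window_ms = limit, window_ms
        self.hits = defaultdict(deque)  # key -> timestamps of allowed hits

    def allow(self, key, now_ms):
        q = self.hits[key]
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()               # drop hits that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now_ms)
        return True


def per_ip(req):
    """ISP-style policy: every request counts against its source IP."""
    return req.ip


def app_aware(req):
    """Proxy policy: only requests to non-existent paths are budgeted, keyed
    per IP, so real pages from the same NAT address still pass.
    Returning None means 'not rate limited'."""
    return None if req.path in KNOWN_ROUTES else (req.ip, "unknown-path")


def evaluate(policy, reqs=None, limit=LIMIT, window_ms=WINDOW_MS):
    """Replay traffic through a limiter; count legit/flood allowed/blocked."""
    reqs = build_traffic() if reqs is None else reqs
    limiter = SlidingWindowLimiter(limit, window_ms)
    stats = {"legit_allowed": 0, "legit_blocked": 0,
             "flood_allowed": 0, "flood_blocked": 0}
    for r in reqs:
        key = policy(r)
        allowed = True if key is None else limiter.allow(key, r.t_ms)
        kind = "legit" if r.path in KNOWN_ROUTES else "flood"
        stats[f"{kind}_{'allowed' if allowed else 'blocked'}"] += 1
    return stats


if __name__ == "__main__":
    for name, pol in (("per_ip", per_ip), ("app_aware", app_aware)):
        print(name, evaluate(pol))
```

With the per-IP policy the legitimate user sharing the NAT address loses 12 of 30 requests, while the application-aware policy blocks none of them and still stops 240 of the 600 junk requests at the edge before they reach the server. Because real pages never consume the unknown-path budget, that budget can be tightened aggressively without affecting users, which is exactly what a limiter without knowledge of the application cannot do.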

ISPs that do not protect DNS leave it open to DDoS attacks

DNS amplification was used in the attacks on KrebsOnSecurity and Dyn. DNS is a weak point of Internet services: take DNS down and every service that depends on it goes with it. Because DNS runs over UDP, a connectionless protocol, the source address of a query can be spoofed. With modest resources an attacker can send small queries to open resolvers with the victim's address as the source, and the much larger responses are reflected to the victim, turning roughly 1 Mbps of queries into up to 100 Mbps of attack traffic. ISPs usually do not operate your nameservers and cannot substitute for them, so those DNS servers remain highly exposed.
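As an added example (not from the original article or any vendor), the following detector shows what the victim side can actually observe. The attacker's spoofed queries never cross the victim's border, so the usable signal is DNS responses arriving from UDP port 53 that do not match any query the network itself sent. The flow records, addresses and threshold are constructed for the illustration.

```python
"""Spotting reflected DNS amplification at the victim's network edge.

Added example, not code from the original article or from any vendor.
Flow records (five-tuple, byte count and direction at our border) are
constructed below. A legitimate DNS exchange is a query we sent plus the
matching reply; reflected amplification shows up as large datagrams from
UDP/53 for which we never sent a query. Because the attacker's spoofed
queries never pass our border, correlating inbound responses with our own
outbound queries is the signal we actually have.
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "t direction src sport dst dport proto length")

OUR_PREFIX = "203.0.113."   # constructed victim network (documentation range)
UPSTREAM = "192.0.2.53"     # constructed upstream resolver we legitimately query
QUERY_TTL_S = 5.0           # an outbound query stays "pending" this long


def build_flows():
    """Constructed traffic: 5 legitimate query/reply pairs and a reflection
    flood from 40 open resolvers (198.51.100.0/24) aimed at our web server,
    which never sent a DNS query."""
    flows = []
    for i in range(5):
        t = i * 2.0
        flows.append(Flow(t, "out", "203.0.113.53", 40000 + i, UPSTREAM, 53, "udp", 72))
        flows.append(Flow(t + 0.03, "in", UPSTREAM, 53, "203.0.113.53", 40000 + i, "udp", 210))
    for i in range(40):
        for k in range(5):
            flows.append(Flow(1.0 + k * 0.1 + i * 0.001, "in", f"198.51.100.{i + 1}", 53,
                              "203.0.113.80", 30000 + i, "udp", 3100))
    return sorted(flows, key=lambda f: f.t)


def detect_reflected_dns(flows, bytes_threshold=50_000, query_ttl_s=QUERY_TTL_S):
    """Return one alert per internal host that received at least
    `bytes_threshold` bytes of DNS responses it never asked for."""
    pending = {}            # (our_ip, our_port, resolver) -> time of our query
    unsolicited = defaultdict(lambda: {"bytes": 0, "pkts": 0, "reflectors": set()})
    last_prune = None
    for f in flows:
        if f.proto != "udp":
            continue
        # Forget pending queries whose answer is overdue (bounded memory).
        if last_prune is None or f.t - last_prune >= query_ttl_s:
            pending = {k: v for k, v in pending.items() if f.t - v <= query_ttl_s}
            last_prune = f.t
        if f.direction == "out" and f.dport == 53 and f.src.startswith(OUR_PREFIX):
            pending[(f.src, f.sport, f.dst)] = f.t
        elif f.direction == "in" and f.sport == 53 and f.dst.startswith(OUR_PREFIX):
            sent = pending.pop((f.dst, f.dport, f.src), None)
            if sent is not None and f.t - sent <= query_ttl_s:
                continue                         # solicited: a reply we asked for
            rec = unsolicited[f.dst]
            rec["bytes"] += f.length
            rec["pkts"] += 1
            rec["reflectors"].add(f.src)
    return [
        {"victim": victim, "bytes": rec["bytes"], "pkts": rec["pkts"],
         "reflectors": len(rec["reflectors"]),
         "avg_len": rec["bytes"] // rec["pkts"]}
        for victim, rec in sorted(unsolicited.items())
        if rec["bytes"] >= bytes_threshold
    ]


if __name__ == "__main__":
    for alert in detect_reflected_dns(build_flows()):
        print(alert)
```

The correlation only works where both directions of traffic are seen at the same point, so asymmetric routing breaks it, and the average response length in the alert is what tells a reflection flood apart from a mere burst of late or duplicated replies. The check covers hosts being used as reflection targets; a flood of inbound queries against your own authoritative server arrives on UDP destination port 53 and needs a separate rule.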

Choose the right anti-DDoS method for your business

The analysis above has set out the limitations of the anti-DDoS services offered by Internet service providers. ISPs are, in essence, network service providers: their specialty is connectivity for organizations and individuals, so their DDoS protection is effective only under limited conditions. For optimal website protection, consider the solutions of dedicated network security providers.

VNETWORK is known as a reputable, high-quality network security and incident response provider. To learn more about an effective anti-DDoS solution, see VNIS. The VNIS WAF uses AI and machine learning to protect websites against the OWASP Top 10 vulnerabilities.
