I guess I shouldn’t be surprised by highly biased marketing campaigns providing bad advice to customers. Normally I let it go (yes, Zen Mike is usually in the house), but not today. I saw Prolexic’s Why a Multi-Layered Security Strategy is Not Ideal for DDoS Mitigation campaign and was a bit perplexed, especially by one statement:
The typical IT advice of using multiple tiers of security to build the best defense for protecting networks does not apply to distributed denial of service (DDoS) mitigation.
Wrong. As I described in our Defending Against Denial of Service Attacks paper (and the subsequent AppDoS series), attackers use multiple tactics to impact the availability of your applications: volumetric floods that saturate your network links, and application-layer attacks that exhaust your servers with a comparatively small number of requests that look legitimate. Those two classes are visible, and stoppable, at different points: one upstream of your link, the other in front of or inside the application. So you need to think about how you will deal with both volumetric and application-layer attacks.
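To make that concrete, here is an added example (not code from this post, and not anything of Prolexic's) that runs two simple detectors over constructed traffic windows: a bandwidth threshold, which is the network-layer view an upstream scrubbing provider or router has, and a per-client request-rate check on expensive endpoints, which is the application-layer view a WAF or the application itself has. The link capacity, thresholds, endpoint names and every traffic record are assumptions made up for the example.

```python
"""Added example (not code from the Securosis post, nor anything of Prolexic's).

It shows why the two attack classes named in the post are caught by different
controls: a volumetric flood is visible as aggregate bits per second, which an
upstream scrubbing network or router can see; an application-layer flood stays
well under any bandwidth threshold and is only visible as per-client request
behaviour, which needs an application-aware control such as a WAF or the app
itself. Every traffic record and threshold below is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str      # client address (constructed, RFC 5737 / RFC 1918 ranges)
    path: str     # HTTP path, or "/" for raw junk packets with no HTTP content
    nbytes: int   # bytes on the wire


# Illustrative assumptions, not figures from the post.
LINK_CAPACITY_BPS = 1_000_000_000          # 1 Gbit/s access link
VOLUMETRIC_FRACTION = 0.8                  # alert above 80% of link capacity
EXPENSIVE_PATHS = {"/search", "/report"}   # assumed CPU-heavy endpoints
APP_REQS_PER_SRC = 50                      # per-second ceiling per client on those paths


def volumetric_alert(window):
    """Network-layer view: does one second of traffic approach link saturation?"""
    total_bits = 8 * sum(r.nbytes for r in window)
    return total_bits > LINK_CAPACITY_BPS * VOLUMETRIC_FRACTION


def app_layer_offenders(window):
    """Application-layer view: clients hammering expensive endpoints."""
    per_src = Counter(r.src for r in window if r.path in EXPENSIVE_PATHS)
    return {src for src, n in per_src.items() if n > APP_REQS_PER_SRC}


def baseline_traffic():
    """Normal second: ~2,000 page loads plus a few legitimate searches."""
    pages = [Request(f"10.0.{i % 20}.{i % 250}", "/index.html", 1200) for i in range(2000)]
    searches = [Request(f"10.1.{i}.7", "/search", 900) for i in range(10)]
    return pages + searches


def volumetric_flood():
    """80,000 spoofed 1,500-byte packets: ~960 Mbit in one second, no HTTP content."""
    return [Request(f"203.0.113.{i % 256}", "/", 1500) for i in range(80_000)]


def app_layer_flood():
    """200 bots, 100 searches each: only ~96 Mbit, but 20,000 expensive requests."""
    return [Request(f"198.51.100.{b}", "/search", 600) for b in range(200) for _ in range(100)]


def evaluate():
    """Run both detectors over each constructed one-second window.

    Returns {window_name: (volumetric_alert, number_of_app_layer_offenders)}.
    """
    base = baseline_traffic()
    windows = {
        "baseline": base,
        "volumetric": base + volumetric_flood(),
        "app_layer": base + app_layer_flood(),
    }
    return {name: (volumetric_alert(w), len(app_layer_offenders(w)))
            for name, w in windows.items()}


if __name__ == "__main__":
    for name, (vol, offenders) in evaluate().items():
        print(f"{name:11s} volumetric_alert={vol!s:5s} app_layer_offenders={offenders}")
```

The bandwidth detector fires only on the volumetric window and the request-rate detector fires only on the application-layer window; neither covers both. Note also that the volumetric alert triggers on bits that have already arrived, which is why that control only helps when it sits upstream of your access link, in a provider's network, whereas the application-layer check needs to see individual requests, which a packet-level scrubber may not understand or be able to decrypt.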
I read Prolexic’s white paper, and I will never get that 15 minutes back. But their main point is that coordinating among many vendors and/or service providers is challenging. So you should use one provider who can do it all. They are correct that it’s hard to coordinate multiple controls across multiple vendors. But isn’t that what security folks do? Oh, you want an Easy Button for security? Good luck with that.
Here’s what Prolexic didn’t mention in their paper: to get protection from both network and application-layer attacks, you need to route all your traffic through their network. All of it. All the time. If you wait until you are being blasted or your applications fall down before redirecting traffic, it’s too late. They don’t mention the increased cost that always-on routing brings. Of course not – it would make their pitch much less attractive.
I am the first to push for simplicity rather than complexity. But the trade-offs need to be disclosed. In this case it is the cost of paying for all your bandwidth going through a service provider. Anyhow, I said my piece. Now I’ll let it go…
Photo credit: “cute but wrong” originally uploaded by Gerard Stolk
Reader interactions
One Reply to “Multi-layer DoS Defense FTW”
This paper actually shocked me: PLX people are usually smart and well informed, but this paper is sheer idiocy. DDoS defense needs *MORE* of a multi-tool/multi-vendor approach than much of the rest of infosec.