DDoS Resilience Score (DRS) Standard
Why a DDoS Resiliency Score and How Can it be Used?
Plenty of knowledge, data and solutions are available today to help strategize and prepare IT networks against DDoS attacks. But despite the wealth of data, no measurement scale exists for evaluating and measuring the strength of attacks and the ability to withstand them. For example, how many organizations can accurately evaluate or predict what type and volume of DDoS attack vectors their systems can withstand?
The DDoS Resiliency Score (DRS) is a standard for measuring and evaluating mitigation strategies in objective, quantitative terms. Using the DRS score, organizations can:
• Evaluate DDoS attack readiness. The DRS score provides a specific, defined list of the types of attacks that an organization can withstand prior to an outage.
• Make better technology decisions. Using the DRS score, technical teams can compare the effectiveness of different DDoS technologies and solution options by assigning each a score.
• Facilitate communication between management and technical teams. A score of 4.7, for example, can point out to management that mitigation capabilities have improved since the previous score of 3.5. At the same time, the score also encapsulates a list of specific attack vectors that will and will not be blocked, which the technical teams can analyze.
Understanding the DRS Scoring Mechanism
The DRS scoring mechanism is based on seven ascending levels of DDoS attacks. Each level introduces additional types of attacks, more sophisticated attack vectors, and larger volumes of traffic. Similarly, the requirements on the defending side increase, with each level requiring a shorter mitigation response time and lower latency.
Seven Levels of Attacks - Which One Can You Withstand?
The following table provides an overview of the key characteristics of each of the DDoS attack levels. For more details, please refer to the technical spec document.

| Level | Attack Vectors (delta) | Attack Volume |
|---|---|---|
| 1 - Poking | SYN Flood; HTTP GET Flood | 1 Mbps, 10K PPS, 1K TPS |
| 2 - Script Kiddy | UDP Flood | 10 Mbps, 100K PPS, 10K TPS |
| 3 - Basic | ICMP Flood; TCP RST flood; HTTPS GET Slash Flood | M bps, 1M PPS, 25K TPS |
| 4 - Sophisticated | TCP FIN Flood; NTP Reflective flood; TCP SYN+ACK; TCP PSH Flood; TCP ACK flood; DNS Query Flood | 1 Gbps, 5M PPS, 50K TPS |
| 5 - APT | R.U.D.Y. (HTTP); SSL Renegotiation; HTTP Flood Cookie support; DNS Recursive; Slowloris | 10 Gbps, 10M PPS, 100K TPS |
| 6 - Extreme | CHARGEN Reflective flood; HTTPS Flood Cookie support; HTTP Flood JavaScript support; Tsunami SYN Flood | 50 Gbps, 5M PPS, 250K TPS |
| 7 - State Sponsored | HTTP Flood Headless browser; R.U.D.Y. (HTTPS); HTTPS Flood Headless browser; HTTPS Flood JavaScript support | 100 Gbps, 100M PPS, 1M TPS |

Each of the attack levels, from 1 through 7, introduces increased demands in terms of:
• Traffic volume. A DDoS attack vector's volume is measured in bytes per second (Mbps), packets per second (PPS) and transactions per second (TPS).
• Attack vector types. With each level, additional attack vectors are introduced in addition to those used in the previous level. In the table above, the 'Attack Vectors' column lists the delta - the attack vectors added in each level.
• Attack sophistication. Attacks become more advanced and forceful not only in their sheer size or attack vectors, but also in the inner properties of each attack. In each level, advanced properties are introduced that characterize more effective attacks, such as IP Address Spoofing, URL Randomization and more.
• Mitigation requirements. An organization that is able to fully mitigate an attack after ten seconds is more resilient than one that mitigates the same attack only after ten minutes. Each level introduces a shorter response time requirement, measured by the maximum outage following attacks. Another parameter measuring mitigation resiliency is 'Maximum latency,' defined by the extra roundtrip time for an average packet to travel, compared to the normal roundtrip time when not under attack.
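An added example (not part of the DRS standard or of this document) showing how the per-level deltas accumulate: given the vectors and volumes a test showed were mitigated, it reports the highest level fully covered and what blocks the next one. The pass rule, the function names and the sample results are assumptions; response-time and latency limits are left out because this page gives no figures for them, and only whole levels are computed because the page does not define how fractional scores such as 4.7 are derived.

```python
# Added example, not part of the DRS standard. Level data is transcribed from
# the table on this page; the pass rule in assess() is an assumption.
# Tuple: (name, delta vectors, Mbps, PPS, TPS). None = figure not legible here.
LEVELS = [
    ("Poking", {"SYN Flood", "HTTP GET Flood"}, 1, 10_000, 1_000),
    ("Script Kiddy", {"UDP Flood"}, 10, 100_000, 10_000),
    ("Basic", {"ICMP Flood", "TCP RST flood", "HTTPS GET Slash Flood"},
     None, 1_000_000, 25_000),
    ("Sophisticated", {"TCP FIN Flood", "NTP Reflective flood", "TCP SYN+ACK",
                       "TCP PSH Flood", "TCP ACK flood", "DNS Query Flood"},
     1_000, 5_000_000, 50_000),
    ("APT", {"R.U.D.Y. (HTTP)", "SSL Renegotiation", "HTTP Flood Cookie support",
             "DNS Recursive", "Slowloris"}, 10_000, 10_000_000, 100_000),
    ("Extreme", {"CHARGEN Reflective flood", "HTTPS Flood Cookie support",
                 "HTTP Flood JavaScript support", "Tsunami SYN Flood"},
     50_000, 5_000_000, 250_000),
    ("State Sponsored", {"HTTP Flood Headless browser", "R.U.D.Y. (HTTPS)",
                         "HTTPS Flood Headless browser",
                         "HTTPS Flood JavaScript support"},
     100_000, 100_000_000, 1_000_000),
]


def vectors_through(level):
    """Cumulative vector set for levels 1..level (each row lists only the delta)."""
    return set().union(*(delta for _, delta, *_ in LEVELS[:level]))


def assess(mitigated, mbps, pps, tps):
    """Return (highest level fully met, gaps that block the next level)."""
    achieved = 0
    for number, (_, _, need_mbps, need_pps, need_tps) in enumerate(LEVELS, 1):
        gaps = sorted(vectors_through(number) - mitigated)
        for unit, have, need in (("Mbps", mbps, need_mbps),
                                 ("PPS", pps, need_pps), ("TPS", tps, need_tps)):
            if need is not None and have < need:
                gaps.append(f"{unit}: tested {have}, level needs {need}")
        if gaps:
            return achieved, gaps
        achieved = number
    return achieved, []


# Constructed test results: everything through level 4, part of level 5.
tested = vectors_through(4) | {"R.U.D.Y. (HTTP)", "DNS Recursive",
                               "HTTP Flood Cookie support"}
print(assess(tested, mbps=10_000, pps=10_000_000, tps=100_000))
```

The gap list is the part technical teams act on: it names the specific vectors or volume figures that keep the result from reaching the next level.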
Next Step: How Can You Use the DRS Score?
The DRS Score can be used in several ways, depending on your role:
Organizations should ask all relevant stakeholders (vendors, consultants, and internal teams) to provide their recommendations using the DRS standard. This will enable evaluating and comparing DDoS inputs, as well as quantifying decisions and activities over time.
Security consultants can adopt the standard in order to provide better service to end customers by facilitating communications and calibrating expectations.
DDoS Pen Test Service providers that simulate DDoS attacks should follow the DRS standard as a way of guaranteeing that their penetration tests are done in accordance with an objective standard, which can be compared and re-evaluated at any time by other vendors.