The promises are enticing and the price is unbeatable; after
all – who can beat the price of ‘free’ ?
As service availability becomes more and more of a customer concern, it has become common for internet service providers (ISPs), content distribution networks (CDNs) and public cloud providers to offer ‘DDoS protection’ for free, as part of their service bundle.
What those service providers don’t tell their customers,
however, is that this free protection can end up being the most expensive, should
you come under attack.
DDoS attacks frequently result in loss of availability, loss of customers, abandoned shopping carts and loss of reputation, so the upfront savings in protection can lead to much larger costs down the road.
Free (or low cost) DDoS protection is frequently offered by connectivity and computing providers, who bundle it together with their infrastructure services. This typically includes ISPs, CDNs, and public cloud infrastructure-as-a-service (IaaS) providers.
However, there are several key areas in which ‘free’ DDoS protection frequently falls short of dedicated security services.
There is no way around it: when you buy something for free
(or very cheap), you usually get what you pay for.
The main concern of infrastructure service providers is
selling their core computing services such as internet connectivity, content
distribution, or cloud computing. From their point of view, DDoS protection is
a loss leader to enable higher sales. Consequently, they frequently provide
only the simplest, most basic protections which cost them the least.
For example, one large public cloud provider has no qualms about declaring that their free tier provides protection only against the ‘most common, frequently occurring network and transport layer DDoS attacks’. Higher levels of protection, on the other hand, require high costs.
As a result, free DDoS protection tiers usually do not provide protection against advanced DDoS attacks such as burst attacks, dynamic IP attacks, multi-vector attacks, IoT botnet attacks (such as Mirai), DNS attacks, SSL attacks or other zero-day DDoS attacks. This leads to inferior protection, and leaves customers exposed should they face a sophisticated attacker.
Another key problem with ‘free’ DDoS protection services,
apart from the level of security, is the limited coverage they offer.
Frequently, such services are limited to rudimentary
network-layer (L3/4) DDoS attacks. However, they usually do not protect against
(L7) DDoS attacks which target the applications themselves, such as HTTP/S DDoS floods,
DNS attacks, low-and-slow attacks, and so on.
Application-layer DDoS protections, to the extent they are
offered at all, will frequently require separate add-on costs (or the purchase
of a WAF service), and are usually limited to simple
rate-limiting of incoming HTTP/S connections.
Moreover, as the service providers’ main interest is to sell more of their other services, their DDoS protections will be limited to coverage of their services only. For customers who use multiple providers (such as multiple CDNs, ISP, or public clouds), this will lead to varying levels of protection for different assets, inconsistent security policies, and fragmented management & reporting.
No Service Commitments
Another way in which free DDoS protection services save
money – and compromise security – is in the service commitments they provide to
Your DDoS protection service is only as good as the service guarantees
your provider is willing to commit to. Such service commitments are usually
documented in the Service Level Agreement (SLA) associated with the service.
This is why most free (or low cost) DDoS protection either
provide no SLA at all, or provide ‘best effort’ SLA. Frequently such SLAs will
not include any commitment to attack detection times, mitigation times, or
quality of mitigation (i.e., measuring the ratio between good and bad traffic
that is being allowed through).
This means that if the service provider doesn’t live up to
their marketing promises, there really isn’t anything that the customer can do
about it, and no remedy to their problem.
SLA should include service commitments which are not only specific, but
measurable (i.e., that there is a clear, understandable manner to measure to
them), and also explain what are the service remedies in case these SLAs are
Not including specific and measurable metrics for detection, mitigation, and response in the SLA of a DDoS protection service should raise alarm as to the actual quality of security it provides.
Lack of Security Expertise
Finally, as ‘free’ DDoS protection vendors are usually not
dedicated security providers, they frequently lack the expertise and know-how
to effectively deal with cyberattacks.
Although such service providers might be experts in their
respective fields (such as internet connectivity, content delivery or cloud
computing), security is frequently a side-business for them. DDoS attacks,
however, are a specific category of cyberattack, with distinct characteristics,
customer impact and methods of mitigation.
Consequently, such vendors are frequently not up-to-date
with the latest attacks, trends or tools, and don’t have rich experience in
dealing with a wide variety of DDoS attacks.
From a customer point of view, this means that free DDoS protection services will not be able to handle attacks as quickly or as efficiently as needed, and may not know how to effectively deal with complex attacks, leaving customers exposed for longer.
The Price is Promising, But…
Ultimately, when you buy something for free, you usually get
what you pay for. DDoS attacks are a unique type of cyberattack, and protection
against DDoS attacks is a dedicated
discipline within cybersecurity. Although many vendors promise ‘free’ DDoS
protection, this type of service is usually a side-business for them, and an
add-on for their main product line.
As a result, this type of ‘free’ protection comes at the
cost of inferior protection, limited coverage, basic service commitments, and
limited security expertise, which may end up being far more expensive down the