New research confirms effectiveness and importance


Yet another distributed denial of service (DDoS) attack has been reported, and this time it was sustained for a full day. AWS’s mitigations not only absorbed the vast majority of attacks but also flagged legitimate customer queries. Mitigations also included tracking down the source to stop it. For DDoS attacks specifically, it’s estimated that each hour of downtime can cost organizations between $20,000 and $40,000 on average. Do the math.

It is timely that SDP’s effectiveness in preventing DDoS attacks was affirmed by the Cloud Security Alliance (CSA), which today released new research on Anti-DDoS: Software-Defined Perimeter as a DDoS Prevention Mechanism. Produced by CSA’s SDP Working Group, this paper sheds light on the use of an SDP as a tool to prevent DDoS attacks. It demonstrates the efficiency and effectiveness of an SDP against several well-known attacks including HTTP Flood, TCP SYN, and UDP Reflection. The paper describes how SDP allows legitimate customer traffic during a DDoS and can inform upstream routers of bad packets, enabling quicker attribution to the source.

Lab tests based upon Waverley Labs’ Open Source Software Defined Perimeter (SDP) analyzed the performance of two networks against DDoS attacks: one with an SDP and one without an SDP.

The test team, led by professors Ahmed Refaey of Manhattan College and Abdallah Shami of Western University, detailed its findings and conclusions in a new paper titled “Performance Analysis of SDP for Secure Internal Enterprises.” The experiment modeled the situation where cloud computing and connected devices are used to create new access that comes under DDoS attack.

To evaluate SDP, the team measured network connectivity performance with and without it during a DDoS attack, using two metrics to determine both access control and resiliency: Connection Setup Time and Network Throughput.

Table 1 shows a small difference in time to set up a connection with SDP, indicating that the impact of adding SDP as a security control is on average slightly under a second.

Because SDP drops bad packets while allowing legitimate traffic, it is the most advanced mitigation for DDoS attacks. Table II shows an improvement of orders of magnitude (a factor of 1000) in performance under a DDoS threat.

As business owners and IT leaders discuss access controls and network resilience to DDoS attacks, it is important to consider SDP as their most advanced and proven solution for their Zero Trust arsenal. SDP can be used to integrate security controls to build highly resilient network connectivity. Although SDP impacts connection setup time, the tradeoff is that it can provide a level of resiliency to operate in spite of cyber threats such as DDoS attacks. To read the detailed findings in the paper, click here to download it and try it for yourself, or email to implement SDP.