When you are searching for a new DDoS protection service, it will be hard to find the best solution that will apply to your personal requirements. 15 basic questions to select the best DDoS protection supplier.
This is a BLOG post from and about our datacenter partner (Serverius) their DDoS protection, which is connected with our network as well. We can offer you these features.
When you are searching for a new DDoS protection service, it will be hard to find the best solution that will apply to your personal requirements. As a system administrator you have quite a bit of knowledge about IP security, but in this jungle of DDoS Protection suppliers with different functionality and pricing which are all saying “we are the best” it’s very hard to decide which solution suits you the best.
Your IP infrastructure is not that complex but definitely not default. You have a few questions of your own, but what else can you ask the suppliers to find out the best suitable service for you? To help you a little bit, we will provide you with some basic questions to ask your possible future DDoS protection supplier:
What’s your definition of DDoS protection?
The definition of DDoS protection is totally different per provider. Of course that’s logical because every product is different, but the main question is; will it apply to your needs? Will the offered service protect you? Some providers will tell you they only block some UDP traffic, others will tell you they only use some IP reputation database on their switches and routers, others will say things like automatic ACL’s and Flowspec are also DDoS protection and some will tell you they use all of them like a dynamic wave in the ocean.
The next question to ask is what principles do they use: do you need to create a safe environment for your IP usage upfront or can this be done afterwards? Explain your needs and ask them clearly what they think is best for you!
Which DDoS protection levels are you providing?
The world of DDoS is changing day by day. Therefore you need Layer 3, 4 and 7 as a base. Almost all provides will offer these levels. Don’t accept a short explanation like “we offer Layer 3 and 4 volume protection”. You need to look a bit closer to see how the levels are technically provided. For example, if it’s only some general volume TCP SYN flood blocking or do they offer real advanced TCP SYN/ACK/FIN/RST Defense with TCP three-way handshake checking technologies that is based on your current IP data traffic usage?
Does your service offer more functionality like firewalling, botnet blocking or others?
Do more with less. That’s what this is all about these days. Many features like uploading your own IP blacklist, using attack/spam blacklists, fast firewalling, botnet/SQL filtering and so on can be used for other purposes and will prevent future attacks. In most cases it will alleviate your own infrastructure from a lot of dirty data traffic. So when you pay for a DDoS protection service anyway, it’s smart to look closely to it.
Is the protection service offered with your own infrastructure or are you using some other service for it.
A lot of cloud scrubbing companies are reselling services from others like their own. This is not a bad thing, but you should look if it will work in your situation. As long as they have good control about the IP configuration and they are not entirely depending on some external support desk it will be no problem. It will even save you some costs. But keep in mind that with DDoS protection you need good human support and insight attack information. Otherwise it will certainly give you problems when you are under a DDoS attack.
Please explain roughly how your DDoS protection is technically working.
It is important to know how the service is technically provided. You might not have all the technical knowledge to judge if something is a good or bad, but everyone will understand that a whole infrastructure protection system will provide much better protection then only one “magic DDoS scrubbing box” that is cut in pieces and sold to you and many other clients. Do not let them fool you by telling you “this is a secret, we never provide this information” because any good supplier should be able to show you his basic building blocks.
Do you charge incoming dirty data traffic?
Still some old providers are billing you the amount of dirty incoming data traffic (afterwards). Some will do it in Mbps and others are using TB’s and it will give you a heart attack afterwards. Be aware that this way of working is really from the past…
Can I use the DDoS protection in in-line mode?
The best DDoS protection is only possible when you using the service at all times. The service knows your data traffic and knows what normal data traffic looks like and what doesn’t. I will result in way much less false positives. Another advantage is that when a DDoS attack starts, it will give you less hiccup’s because data traffic does not need to be re-routed during a DDoS attack. Unfortunately an inline mode is not technically possible for every IP network. Therefore ask advice what they think is the best way for you.
Can I control everything myself? If so, what features do you offer?
All professional suppliers will offer some kind of web portal. But what features or parts can you manage yourself? Is it only some collection of data traffic graphs or does it give you full IP control of your own protection environment?
What are the total costs to protect my IP infrastructure?
In the world of DDoS protection there are many types of services. All services look very nice, but do they really apply to your requirements? Are there any hidden costs? What is the risk of needing to upgrade to larger packages? What is the contract length?
Do I get detailed automatic notifications by email and SMS?
When you are under a DDoS attack you need to be informed automatically. Not by some human support desk. Ask them to show you some email examples. Normally notification SMS or email will contain some basic information about the attacked subnet, what kind of attack, the amount of data traffic, used protocols and so on.
What is the total incoming data traffic capacity?
Without the extraordinary attacks you probably have seen in the news, the average attack is still under 200Gbps. Therefore a good DDoS protection service will need at least the double amount of scrubbing capacity to offer you a decent service. The larger companies will offer up to 1Tbps/250Mpps. Unfortunately many suppliers will only communicate the total amount of network Gbps and not the total scrubbing capacity. In most cases it will be much less. Therefore ask for a clear explanation with proof of carriers, scrubbing capacity or other techniques to offer the capacity.
Do you offer support and training? If so, how much will it cost me?
Is the support free of charge, how is it provided, what’s the guaranteed response time, can you speak with the support engineers upfront, do you get some upfront training to use the service, can you call 24×7? Ask all questions related to your own knowledge and technical infrastructure.
Is there a limit of IP subnets to protect?
Be aware that still some providers use the trick of limiting the amount of IP subnets. Also ask them if you are able to specify which IP subnets needs to be protected and which not (and if you can do this yourself). In most cases you should be able to add and remove IP subnets yourself. From a single IP that is part of a larger subnet up to a full /18 subnet.
Do you guarantee 100% uptime without false positives?
You will need the service because you need more uptime. So what’s the guarantee? Is there some SLA? What are the result of the supplier from the past?
Am I entitled to perform some DDoS test upfront?
If you have the skills and knowledge to do so, you should ask for a test environment what is based on your situation. Test with more protocols than with just a http(s) website. Just ask them to setup the same IP application as you would want to protect it, because DNS protection will be completely different then protecting your own written TCP application.
Of course there will be many more things to ask, but normally after asking these default questions the best provider will automatically pop up. When it is still unclear who you should choose, you should ask an independent specialist to tell what’s the best solution for you. This specialist should be really independent without any relation or connection to the suppliers for them to judge the services.