On Tue, 14 May 2002, Pete Kruckenberg wrote:
Have any large networks gathered statistics on how much traffic DDoS/DoS/DRDoS attacks consume on an average day?
The attacks I have been able to detect represent around 10-15% of my traffic on an on-going basis.
I'm curious about the business case for investing in DoS defense mechanisms. DoS traffic is boosting service provider revenues through increased customer bandwidth usage.
I disagree. If many of your customers have flat-rate as opposed to burstable connectivity, such as a full point-to-point T1 or a dedicated 10 meg switch port to host a colo box, the revenue you derive from those customers doesn't change regardless of how much/how little traffic your network carries for them. If your customers have burstable connectivity, their bill only goes up if you have mechanisms in place to do those calculations - I'll hazard a guess that many providers don't. I would argue that in many cases a service provider loses revenue due to DoS traffic - network performance/availability can be impacted as your network absorbs a DoS attack and your NOC/network engineers/security people have to spend cycles analyzing (calling vendors, upstreams, etc) and dampening the attack. Both of these impact windows have costs associated with them. I haven't done any formal ROI calculations on Arbor or any of the other DoS defense products out there. However, from my viewpoint, I'd be willing to bet that if/once my NOC/network engineers/security people are properly trained on how to handle a DoS attack, anything that allows me to shrink those impact windows, e.g. reduce my costs related with dealing with an attack, is a good thing.
So the investment in defense mechanisms like Arbor would have to replace or increase that revenue. Will these issues inhibit wide-spread implementation of DoS defenses?
That depends on how those products are priced, how well they're marketed, and of course, how effective they are in helping to stop DoS attacks. jms