DDoS protection is as good as your SLA, so ask these questions to your DDoS vendor

Many vendors make expansive marketing claims about mitigation capabilities, but when it comes to making contractual commitments to performance, the claims vaporize into thin air. It is fair to say that DDoS protection is only as good as your SLA.

For any organisation, a service level agreement (SLA) is a crucial component of DDoS defenses. It is a contractual guarantee outlining what the DDoS mitigation provider will deliver and their obligation to remedy in case they do not meet those guarantees.

One can use the following six questions to evaluate how good their DDoS protection is. Each SLA metric has a specific technical benchmark and a defined business purpose. Not having one or more of these KPIs in the SLA document should cast doubt on the vendor's confidence in their own service, and ultimately on the vendor's ability to protect your organisation against DDoS attacks.


Ask these six questions to your DDoS mitigation provider

How Soon Can You Detect Attacks?

The first step in stopping a DDoS attack is recognizing that an attack is taking place. Many vendors will make bold claims on mitigation time, but the question is: mitigation from when? The sooner an attack can be identified, the sooner that attack can be mitigated. With a Time-to-Detect SLA, your DDoS mitigation vendor commits to how quickly they will detect an attack. Not including a Time-to-Detect commitment leaves you exposed to the possibility that a DDoS attack could be well under way before it's noticed.

How Quickly Will You Let Me Know?

When something bad happens, you want to be the first to know about it. The Time to Alert SLA is crucial for ensuring that you're notified immediately if under attack. Failure to include this metric means that your mitigation provider does not commit to immediate notification of an attack, and puts the burden on you, your customers, or worse – your boss – to find out on their own.

How Swiftly Will You Divert?

For on-demand DDoS protection deployments, the time it takes the system to initiate diversion is a crucial step to quick mitigation. Any delay in diversion can result in needless downtime. The Time to Divert SLA commits to how fast your mitigation provider will initiate diversion once an attack has been detected. Not having this metric in your SLA likely means that the DDoS mitigation provider lacks the technology or processes to ensure fast diversion, leaving you exposed for longer periods.

How Fast Will You Stop The Attack?

Once an attack has been detected and diverted to a DDoS mitigation provider, the next question is how long it will take to mitigate the attack. The Time-to-Mitigate metric measures the speed with which DDoS mitigation vendors mitigate different types of attacks, based on attack characteristics. Although most providers provide this commitment, there are still many that do not. This is a key metric, and unwillingness to commit to mitigation time should cast serious doubt on their ability to stop attacks.

How Do You Measure Quality of Protection?

Shakespeare said that “a rose, by any other name, would smell just as sweet.” Sadly, the same is not true when it comes to DDoS protection. Apart from the time it takes to mitigate an attack, a key consideration is the quality of mitigation. The Consistency of Mitigation metric provides a baseline to calculate the effectiveness of mitigation, and how much bad traffic is allowed through. A high-level mitigation threshold will only allow less than 5% of attack traffic to go through. Not including a Consistency of Mitigation commitment in your SLA effectively renders Time-to-Mitigate commitments meaningless, because vendors can pass almost anything off as 'mitigation' and claim to meet mitigation SLAs.

How Reliable is Your Service?

Finally, when under attack, you want to be sure that your mitigation service will be available to take over. The Service Availability metric defines uptime requirements for the service, and how much downtime will be tolerated on an annual basis. A high-quality service will commit to at least 99.999% uptime, which means only about 5 minutes of allowed downtime throughout the year. If your SLA does not include a Service Reliability commitment, that should make you wonder whether the service will be there in a time of need.

The author is Managing Director-India, SAARC & Middle East, . Views are personal.