Why Free or Cheaper DDoS Protection Will Cost You Billions Later

 

The promises are enticing and therefore the price is unbeatable; in any case – who can beat the worth of ‘free’? 

 

As service accessibility becomes more and more of a customer concern, it's become common for internet service providers (ISPs), content distribution networks and public cloud providers to supply ‘DDoS protection service’ for free of charge, as a part of their service bundle. 

 

What those service providers don’t tell their customers, however, is that this free protection can find yourself being the foremost expensive, do you have to come under fire. 

 

DDoS attacks most of the times end in loss of availability, loss of consumers, abandoned shopping carts and loss of reputation, therefore the upfront savings in protection can cause much larger costs down the road. 

 

Free or less expensive or cheaper DDoS protection service is usually offered by connectivity and computing providers, who bundle it in conjunction with their infrastructure services. This typically includes Internet Service Providers, Content Delivery Network, and public cloud infrastructure-as-a-service (IaaS) providers. 

 

Inferior Protection 

 

There is no way around it: once you buy something for free of charge, you always get what you buy. 

 

The main concern of infrastructure service providers is selling their core computing services like internet connectivity, content distribution, or cloud computing. From their point of view, DDoS protection may be a drawing card to enable higher sales. Consequently, they often provide only the only, most elementary protections which cost them the smallest amount. 

 

Higher levels of protection, on the opposite hand, require high costs. 

 

As per consequence, free or cheaper DDoS mitigation service tiers usually don't provide protection against advanced DDoS attacks like burst attacks, dynamic IP attacks, multi-vector attacks, IoT botnet attacks (such as Mirai), DNS attacks, SSL attacks or other zero-day vulnerabilities or DDoS attacks. This results in inferior protection, and leaves customers exposed should they face a classy attacker. 

 

Limited Coverage 

 

Another key problem with ‘free’ DDoS protection services, aside from the extent of security, is that the limited coverage they provide. 

Frequently, such services are limited to elementary network-layer (L3/4) DDoS attacks. However, they typically don't protect against application-layer (L7) DDoS attacks which target the applications themselves, like HTTP/S DDoS floods attacks, low-and-slow attacks, and so on. 

 

Application-layer DDoS Mitigation Solution, to the extent they're offered within the least, will frequently require separate add-on costs (or the acquisition of a WAF security service), and are usually limited to simple rate-limiting of incoming HTTP/S connections. 

 

Besides the point, because the service providers’ main interest is to sell more of their other services, their DDoS protections are getting to be limited to coverage of their services only.

 

For customers who use multiple providers (such as multiple CDNs, ISP, or public clouds), this may cause varying levels of protection for various assets, inconsistent security policies, and fragmented management & reporting. 

 

No Service Commitments 

 

Your DDoS protection service is merely nearly as good because the service guarantees your provider is willing to plan to. Such service commitments are usually documented within the Service Level Agreement (SLA) related to the service. 

 

This is why most free or least expensive DDoS protection either provide no SLA within the littlest amount, or provide ‘best effort’ Service level agreement. Frequently such Service level agreements won't include any commitment to attack detection times, mitigation times, or quality of mitigation (I.e., measuring the ratio between good and bad traffic that's being allowed through). 

 

An enterprise-grade 

 

SLA should include service commitments which aren't only specific, but measurable (i.e., that there's a transparent, understandable manner to live to them), and also explain what are the service remedies just in case these SLAs are breached. 

 

Exclusive of to the point and measurable metrics for detection, mitigation, and response within the SLA of a DDoS protection service should raise alarm on the actual quality of security it provides. 

 

Lack of Security Expertise 

 

Finally, as ‘free’ DDoS protection vendors are usually not dedicated security providers, they often lack the expertise and know-how to effectively affect cyberattacks. 

 

Even though such service providers could be experts in them respective fields (such as internet connectivity, content delivery or cloud computing), security is usually a side-business for them. DDoS attacks, however, are a selected category of cyberattack, with distinct characteristics, customer impact and methods of mitigation. 

 

In consequence, such vendors are frequently not up-to-date with the foremost recent attacks, trends or tools, and don’t have rich experience in handling an honest quite DDoS attacks.