With the news that SOCA in the UK have had their web site knocked offline (again) as a result of a DDoS attack of unconfirmed origin, I wanted to publish the full text of my comments to the BBC as regards this nonsensical and pointless form of attack.
Ultimately, DDoS is defeated by bandwidth: you need to have more than your attacker, and this can be accomplished in a number of ways. You can buy bigger pipes and build bigger server farms locally, and you can try to block incoming requests based on geography if appropriate, but this is not always cost effective or scalable. The preferable option is to use the power of the cloud.
The cloud can help in a number of ways. You can use the services of a content delivery network such as Akamai as your front end, relying on their infrastructure to absorb much of the attack volume, or you can take advantage of cloud-based hosting with some of the bigger providers, like Google, Amazon, IBM, Rackspace, etc., again hiding behind someone else’s big bandwidth. Of course, there is an associated cost to this as well.
In reality, it all comes down to risk management. It may simply not be cost effective for you to spend on combating DDoS, if the impact on your business or your customers (or the public in the case of government websites) does not justify the expense of the solution. You must understand your business and your customers, evaluate the financial impact of such an event and plan your security budget accordingly.
In the case of SOCA, their website being unavailable for a period of time has no impact on their ability to do business and very little impact on the public at large. Is it worth the expense of large-scale DDoS mitigation technologies? Probably not. Does it harm the SOCA brand to be seen to do nothing, or very little, to stop these attacks from happening? Again, probably not. SOCA are treating the attacks with the contempt they deserve.
The sensible person doesn’t walk around in a bee-keeper’s outfit to keep the wasps away from their ice-cream in summer. The sensible person accepts that wasps are attracted to ice-cream and that wasps will always outnumber ice-creams. Unless there is an overriding need to protect yourself from wasp stings, if the wasps impact your ability to breathe for example, you simply ignore them (or run around screaming). Both options are open, but treating them as the minor annoyance that they really are is probably the wisest.