
DDoS Resilience Score (DRS) Standard

Why a DDoS Resiliency Score and How Can it be Used?

Plenty of knowledge, data and solutions are available today to help strategize and prepare IT networks against DDoS attacks. But despite the wealth of data, no measurement scale exists for evaluating and measuring attack strengths and the ability to withstand them. For example, how many organizations can accurately evaluate or predict what type and volume of DDoS attack vectors their systems can withstand?

The DDoS Resiliency Score (DRS) is a standard for measuring and evaluating mitigation strategies in objective, quantitative terms. Using the DRS score, organizations can:

• Evaluate DDoS attack readiness. The DRS score provides a specific, defined list of the types of attacks that an organization can withstand prior to an outage.

• Make better technology decisions. Using the DRS score, technical teams can compare the effectiveness of different DDoS technologies and solution options by assigning each a score.

• Facilitate communication between management and technical teams. A score of 4.7, for example, can point out to management that mitigation capabilities have improved since the previous score of 3.5. At the same time, the score also encapsulates a list of specific attack vectors that will and will not be blocked, which the technical teams can analyze.

Understanding the DRS Scoring Mechanism

The DRS scoring mechanism is based on seven ascending levels of DDoS attacks. Each level introduces additional types of attacks, more sophisticated attack vectors, and larger volumes of traffic. Similarly, the requirements on the defending side increase, with each level requiring a shorter mitigation response time and lower latency.


Seven Levels of Attacks - Which One Can You Withstand?

The following table provides an overview of the key characteristics of each of the DDoS attack levels. For more details, please refer to the technical spec document.

Each of the attack levels, starting from 1 through 7, introduces increased demands in terms of:

• Traffic volume. A DDoS attack vector's volume is measured in megabits per second (Mbps), packets per second (PPS) and transactions per second (TPS).

• Attack vector types. With each level, additional attack vectors are introduced in addition to those used in the previous level. In the following table, the 'Attack Vectors' column lists the delta - the attack vectors added in each level.

• Attack sophistication. Attacks become more advanced and forceful not only in their sheer size or attack vectors, but also in the inner properties of each attack. In each level, advanced properties are introduced that characterize more effective attacks, such as IP address spoofing, URL randomization and more.

• Mitigation requirements. An organization that is able to fully mitigate an attack after ten seconds is more resilient than one that mitigates the same attack only after ten minutes. Each level introduces a shorter response time requirement, measured by the maximum outage following attacks. Another parameter measuring mitigation resiliency is 'Maximum latency', defined as the extra round-trip time for an average packet to travel, compared to the normal round-trip time when not under attack.

Table: Level / Attack Vectors (delta) / Attack Volume

Level 1 - Poking
  • Attack Vectors (delta): SYN Flood, HTTP GET Flood
  • Attack Volume: 1 Mbps, 10K PPS, 1K TPS

Level 2 - Script Kiddy
  • Attack Vectors (delta): UDP Flood
  • Attack Volume: 10 Mbps, 100K PPS, 10K TPS

Level 3 - Basic
  • Attack Vectors (delta): ICMP Flood, TCP RST Flood, HTTPS GET Slash Flood
  • Attack Volume: (value missing in source) Mbps, 1M PPS, 25K TPS

Level 4 - Sophisticated
  • Attack Vectors (delta): TCP FIN Flood, NTP Reflective Flood, TCP SYN+ACK, TCP PSH Flood, TCP ACK Flood, DNS Query Flood
  • Attack Volume: 1 Gbps, 5M PPS, 50K TPS

Level 5 - APT
  • Attack Vectors (delta): R.U.D.Y. (HTTP), SSL Renegotiation, HTTP Flood Cookie support, DNS Recursive, Slowloris
  • Attack Volume: 10 Gbps, 10M PPS, 100K TPS

Level 6 - Extreme
  • Attack Vectors (delta): CHARGEN Reflective Flood, HTTPS Flood Cookie support, HTTP Flood JavaScript support, Tsunami SYN Flood
  • Attack Volume: 50 Gbps, 5M PPS, 250K TPS

Level 7 - State Sponsored
  • Attack Vectors (delta): HTTP Flood Headless browser, R.U.D.Y. (HTTPS), HTTPS Flood Headless browser, HTTPS Flood JavaScript support
  • Attack Volume: 100 Gbps, 100M PPS, 1M TPS
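The following Python block is an added example, not code from the DRS standard or its authors. It encodes the seven levels from the table above and, given a defence's measured capabilities (which vectors it has been shown to block and the bandwidth, packet rate and transaction rate it has sustained without outage), reports the highest level fully withstood and the specific gaps at the next level. It only computes the whole-number level: the page does not define how fractional scores such as 4.7 are derived, so that is not attempted. The MitigationProfile structure and the sample capability figures are hypothetical and constructed here; the Level 3 bandwidth figure is not legible in the source, so it is stored as None and skipped rather than guessed. Response-time and latency requirements are described on the page but their per-level values are not given, so they are not checked.

```python
from dataclasses import dataclass

# DRS levels as transcribed from the table on this page: (level number, name,
# attack vectors added at this level, Mbps, PPS, TPS). Vectors are cumulative:
# an attacker at level N uses everything listed for levels 1..N. The Level 3
# bandwidth figure is not legible in the source, so it is None and not checked.
DRS_LEVELS = [
    (1, "Poking", ["SYN Flood", "HTTP GET Flood"], 1, 10_000, 1_000),
    (2, "Script Kiddy", ["UDP Flood"], 10, 100_000, 10_000),
    (3, "Basic", ["ICMP Flood", "TCP RST Flood", "HTTPS GET Slash Flood"],
     None, 1_000_000, 25_000),
    (4, "Sophisticated", ["TCP FIN Flood", "NTP Reflective Flood", "TCP SYN+ACK",
                          "TCP PSH Flood", "TCP ACK Flood", "DNS Query Flood"],
     1_000, 5_000_000, 50_000),
    (5, "APT", ["R.U.D.Y. (HTTP)", "SSL Renegotiation", "HTTP Flood Cookie support",
                "DNS Recursive", "Slowloris"], 10_000, 10_000_000, 100_000),
    (6, "Extreme", ["CHARGEN Reflective Flood", "HTTPS Flood Cookie support",
                    "HTTP Flood JavaScript support", "Tsunami SYN Flood"],
     50_000, 5_000_000, 250_000),
    (7, "State Sponsored", ["HTTP Flood Headless browser", "R.U.D.Y. (HTTPS)",
                            "HTTPS Flood Headless browser", "HTTPS Flood JavaScript support"],
     100_000, 100_000_000, 1_000_000),
]


@dataclass
class MitigationProfile:
    """Measured capability of a defence (hypothetical structure, not part of the DRS spec)."""
    mitigated_vectors: set    # attack vectors the defence has been shown to block
    max_mbps: float           # largest bandwidth flood sustained without outage
    max_pps: float            # largest packet rate sustained without outage
    max_tps: float            # largest transaction rate sustained without outage


def required_vectors(level: int) -> list:
    """All attack vectors in play at `level`: the deltas of levels 1..level combined."""
    return [v for num, _, delta, *_ in DRS_LEVELS if num <= level for v in delta]


def level_gaps(profile: MitigationProfile, level: int) -> list:
    """Reasons `profile` fails `level`; an empty list means the level is fully withstood."""
    _, name, _, mbps, pps, tps = DRS_LEVELS[level - 1]
    gaps = []
    missing = [v for v in required_vectors(level) if v not in profile.mitigated_vectors]
    if missing:
        gaps.append(f"level {level} ({name}): unmitigated vectors: {', '.join(missing)}")
    if mbps is not None and profile.max_mbps < mbps:
        gaps.append(f"level {level} ({name}): bandwidth {profile.max_mbps} Mbps < {mbps} Mbps")
    if profile.max_pps < pps:
        gaps.append(f"level {level} ({name}): packet rate {profile.max_pps} PPS < {pps} PPS")
    if profile.max_tps < tps:
        gaps.append(f"level {level} ({name}): transaction rate {profile.max_tps} TPS < {tps} TPS")
    return gaps


def drs_level(profile: MitigationProfile) -> int:
    """Highest level withstood. Levels are cumulative, so stop at the first failure."""
    achieved = 0
    for num, *_ in DRS_LEVELS:
        if level_gaps(profile, num):
            break
        achieved = num
    return achieved


# Constructed sample: a defence that blocks every vector through Level 3 and most of
# Level 4, tested to 2 Gbps, 6M PPS and 40K TPS.
SAMPLE_PROFILE = MitigationProfile(
    mitigated_vectors=set(required_vectors(3)) | {
        "TCP FIN Flood", "NTP Reflective Flood", "TCP SYN+ACK", "TCP PSH Flood", "TCP ACK Flood"},
    max_mbps=2_000, max_pps=6_000_000, max_tps=40_000)

if __name__ == "__main__":
    achieved = drs_level(SAMPLE_PROFILE)
    print(f"DRS level withstood: {achieved}")
    for gap in level_gaps(SAMPLE_PROFILE, achieved + 1):
        print("  next-level gap:", gap)
```

For the constructed sample the result is Level 3, and the gap list for Level 4 names the one unmitigated vector (DNS Query Flood) and the transaction-rate shortfall, which is exactly the "what will and will not be blocked" detail the page says technical teams need alongside the headline number. Note that the level is driven by the first failure: a defence with 100 Gbps of scrubbing capacity still scores at Level 1 if it cannot handle a UDP flood, because Level 2 already requires it.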


Next Step: How Can You Use the DRS Score?

The DRS Score can be used in several ways, depending on your role:

Organizations should request all relevant stakeholders - vendors, consultants, and internal teams - to provide their recommendations using the DRS standard. This will enable evaluating and comparing DDoS inputs, as well as quantifying decisions and activities over time.

Security consultants can adopt the standard in order to provide better service to end customers by facilitating communications and calibrating expectations.

DDoS pen test service providers that simulate DDoS attacks should follow the DRS standard as a way of guaranteeing that their penetration tests are done in accordance with an objective standard, which can be compared and re-evaluated at any time by other vendors.