A false positive in DDoS mitigation is something every DDoS protection provider has to pay close attention to, and it’s in your best interest to understand what this term means.
What happens during a false positive is a legitimate visitor triggers the protection system, and it responds as if your visitor was part of the DDoS attack. Quite simply, they are blocked from accessing your website. This is not good. Not only can you be potentially losing out on business, but you’ll undoubtedly have some support issues if your current customers are not able to reach your site.
Often times, false positives in DDOS mitigation occur during complex layer 7 attacks–these are the types of DDOS attacks that mimic real human behavior by targeting applications on your server. It’s for this reason that mitigating the attack becomes difficult. In order to provide protection to your website and not turn away visitors, you want to be very selective with choosing a DDOS mitigation company.
The Challenge for DDoS Mitigation
Distributed denial of service (DDoS) typically consist of a large volume of traffic which targets an application or server. Within these requests, there are still legitimate users attempting to access the site. One of the toughest challenges for DDOS mitigation providers is identifying which traffic is legitimate, and then using the proper strategy to stop the attack.
There are two outcomes that can lead to more trouble when mitigating a complex attack (when it comes to false positives/negatives):
- If a legitimate user is flagged as part of the attack, this is referred to as a false positive. If a real visitor is flagged they will be denied access to the site, and will usually see a timeout or warning screen.
- The opposite end of the spectrum is a false negative. This happens when malicious traffic is actually let through because it appears to be legitimate. The concern here is that this may open the door for a stronger cyber attack.
The challenge is distinguishing between the two.
How NOT To Stop False Positives In DDoS Mitigation
There are a few antiquated methods of stopping DDoS attacks that can prove quite ineffective at mitigating more complex attacks. One of those methods is Rate Limiting.
What is Rate Limiting and what should I be aware of?
Rate limiting is involves a static threshold that kicks in once attack traffic reaches a trigger. This can work well for some attacks, but mostly, this form or protection is slow to detect attacks and can lower the user experience for all site visitors. One drawback to this form of DDOS protection is that because it relies on a predefined threshold, any sharp increase in traffic can result in the system blocking visitors. Imagine if you have just kicked off a successful marketing campaign and your site traffic is going through the roof? What if you hit the front page of Reddit?
Obviously you want a more selective way of automating your DDOS protection and mitigation.
Behavior Analysis Is A Far Better Method To Combat DDOS
Behavior analysis has a fancy ring to it, but at its simplest form it is taking historic (baseline) data from your site and using that to compare burst of traffic that may be the result of a cyber attack. The system will analyze your traffic flow and flag any anomalies for further review, ususally passing it for verification to another trigger response or alerting a DDOS mitigation specialist to investigate the traffic patterns closer.
A very good example of why this is an effective method for combating complex DDOS attacks is outlined below:
Let’s say that your organization has prepared a white paper or download that is causing stirs in your industry and getting a lot of buzz. If you have a spike in downloads of this particular item, you can compare it to historical data to see if the rate of download is a result of higher traffic or a cyber attack.
For example, if you normally get 20 – 50 downloads per day of this particular offering–and it spikes to 1000, you may have a problem. In this case, your mitigation provider would usually have trained staff jump in and take a look for themselves to determine if your site is being attacked.