Gartner Blog Network

What the DDoS vendors can learn from the banks

by Avivah Litan  |  April 4, 2013  |  9 Comments

I may be naive and uninformed (I’m not a network security analyst), but it occurs to me that the DDoS vendors need better modeling to distinguish good and bad traffic. It appears that they are rule-based and can’t fend off DDoS attacks they haven’t seen or thought about already and therefore programmed a solution for.

The most appropriate technique here would appear to be to model good network and application access behavior so that aberrational behavior can be more easily spotted, rather than wait for identified ‘bad behavior’ to show up – especially when much of what we are seeing has not yet been identified.

The banks and the DDoS vendors should sharpen their tools so that they can more readily distinguish good from bad access behavior. I realize this is much easier said than done, and the potential for false positives and for keeping good customers out is very high. Still, some great modelers and analytical folks should be able to get the job done. Some banks are very good at behavioral modeling and surely have the expertise to make some of this happen.
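As an added illustration of the contrast drawn above (this is not code from the post or from any vendor), a constructed access log in which a rule matching a known-bad User-Agent finds nothing in a flood that imitates browsers, while a per-path request-rate baseline learned from normal minutes flags it. The paths, addresses, agent strings and the 3-sigma threshold are all assumptions made for the example.

```python
from collections import Counter
from statistics import mean, pstdev

PATHS = ["/", "/login", "/account"]
KNOWN_BAD_AGENTS = {"BadBot/1.0"}            # constructed signature list
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1)"  # looks like any real browser


def make_sample():
    """Constructed records: (minute, client_ip, path, user_agent).
    Minutes 0-5: 20 requests/min from ten clients spread over PATHS.
    Minute 6: 200 requests to /login from 200 distinct clients, all
    sending a normal browser User-Agent, so no signature can match."""
    records = []
    for minute in range(6):
        for i in range(20):
            records.append((minute, f"10.0.0.{i % 10}",
                            PATHS[(i + minute) % 3], BROWSER_UA))
    for i in range(200):
        records.append((6, f"198.51.100.{i}", "/login", BROWSER_UA))
    return records


def signature_hits(records):
    """Rule-based view: minutes with a request from a known-bad agent."""
    return sorted({m for m, _ip, _path, ua in records if ua in KNOWN_BAD_AGENTS})


def per_minute_counts(records):
    """(minute, path) -> number of requests in that minute."""
    return Counter((m, path) for m, _ip, path, _ua in records)


def build_baseline(records, baseline_minutes):
    """Learn normal behaviour: per path, mean and population stdev of requests/min."""
    counts = per_minute_counts(records)
    baseline = {}
    for path in PATHS:
        series = [counts[(m, path)] for m in baseline_minutes]
        baseline[path] = (mean(series), pstdev(series))
    return baseline


def anomalous_minutes(records, baseline, k=3.0):
    """(minute, path) pairs whose count exceeds mean + k*stdev for that path.
    With six baseline minutes no baseline value can exceed mean + 3*pstdev
    (the max z-score is bounded by sqrt(n-1)), so only the flood is flagged."""
    counts = per_minute_counts(records)
    return sorted((m, p) for (m, p), n in counts.items()
                  if n > baseline[p][0] + k * baseline[p][1])
```

The same baseline would also be exceeded by a legitimate flash crowd, which is the false-positive risk the post acknowledges; in practice the score is combined with further features (distinct clients, session age, error ratio) before anything is blocked.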


Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

Thoughts on What the DDoS vendors can learn from the banks

  1. Very true. Website security vendors who will not implement behavioral modeling algorithms into their products will be left behind and rendered obsolete. For over 25 years now, the same old signature-based detection paradigm vastly rules the majority of the cyber security market. Quoth Darwin:
    “It is not the strongest of the species that survives, nor the most intelligent, but rather the one most adaptable to change.”

  2. Terry Mackenzie says:

    I work for one of the major banks (Terry’s not my real name obviously) and we use a DDoS scrubber.

    Honestly, these guys are so far behind in terms of what they are doing it is really hurting our business.

    We’ve accepted that DDoS has become a way of life, with the attackers becoming more creative in the way they attack our sites. DNS floods, attacks over SSL and at SSL (SSL re-negotiate), the list goes on.

    There is one cloud security vendor whose background is being the world’s largest CDN. Now their architecture and approach gives me hope that there is a solution there. Reality is one vendor doesn’t make a market, but what they have with 100K+ servers on the internet just makes their scale unmatched when coupled with the behavioural modelling you talk about (which from what I understand they do).


  3. Avivah Litan says:

    Hybrid Security and Terry:

    Thanks for the insights and confirmations on this area. It’s always so beneficial to hear from folks like you to confirm and to collaborate. I’m interested in the name of the cloud security vendor that has the interesting approach – if you want to email it to me at


  4. dingo8mybaby says:

    If only DDoS mitigation was as simple as distinguishing between good and bad traffic; it’s the ability to mask ‘bad traffic’ and blend it into the normal traffic that makes filtering it out a challenge. Rule-based filtering is entirely appropriate for simplistic bulk attacks, but talking to any of the major mitigation companies you’ll soon learn that this is the first of their mitigation process steps.
    Yes, you can extensively model behaviour, but that costs money and takes time, and companies will not pay the expense of that class of service; additionally most are clueless about their network baselines.
    This service should come from network providers who obviously have extensive access to your network data; however, the services offered by the T1 to T3 network vendors vary from non-existent/rudimentary to almost amateurish and all too often include very basic measures like black holing.
    Some web enterprise tools have excellent risk management engines, and yet for >90% of web service/web infrastructure components these features are absent or simply lacking; it’s this immaturity that makes these services so totally vulnerable.

  5. Avivah Litan says:

    Thanks for the excellent observations. Makes a lot of sense.

  6. There are basically 2 ways to defend against DDOS attacks. You have cloud Anti-DDOS providers and on-premise DDOS providers.

    The Cloud Anti-DDOS solutions are great for the large-scale attacks that banks have been experiencing. They are great for network-based attacks, but more than 80% of the attacks are now application layer (7) attacks and they are not stopping them.

    The on-premise device can block these types of application attacks. You really need a solution that will block this unwanted traffic before it hits your firewall. The drawback of an on-premise device is they can’t help if your internet pipe is full.

    We recommend that you have both solutions to stop the new cyber-attacks since each solution can complement the other.

  7. Protection in the Cloud - Protection is enabled in tw telecom’s network and away from the customer’s network. To enable protection against an attack, tw telecom only requires the customer to verify that an attack is occurring. Once verified, tw telecom will do all the work to redirect the customer’s traffic to the scrubbing platform to begin filtering out the attack, while legitimate traffic continues to flow. The process is seamless and transparent to customers.

    The existing DDoS Mitigation service only defends against a subset of DoS attacks, and does so using coarse action – that is, by implementing ACLs (access control lists) on the peering routers to block the attack traffic. A subset of DoS attacks can be mitigated based on this methodology. With some DoS attacks, DDoS Mitigation would have the unintended consequence of blocking good traffic along with the bad.

    DDoS Scrubbing fills in the gaps DDoS Mitigation has, and is able to protect against all types of DoS attacks. The main difference in capability DDoS Scrubbing provides is that it inspects the customer’s network traffic, has full context of its behavior and can identify anomalies that are symptomatic of a DoS attack based on deep traffic inspection. Another significant difference is that it can defend against attacks that target the systems that support a customer’s web presence, such as a web server.

  8. Jack Shasha says:

    In DDOS attacks there are large amounts of traffic, way beyond normal. There should be some pattern that can be identified and filtered. That is what we should be working on. I think the problem is that DDOS hits everybody and no one organization wants to take responsibility.

  9. As someone who mitigates attacks on a daily basis, I think what is lost on most people is that DDoS attacks are more sophisticated than one realizes. Sure anyone can easily block a Layer 3/4 bandwidth attack, but a complex Layer 7 attack is another beast in itself.

    Most behavioral models would let an attack through quite easily because that’s the point of it right? Emulate legitimate traffic. Even the most advanced program would take time to determine what is legitimate and what is not. It isn’t hard for an offender to take a snapshot of legitimate traffic and duplicate it. Because of that, there are a number of factors that have to be considered before blocking so that legitimate users aren’t caught in the crossfire.

    And while CDNs have more scalability all that means is that they absorb the attack and that’s not really fighting it.
