This is best answered by the examples below…
For example, a customer signs up with us and has attacks of up to 40k PPS or so. Very small, right? Likely, the customer is being attacked by an attacker who is running DDoS attacks as a business. As a business, that attacker is only using the resources required to impact you. Once protection brings the site up, the attacks normally increase. Sometimes the increase is only a few thousand PPS, but it could increase exponentially by manipulating the attack pattern or simply throwing more resources at you.
1) We hear horror stories of customers going to provider ‘x’ and the attack being reported, for example, at 2Gbps.
2) That person changes providers because they don’t want to pay for the upgrade, they are unhappy, etc.
3) They are set up with the new provider and now the impact is gone! *poof*
4) The customer raves about how wonderful the new provider is, and the provider states they are filtering the attack. (Yet they may only be seeing 5% of what the attack was before.)
5) All is well…. A month passes…. Now this provider is reporting 2Gbps and their site is down because they purchased 1Gbps of protection. This worked last month! Why does it not work now!?
We have done trials for customers and continued to receive their attack for weeks after their domain was moved from our IP. I’m sure they found another provider who was cheaper and *appeared* to be doing everything they stated and we were simply trying to pull the covers over their eyes.
There are far too many variables in the mitigation market to simply provide a guaranteed outcome if the customer isn’t willing to:
1) Stick it out and let the mitigation do its job. For example:
– A burst hits and the customer begins thinking the mitigation isn’t working! Yet, they are seeing less than 1% of what the burst is; however, to them it’s the end of the world. The company isn’t doing its job, so they change DNS instead of allowing a few minutes for things to settle and detection to accurately block the fresh attack or pattern change.
— The DNS change severely disrupts traffic flow and attack output or input to the mitigation provider. This, in turn, lowers the overall incoming attack but makes it unstable, and now the profile for the attack has changed by 50% or more. Therefore, the original thresholds put in place to prevent the attack are no longer low enough to be hit, because the attack just dropped 50% below the threshold.
— This requires the provider to either manually lower those thresholds to compensate for the drop or wait for the mitigation to do this automatically. Changes in this form, manual intervention, can cause severe disruptions in the efficiency of mitigation overall.
Now, DNS is just one factor, and I used it as an example because it is the most typical. However, you have to trust the provider and believe in what they’re doing. If you cannot trust your provider and cannot allow them time to do their job, then the purpose of mitigation is wasted. The same goes for any change or modification: caching, database changes, site layout, etc. Some of the simplest modifications can greatly increase efficiency or greatly reduce overall efficiency.
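The threshold problem described in the post (a threshold tuned against the original attack volume stops firing once a DNS move halves the rate the provider sees) is easy to reproduce. The Python below is an added illustration, not code from the post or from any mitigation provider's product. The per-minute PPS samples, the 5k PPS clean baseline, the 30k PPS static threshold and the 3x adaptive factor are all constructed assumptions chosen to match the numbers in the post; a real detector would work on flow telemetry, not a hand-written list.

```python
"""Static vs. baseline-relative PPS thresholds across a DNS move (added example).

Scenario (constructed, not real measurements):
  minutes 0-4   normal traffic, ~5k PPS
  minutes 5-9   ~40k PPS attack while the old provider's IP is still in DNS
  minutes 10-14 after the DNS change only ~50% of the attack (unstable,
                 18k-22k PPS) arrives at the new provider
"""

# Assumed tuning values (hypothetical, see lead-in).
STATIC_THRESHOLD_PPS = 30_000   # set by hand against the original 40k PPS attack
ADAPTIVE_FACTOR = 3.0           # flag when traffic exceeds 3x the learned baseline

# Constructed per-minute packet rates (index = minute).
SAMPLES = [
    5_200, 4_900, 5_100, 5_000, 5_300,            # clean
    40_000, 41_500, 39_800, 42_000, 40_300,       # attack, pre-DNS change
    22_000, 18_500, 20_100, 17_900, 21_400,       # attack, post-DNS change
]
ATTACK_MINUTES = range(5, 15)


def static_detector(samples, threshold=STATIC_THRESHOLD_PPS):
    """Absolute threshold: True for every minute above `threshold` PPS."""
    return [pps > threshold for pps in samples]


def adaptive_detector(samples, factor=ADAPTIVE_FACTOR, alpha=0.3):
    """Baseline-relative threshold.

    Keeps an exponentially weighted moving average (EWMA) of *clean* traffic
    and flags any minute above factor * baseline. Minutes already judged to
    be attack traffic are not fed back into the EWMA, so the attack cannot
    drag the baseline up and hide itself.
    """
    baseline = None
    flags = []
    for pps in samples:
        if baseline is None:            # first sample seeds the baseline
            baseline = float(pps)
            flags.append(False)
            continue
        if pps > factor * baseline:
            flags.append(True)          # attack minute: do not learn from it
        else:
            flags.append(False)
            baseline = alpha * pps + (1.0 - alpha) * baseline
    return flags


def missed_minutes(flags, attack_minutes=ATTACK_MINUTES):
    """Attack minutes a detector failed to flag."""
    return [m for m in attack_minutes if not flags[m]]


if __name__ == "__main__":
    static = static_detector(SAMPLES)
    adaptive = adaptive_detector(SAMPLES)
    print("static  missed minutes:", missed_minutes(static))    # post-DNS minutes 10-14
    print("adaptive missed minutes:", missed_minutes(adaptive))  # none
```

Two caveats worth keeping in mind when reading the result. First, the adaptive detector only stays honest because attack minutes are excluded from the EWMA; if the attacker ramps up slowly enough to stay under the factor, each step gets learned as "normal" and the baseline drifts upward, which is one reason providers also watch the traffic profile (packet sizes, protocols, source distribution) rather than a single rate. Second, the EWMA needs a few clean samples to settle before its threshold is meaningful, which is exactly the "allow a few minutes" the post asks for; changing DNS during that window resets the picture the detector is building.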