6 Must-Have Metrics in Your DDoS Defense SLA

Your Service Level Agreement (SLA) is a crucial component of DDoS defenses. It is your contractual guarantee outlining what your DDoS mitigation provider will deliver and their obligation to remedy in case they do not meet those guarantees.

Many vendors make expansive marketing claims about mitigation capabilities, but when it comes to making contractual commitments to l performance, the claims vaporize into thin air. It is fair to say that your DDoS protection is only as good as your SLA.

Use these six questions to evaluate how good your DDoS protection is. Each SLA metric has a specific technical benchmark and defined business purpose. Not having one (or more) of these KPIs in your SLA document should cast doubt on your vendor’s confidence in their own service, and ultimately the vendors’ ability to protect your organization against DDoS attacks.

Ask these six questions of your DDoS mitigation provider:

How Soon Can You Detect Attacks?

The first step in stopping a DDoS attack is recognizing that an attack is taking place. Many vendors will make bold claims on mitigation time, but the question is mitigation from when? The sooner an attack can be identified the sooner that attack can be migitated. With a Time-to-Detect SLA, your DDoS mitigation vendor commits to how quickly they will detect an attack. Not including the Time-to-Detect leaves you exposed to the possibility that a DDoS attack could be well under way before its noticed.

How Quickly Will You Let Me Know?

When something bad happens, you want to be the first to know about it. The Time to Alert SLA is crucial for ensuring that you’re notified immediately if under attack. Failure to include this metric means that your mitigation provider does not commit to immediate notification of an attack, and puts the burden on you, your customers, or worse – your boss – to find out on their own.

How Swiftly Will You Divert?

For on-demand DDoS protection deployments, the time it takes the system to initiate diversion is a crucial step to quick mitigation. Any delay in diversion can result in needless downtime. The Time to Divert SLA commits to how fast your mitigation provider will initiate diversion once an attack has been detected. Not having this metric in your SLA likely means that the DDoS mitigation provider lacks the technology or processes to ensure fast diversion, leaving you exposed for longer periods.

How Fast Will You Stop The Attack?

Once an attack has been detected and diverted to a DDoS mitigation provider, the next question is how fast will it take to mitigate the attack The Time-to-Mitigate metric measures the speed with which DDoS mitigation vendors mitigate different types of attacks, based on attack characteristics. Although most providers provide this commitment, there are still many that do not. This is a key metric, and unwillingness to commit to mitigation time should cast serious doubt on their ability to stop attacks.

How Do You Measure Quality of Protection?

Shakespeare said that “a rose, by any other name, would smell just as sweet.” Sadly, the same is not true when it comes to DDoS protection. Apart from the time it takes to mitigate an attack, a key consideration is the quality of mitigation. The Consistency of Mitigation metric provides a baseline to calculate the effectiveness of mitigation, and how much bad traffic is allowed through. A high-level mitigation threshold will only allow less than 5% of attack traffic to go through. Not including a Consistency of Mitigation commitment in your SLA effectively renders Time-to-Mitigate commitments meaningless because vendors can pass almost anything for ‘mitigation’ and claim to meet mitigation SLAs.

How Reliable is Your Service?

Finally, when under attack, you want to be sure that your mitigation service will be available to take over. The Service Availability metric defines uptime requirements for service, and how much downtime will be tolerated on an annual basis. A high-quality service will commit to at-least 99.999% of uptime, which means only about 5 minutes of allowed downtime throughout the year. If your SLA does not include a Service Reliability commitment, that should make you wonder whether it will be there in a time of need.

These six performance indicators are crucial to guarantee the effectiveness of your DDoS protection. These metrics should be outlined in clear, straightforward terms inside your SLA document. If you don’t see them – ask your vendor about how those guarantees are provided and what they commit to. And if you don’t like their answers, perhaps you should look at alternatives.

Nikhil Taneja
Managing Director-India, SAARC & Middle East, Radware