Cyber Insurance: What is a DDoS attack and how to mitigate it?

I don’t know how often I had to answer the question what a DDoS attack is. Yet one of the most prominent questions was when I was confronted by an insurance company offering cyber insurance products.

Together with a friend I run a cyber insurance brokerage. Obviously, the clients have to be signed by the insurance company. The products most of the companies have are crap.

And if they are not, their underwriting policies are… well, worth getting used to.

A client of mine operates a rather large e-business, particularly an e-commerce shop.

Like pretty much all of the e-commerce sites, this one was also concerned about the safety of their site, and wanted insurance if they got taken down.

We did my famous analysis of their operation and ruled out most of the obvious risks.

This would give me an easier stance trying to pitch it to the insurance company.

None the less, the first thing the genius underwriter tells me with a frown on his face is that the risk is not coverable because it’s an e-commerce operation relying too heavily on the income from the website.

His main argument, however, was that the risk of a DDoS attack was too big, before resting his case, and trying to send me off.

I asked him if he was even aware of what a DDoS attack was, upon which a large discussion erupted which was mainly focussed on me having crushed his ego.

However, it was fruitful from the angle that I was able to find a “noob” explanation to the issue, which I outlined by explaining to him that it was like a million people trying to exit an aircraft after it had landed, and all of them had to fit through the door. (very short version).

Against all odds, he understood what I was trying to convey to him; yet now came the bigger problem… explaining the solution fo fighting off a DDoS attack.

You see, probably one of the most easiest things to do is to put a content distribution network Infront of your operation. A CDN will take malicious traffic and deal with it differently than with legit traffic coming to a site.

So: bye bye DDoS attacks.

I told him the we could make this a prerequisite for the client to receive insurance coverage… yet the discussion was and burned.