OK, tell me how DDoS protection even can be secret.
Do you have a cyber security background that I’m unaware of? It seems like you have strong feelings about the field, but this is more of a non sequitur than anything else.
In any security system, you need to make a strong distinction between information which can and should be secret, and information which can’t or shouldn’t. If I tell you that I’m transmitting a message using RSA encryption, then I’m giving away nothing. If I tell you what private key I’m using to encrypt my message, then you’ll eventually figure out what encryption method I’m using that key with.
Security by obscurity is an especially bad idea in cybersecurity, because for any given cybersecurity task, there are a very small number of good solutions, and a very large number of terrible solutions, and the small number of good solutions are all well-known. So if you make an effort to avoid the well-known solutions, you’re likely to end up with a terrible solution.
I specifically noted that security by obscurity is insufficient. I disagree that you need to (or should) tell others what your protection is. For example, a shopping website might disclose their vendor (McAfee or Norton say) to assure customers their data is protected. They don’t tell customers exactly how that works.
That’s certainly one way to operate, but I’d disagree – McAfee should disclose exactly how it works, because then security flaws in their methods can be identified and fixed by white hats before exploits are developed. This is the entire concept behind open source software. Most of the internet’s security apparatus is open source so, yes, everyone knows exactly how it works. See the Heartbleed bug from a few years back for an example how removing all obscurity makes things more secure.
Obviously there are differing opinions, and some companies prefer proprietary, secret security code. But even right here, the SDMB is run on vBulletin, which isn’t open source but the code is published so anyone can find security flaws.
eta: In reference to Heartbleed, we see one of the limited cases where secrecy is important. That is, knowledge of the vulnerability was kept secret by a select few individuals until a patch was ready. That’s good security, so there is a place for secrecy.
The SDMB IP address tells you a lot. You can infer security by knowing the ISP.
This. Not revealing what your vulnerabilities are is not worse than revealing them, so all else being equal, why say what your security is?
I could understand it if a billion dollar company with millions of peoples personal information were at stake. Then the million people could collectively criticize the security and move it toward rock solidness, and you may as well tell everyone what your security is because the organized criminals trying to hack in will find out anyway.
This is the opposite of that. There isn’t enough money and users in the Dope for crowdsourced security, and I’m not sure if there is enough money in it for criminals to try to find out what the security is, whereas if it were given on a golden platter they might try it for the lulz or for practice.
Impossible, in this case, showing that security through obscurity is utterly irrelevant to DDoS protection.
I really wish the people who didn’t know what they were talking about would stay out of these threads.
I have no idea what you think DDoS protection is or why you think its presence or implementation would or should be obvious to anyone who isn’t involved in network security at the company prior to the time it’s needed. I’m done engaging with you on this.
Moderator Action
Since this is getting a bit snippy, and the OP has been answered about as well as it can be under the circumstances, I am going to close this.