This article was written and contributed by Netscout. 

What is the best protection for my business?

If you are asking this question, you likely already know that the frequency of DDoS attacks is on the rise, or you may have already fallen victim to one. Just as web-based services have become critical to your business, bad actors have developed more sophisticated attack strategies to threaten their availability. You really have three options: a cloud-based service, on-premises protection, or a layered, hybrid approach combining the two.

Cloud-based mitigation services 

CDN vendors who offer DDoS protection do so under the promise of convenience. Use their Always-On service with automated detection and your DDoS problems will be solved. That sounds great until you understand the consequences. 

  • Degraded User Experience

In Always-On DDoS mitigation services, traffic must be permanently diverted through the cloud mitigation provider's network, whether an attack is present or not. This diversion can degrade the user experience through increased latency.

  • Limited Protocols 

Many CDN service providers use reverse proxies to receive suspect traffic, so protection is generally limited to HTTP or HTTPS (SSL) protocols. Yet modern DDoS attacks can take many forms, shifting attack vectors to non-HTTP protocols and potentially overwhelming individual proxy nodes, leading to partial outages.

  • On-Going Vulnerability 

A proxy server must continue to reach the targeted service to retrieve content and supply user data. This means the targeted service is still on the internet and vulnerable: if attackers discover its true address, they can bypass the cloud mitigation provider's network completely.

  • Premium Cost 

Always-On mitigation services must build into their price the cost of mitigating every DDoS attack, no matter how small. Their service price necessarily presumes each customer will be attacked frequently, leading to high monthly or annual fees and, overall, a poor total cost of ownership (TCO) for the customer.

CDN-based DDoS services certainly promise convenience, but at what cost?

On-premises mitigation systems

Many firewall vendors are now offering DDoS protection. What customers are getting is nothing more than a false sense of security. While firewalls do stop some DDoS attacks – they are not capable of stopping all types of attacks, and they often become the targets of attacks themselves. They are effective tools for addressing network integrity and confidentiality, but for DDoS protection they provide a false sense of security, because they fail to address the fundamental concern regarding DDoS attacks – network availability.

According to Arbor's 13th Annual Worldwide Infrastructure Security Report: 

  • More than half of Enterprise, Government and Education (EGE) respondents had a firewall or IPS device experience a failure or contribute to an outage during an attack, similar to last year.
  • Firewalls, load balancers, and CDNs all tied for last place in effectiveness at mitigating DDoS attacks.
  • For those that could quantify their downtime, 38 percent reported the cost at $501 to $1,000 per minute, up significantly from 23 percent in the previous year.

It's clear that relying on firewalls alone can prove to be extremely costly. 

DDoS is a complex, dynamic attack type, and it requires a purpose-built solution. Intelligent DDoS Mitigation Systems (IDMS) provide greater protection, faster mitigation, and more control.

The fact is eighty percent of DDoS attacks are less than 1Gbps, and these can be mitigated faster, many times automatically, via an on-premises IDMS. IDMS can be multi-protocol, meaning they can detect and mitigate whatever attackers throw at the targeted service. Being part of the host network means IDMS can surgically remove attack traffic at the lowest level before the attack traffic penetrates and impacts any other network component. 

Since most attacks can be managed on-premises, the one-time cost of IDMS extends value over many DDoS events, and into the future. Depending upon the degree of intelligence and automation – and the nature of your business – the TCO for IDMS can be less than cloud-based mitigation, certainly less than CDN-based Always-On cloud services. Also, keeping traffic out of a third-party network and solely connected to the internet (unlike a CDN) preserves the ideal traffic paths for optimal user experience for all the times a service is not under attack.

So what does a hybrid approach add?  

Of course, it is volumetric attacks that have grabbed the headlines (think Mirai). According to respondents of Arbor's 13th Annual Worldwide Infrastructure Security Report, the largest attack in 2017 was 600 Gbps. Multi-hundred Gbps attacks have become commonplace. Once attackers started exploiting IoT devices in earnest, experts predicted that attacks north of 1Tbps were not far away. The experts were correct. In March 2018 there was a recorded 1.7Tbps Memcached DDoS attack. Industry best practice today requires both on-premises IDMS and cloud-based mitigation. Effective DDoS defense is no longer an either-or question. Leading enterprises are getting the message; thirty-eight percent of respondents to Arbor's 13th Annual Worldwide Infrastructure Security Report survey indicated a layered, hybrid approach to DDoS mitigation was the fastest growing strategy, increasing 30% over the past year.

Having this multi-layer approach is the right architecture, but tight integration between on-premises solutions and cloud services is the key. When a DDoS attack does saturate the in-bound internet circuit, the on-premises technology should automatically signal the cloud component to temporarily divert traffic to one or more scrubbing facilities. This scrubbing can filter out terabits of attack traffic before securely delivering clean traffic to the target network. This kind of integration must be fast, leveraging the cloud for high-volume attacks and removing the ability for attack traffic to overwhelm on-premises defenses.
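The signaling decision described above can be sketched in a few lines. This is an added example, not Netscout or Arbor code: the class name, the 85% and 50% thresholds, the three-sample sustain window and the traffic samples are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class CloudSignaler:
    """On-premises logic deciding when to ask the cloud service to divert traffic."""
    link_capacity_bps: float
    divert_ratio: float = 0.85    # assumed: signal once the circuit is >= 85% full
    release_ratio: float = 0.50   # assumed: return once offered load is <= 50%
    sustain_samples: int = 3      # assumed: consecutive samples required to act
    diverted: bool = False
    streak: int = 0
    events: list = field(default_factory=list)

    def observe(self, t, offered_bps):
        """Feed one measurement; return which layer is mitigating afterwards.

        offered_bps is read at the inbound circuit while traffic flows
        directly, and reported by the scrubbing service while diverted.
        """
        util = offered_bps / self.link_capacity_bps
        crossing = (util <= self.release_ratio) if self.diverted \
            else (util >= self.divert_ratio)
        self.streak = self.streak + 1 if crossing else 0
        if self.streak >= self.sustain_samples:
            self.diverted = not self.diverted
            self.streak = 0
            self.events.append((t, "DIVERT" if self.diverted else "RELEASE"))
        return "cloud" if self.diverted else "on-premises"

# Constructed samples (seconds, bits per second) for a 1 Gbps circuit.
SAMPLES = [
    (0, 0.2e9), (1, 0.9e9), (2, 0.4e9),    # short spike, stays on-premises
    (3, 0.95e9), (4, 1.0e9), (5, 1.0e9),   # sustained saturation
    (6, 40e9), (7, 12e9),                  # volume seen by the scrubbing service
    (8, 0.4e9), (9, 0.3e9), (10, 0.3e9),   # attack subsides
]

def run(samples, capacity_bps=1e9):
    signaler = CloudSignaler(link_capacity_bps=capacity_bps)
    paths = [signaler.observe(t, bps) for t, bps in samples]
    return paths, signaler.events

if __name__ == "__main__":
    paths, events = run(SAMPLES)
    print(events)
```

The gap between the divert and release thresholds, together with the sustain window, keeps a brief spike on-premises and prevents the route from flapping between the two layers while an attack ramps up or down.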

Understanding that most DDoS attacks can be mitigated by IDMS technology on-premises, a well-integrated cloud component should be considered insurance, not the first line of defense.