By Eyal Arazi December 30, 2020
As we near the end of the year, we can see that in retrospect, 2020 was a record breaker for DDoS. Just during the past 12 months, we witnessed the largest DDoS attack known to date, a global ransom DDoS campaign against financial services, large-scale attacks on gaming services, and – lest we forget COVID – how the coronavirus crisis was exploited by malicious actors.
This rise in both attack size and sophistication has naturally brought about an increase in interest in DDoS protection solutions, as organization seek to protect themselves against this threat.
However, as businesses begin to weigh their options for DDoS protection, many of them quickly realize that DDoS protection can come in a variety of formats, and they must consider which deployment type is best for them: On-Demand cloud service, Always-On cloud service, on-prem appliance, or Hybrid protection?
And the answer, in a nutshell, is that it depends…
It’s very important to realize that there is no such thing as the “best” type of DDoS protection. Rather, different deployment options have different merits and drawbacks, and as a result, are best-suited for different business use cases.
Thus, is becomes a question not of “what is the ‘best’ type of DDoS protection?”, but of “which deployment options are best suited for your needs?”
Traditionally, DDoS protection relied on hardware appliances deployed at the customer’s data centers. Hardware appliances frequently provided advanced protection, low latency, and granular control by network admins.
However, its capacity was constrained by limits of the hardware appliance, or the traffic pipe leading into it. These limits made hardware appliances susceptible to large volumetric attacks which saturated the organization’s traffic pipe. In addition, they required additional management overhead by the organization, large upfront investment (CAPEX) to purchase, and dedicated staff to operate them.
Therefore, standalone hardware appliances are most suited today either for large organizations or service providers who are creating their own mitigation scrubbing centers (usually with multiple such devices), or for organizations that are prevented by national or industry regulations from using cloud security services.
Due to the capacity constraints of hardware appliances, many organizations began looking to cloud-based scrubbing services for a solution. Compared to standalone hardware appliances, cloud scrubbing services offer massive capacity – usually measured in terabits – as well as lower management overhead and more flexible pay-as-you go, subscription-based (OPEX) costs. However, cloud services are more limited in the types of attacks they can protect against, due to the fact that they usually have visibility only to ingress traffic.
The first type of cloud-based DDoS protection is the on-demand service. On-demand service – as its name implies – is activated only once an attack is detected. During peacetime, on a routine basis, traffic flows directly to the customer’s network. Only once an attack is detected is traffic diverted to the cloud scrubbing center, where traffic is ‘scrubbed’ for malicious traffic and only ‘clean’ traffic is sent back to the customer location.
The advantages of the on-demand approach is that since traffic flows on a routine basis directly to the customer location, it does not add any latency during peacetime. On-demand services usually have little operational overhead and do not require day-to-day management or maintenance. In addition, they are usually the cheaper than other deployment types.
The drawbacks of the on-demand cloud service, however, is that attack detection is usually based only on volumetric detection (based on netflow traffic rates), and that traffic diversion – once it takes place – requires a certain window of time (usually a few minutes) until diversion is complete, and the customer will remain vulnerable during this ‘diversion gap’.
Therefore, an on-demand protection is usually best for organizations that are infrequently attacked but want some form of ‘insurance’ in case of attack, with assets that are non-mission-critical and do not mind the ‘diversion gap’ window, as well as for cost-conscious organizations.
An alternative to on-demand protection is an always-on cloud service. Under the always-on model, traffic is routed on a constant basis through a cloud scrubbing center, where it is inspected for DDoS traffic.
The advantages of the always-on model is that it eliminates the need for diversion when there is an attack and provides 24/7 protection. It also allows for more granular detection of attacks, including detection of non-volumetric attacks.
However, it is usually more expensive than an on-demand service, and may add some minor latency to customer communications.
As a result, it is best suited for organizations which frequently come under attack, as well as applications that are not latency sensitive.
The hybrid protection model combines both an on-premise appliance together with a cloud service. This allows protected organizations to enjoy both the advanced capabilities of hardware appliances, along with the massive capacity of a cloud service. As a result, customers can defend against both large and sophisticated attacks, and level multi-layered protection so that if an attack is able to get around the cloud defenses, it will be mitigated by the appliance. However, a hybrid solution is usually more expensive, since it combines both an appliance and a cloud service.
As a result, hybrid protection is usually best for large organizations with mission-critical applications which cannot afford any downtime, particularly in verticals such as banking, ecommerce, or SaaS.
Ultimately, there is no ‘right’ or ‘wrong’ when it comes to choosing a DDoS protection solution. Rather, it depends on what are your needs, constraints and threat profile. Ask yourself which model makes the most sense for you, and also don’t be afraid to mix-and-match protection options for different assets, to create a solution which is specifically tailored to you.