A hybrid approach – rewriting the rules for DDoS defense

DDoS attacks are increasing in frequency
DDoS attacks are increasing in frequency

The dilemma facing many organizations, when it comes to implementing an effective DDoS defense strategy, is whether to deploy on-premises DDoS appliances or subscribe to a cloud-based anti-DDoS provider.

These decisions are not taken lightly, as the DDoS threat landscape is wide ranging – beginning with well-recognized brute-force volumetric attacks, designed to saturate your Internet pipe and disrupt services and infrastructure operations, and extending to application layer attacks that are ‘low and slow’— more difficult to detect.

Regardless of the size or complexity of the attack, the downtime associated with a DDoS event can result in significant revenue losses with some estimates reaching hundreds of thousands of dollars per incident. This doesn’t include aftermath; backpedaling to determine what breaches may have occurred during the event, and how to manage damage control with customers.

Cloud anti-DDoS solution

Massive volumetric attacks occur when an attacker sends significantly more traffic than the total bandwidth of a network link. These link saturation attacks are widely publicized and most commonly associated with DDoS because they are the most obvious and glaring examples of an increasingly nuanced attack vector.

With an on-demand Cloud DDoS defense service that sits out-of-band, human intervention plays a key factor. When an attack is detected, a human security analyst must make the decision to enable the cut-over to the Cloud anti-DDoS provider. The average time between detection and mitigation of an attack ranges to upwards of one hour. Alternatively, the majority of volumetric, high bandwidth consuming attacks last 30 minutes or less; by the time your on-demand defenses are in place, the attack has subsided and the damage is done.

Additionally, with out-of-band Cloud anti-DDoS solutions, visibility into the attack and corresponding analytics begins only after the traffic has been re-routed to the scrubbing service, allowing for very little insight into the security event.

Some businesses that frequently experience large-scale volumetric attacks subscribe to an always-on anti-DDoS cloud solution service. The costs associated with this approach can range into the hundreds of thousands of dollars.

On-premises real-time defense

Purpose-built DDoS defense solutions are appliance-based network security products deployed between the Internet and the enterprise network. A first line of defense approach prevents network and service outages due to DDoS attacks by inspecting traffic at line-rate and blocking attacks in real time, while allowing the good traffic to flow uninterrupted. On-premises DDoS defense enables complete and sophisticated visibility for actionable security intelligence related to DDoS attacks and other cyber threats targeting Internet-facing services.

Given the nature of the deployment, precise enforcement of mitigation policies against attack traffic must be accomplished without incurring false positives, with line-rate performance and maximum security efficacy. On-premises technology is designed to handle volumetric network-based DDoS attacks or floods, reflective and amplified spoof attacks, like DNS and NTP attacks, as well as application layer attacks that are nearly impossible to detect with out-of-band DDoS mitigation solutions.

A possible silver bullet – the hybrid approach

As reported by the SANS Institute in early 2014, “DDoS mitigation solutions integrating on-premises equipment and ISP and/or mitigation architectures are nearly four times more prevalent than on-premises or services-only solutions. The growing sophistication of DDoS attacks and the sensitive nature of potential disruption to business services require both local and upstream protections that work in sync.”

Businesses that have engaged with their on-demand provider for back up in the event of a massive volumetric attack can initiate that service in a timelier manner, based on the attack visibility provided by the on-premises solution. Another key benefit of a hybrid approach is that the on-premises device dramatically reduces the frequency in which an organization needs to switchover to cloud-based mitigation, lowering the costs associated with those switchovers and providing always on protection against all forms of DDoS attacks.

This new tactic in the fight against DDoS gives organizations the best of both worlds, by combining the resiliency and scale of cloud-based solutions with the real-time protection, sophisticated visibility, and the granular traffic inspection of on-premises solutions. The hybrid approach is a true first line of defense against the evolving DDoS threat landscape.

  • Dave Larson is CTO and VP of Product at Corero