The dilemma for organizations when implementing an effective DDoS defense is whether to deploy on-premises DDoS protection or subscribe to a cloud-based provider. These decisions are not taken lightly, as the threat landscape is wide ranging and increasingly sophisticated.
Organizations outlining their DDoS defense strategy typically begin by looking to out-of-band defenses and anti-DDoS scrubbing-lane approaches for re-routing traffic once an attack has been identified. This approach is a good first step for DDoS prevention; however, it’s only the tip of the iceberg. The recommendation from industry analysts is to execute a two-pronged approach, to include in-line, real time detection and attack mitigation as the primary means for DDoS defense, and cloud anti-DDoS for full pipe saturation attacks.
Here’s why: partial saturation attacks are becoming more commonplace. These DDoS attacks are large (relatively speaking), but only last for a short period of time, and they do not fully saturate the internet link. While these attacks can be devastating to unprotected downstream border defenses, hosted customers or internet-facing services, the motive is most often financial gain or stealing sensitive data. Additionally, these partial saturation events are not long enough in duration for attacks to be detected and re-routed quickly enough for cloud-based DDoS mitigation solutions to provide much, if any benefit.
When assessing DDoS defense strategies, the solutions aren’t like-for-like comparisons. However, there is a suggested approach to protect against the entire spectrum: hybrid on-premise and cloud DDoS mitigation. Let’s look at each of the components.
Cloud Anti-DDoS Solution
DDoS protection, provisioned as a service, is most often an on-demand option for large-scale attacks. Massive volumetric attacks occur when more traffic than the total bandwidth of a network link is sent, which no amount of hardware resources will effectively combat.
Human intervention is critical to an on-demand defense approach – once detected an analyst must then decide to enable the transition to the cloud. In a recent study nearly 50% cited customer complaints as their initial means of DDoS notification. The time from detection to mitigation could range to upwards of one hour with this approach. However, the majority of volumetric attacks last 30 minutes or less. By the time your on-demand defenses are engaged the damage is done.
With out-of-band cloud anti-DDoS, visibility and analysis begin only after the traffic has been re-routed to the scrubbing service, allowing for little if any insight into the attack, eliminating all analysis capabilities.
Some businesses that frequently experience these attacks subscribe to an always-on anti-DDoS cloud solution service. The costs associated with this are substantial. If frequent, massive volumetric DDoS attacks are the Achilles’ heel of your organization, it’s hard to put a price on uninterrupted service availability.
"If frequent, massive volumetric DDoS attacks are the Achilles’ heel of your organization"
On-Premises Real-Time Defense
Purpose-built DDoS defense solutions are deployed between the internet and the enterprise network. A first-line-of-defense approach prevents outages by inspecting traffic at line-rate and blocking attacks in real time while allowing approved traffic to flow. On-premises, real-time defence enables complete and sophisticated visibility into DDoS security events when deployed at the network edge. Additionally, archived security event data will enable forensic analysis of past threats and compliance reporting of security activity, acting as a strong advantage against attackers when DDoS is utilized as a distraction.
Given its nature, precise enforcement of mitigation policies against attack traffic must be accomplished without incurring false positives, with line-rate performance and maximum security efficacy. On-premises technology is designed to handle volumetric network-based attacks, reflective and amplified spoof attacks as well as application layer attacks.
A Possible Silver Bullet – The Hybrid Approach
In 2014 the SANS Institute reported: “DDoS mitigation solutions integrating on-premises equipment and ISP and/or mitigation architectures are nearly four times more prevalent than on-premises or services-only solutions. The growing sophistication of DDoS attacks and the sensitive nature of potential disruption to business services require both local and upstream protections that work in sync.”
The concept of on-demand cloud defense for a pipe saturation attack coupled with always on, on-premises defense provides protection against the whole spectrum. Businesses that engage with their on-demand DDoS mitigation provider can quickly initiate that service based on visibility in the event of a massive volumetric attack. The main benefit of a hybrid approach is that the on-premises device heavily reduces the number of times an organization switches over to the cloud – lowering cost and providing comprehensive and consistent defense.
During the switchover, an on-premises solution would continue to provide the necessary protection for any threats not mitigated by the cloud. Continuous monitoring can show when your organization can return to normal operation and collaborative communication and sharing of information between you and your provider enables comprehensive visibility, enhancing the overall security performance of your network.
The implementation of an always-on solution combined with on-demand cloud defense provides businesses with a means of safeguarding against the vast scope of DDoS attacks posed to their networks. With DDoS attacks now being delivered in various sizes and with differing intentions, ensuring that the appropriate prevention best practices are utilized correctly could well be what saves your organization from falling victim to a major breach of information.
About the Author
Dave Larson is CTO at Corero Network Security. He is responsible for directing the Corero technology strategy, bringing over 20 years’ experience in the network security, data communication and data center infrastructure industries. Most recently, he served as CTO for HP Networking and vice president of the HP Networking Advanced Technology Group. Prior to HP, Larson was vice president of Integrated Product Strategy for TippingPoint and has held senior roles with Tizor Systems, Sandburst Corporation and Xedia Corporation