On-Demand, Always-on, or Hybrid? Choosing an Optimal Solution for DDoS Protection


By VARINDIA - 2016-11-18

Distributed denial of service (DDoS) attacks caused severe service interruptions and financial damage to organizations throughout 2015. Radware’s 2015-2016 Global Application and Network Security Report revealed that over 50% of organizations experienced some type of DDoS attack in 2015. Yet as many as 50% of organizations said that they are unprepared for such attacks.

DDoS attacks are increasing in quantity and severity as they become more complex and persistent. Typical DDoS attacks have evolved to include multiple simultaneous attack vectors that test simple mitigation techniques. Dynamic IP attacks that challenge mitigation through simple blacklisting are now ubiquitous. Volumetric network-level DDoS attacks at staggering throughput rates of hundreds of Gbps and hundreds of millions of packets per second have become commonplace, disabling organizations’ networks and infrastructure.

Fortunately, there are good solutions to address the threat of DDoS attacks. Solutions include DDoS protection appliances installed on-premise as well as cloud-based DDoS protection services that can be consumed either on-demand or via always-on deployments. Another alternative for DDoS protection is a hybrid approach which combines on-premise DDoS protection appliances and cloud DDoS protection services to provide a robust protection suite. Each of these approaches for deploying DDoS protection has its own benefits, but also bears some challenges. The most appropriate approach for the deployment of DDoS protection depends on the organization’s IT architecture and business needs.

On-Premise DDoS Protection Appliances

DDoS protection appliances are powerful technologies that mitigate DDoS attacks. Installed on-premise in the organization’s data center, the best of these appliances detect and mitigate DDoS attacks at all layers, including network-layer, SSL-based and application-layer DDoS attacks.

Using DDoS protection appliances on-premise has several benefits. The time it takes to detect and mitigate DDoS attacks is usually minimal compared to other approaches. Since the organization’s inbound traffic is not diverted or routed through a cloud DDoS protection service, minimal latency is added in peacetime or during an attack. In addition, when using on-premise appliances that include SSL-based DDoS protection, there is no need to share the organization’s certificates with a third party. Also, by handling all traffic with on-premise appliances, the organization can avoid potential regulatory challenges, such as Privacy Acts and PCI-DSS certification, associated with sharing its traffic with a third-party service provider.

Unfortunately, there is one thing that on-premise DDoS protection appliances cannot do: provide protection against massive volumetric DDoS attacks that saturate the internet pipe. Massive volumetric DDoS attacks use throughput rates of hundreds of Gbps and hundreds of millions of packets per second to overwhelm upstream networking gear, rendering any downstream appliance installed on-premises.

Cloud-based DDoS protection services allow enterprises to overcome these challenges. Using cloud-based scrubbing centers strategically deployed worldwide and interconnected for global load balancing, these cloud-based DDoS protection services can absorb volumetric DDoS attacks several orders of magnitude larger than any organization is capable of handling.

On-Demand Cloud-Based DDoS Protection Services

In on-demand cloud-based DDoS protection services, the detection of DDoS attacks is usually done via the remote monitoring of the internet link utilization by collecting flow statistics or router SNMP data on a periodic basis, usually every few seconds. Upon the breach of a certain threshold (commonly 70% utilization of the link capacity), the cloud DDoS protection service initiates a diversion of the inbound traffic to the nearest cloud scrubbing center where attack vectors are detected and mitigated so that only legitimate traffic returns to the organization. The merits of on-demand cloud-based DDoS protection services are their simple deployment, as no on-premise appliance is required, and the fact that there is no induced latency in peacetime as traffic is diverted to the cloud DDoS protection service only upon an attack.

On-demand cloud-based DDoS protection services have several drawbacks. First, as the detection of DDoS attacks is based on the remote monitoring of the internet link utilization, there is no visibility into any DDoS attack beyond the network layer. Secondly, on-demand cloud DDoS protection is based on diverting the traffic to the cloud service upon a DDoS attack, usually using DNS or BGP diversion techniques. Unfortunately, these diversions always take time, ranging from a few minutes to several hours, during which the ongoing DDoS attack may cause severe service disruption to the organization. In addition, the on-demand approach is ineffective in protecting applications hosted on a public cloud as there is usually no access to link utilization data of the public cloud infrastructure.
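The polling-and-threshold detection described above, and the blind spot it leaves for attacks that never approach link capacity, shown as an added example that is not code from the article or from Radware. The 1 Gbps link, the 5-second poll interval, the three-interval sustain rule and every counter value are assumptions constructed for illustration.

```python
from dataclasses import dataclass

COUNTER64_MAX = 2 ** 64      # ifHCInOctets is a 64-bit counter and wraps to 0
LINK_BPS = 1_000_000_000     # assumed 1 Gbps internet link

@dataclass
class Sample:
    t: float         # poll time in seconds
    in_octets: int   # cumulative inbound octet counter at poll time

def utilization(prev, cur, link_bps):
    """Fraction of link capacity used between two consecutive polls."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be strictly time-ordered")
    # Modulo arithmetic keeps the delta correct when the counter wraps.
    delta = (cur.in_octets - prev.in_octets) % COUNTER64_MAX
    return delta * 8 / (dt * link_bps)

def first_diversion(samples, link_bps, threshold=0.70, sustain=3):
    """Poll time at which diversion would be triggered, or None.

    threshold=0.70 is the figure the article cites; `sustain` (consecutive
    intervals over threshold) is a hypothetical guard against single spikes.
    """
    streak = 0
    for prev, cur in zip(samples, samples[1:]):
        over = utilization(prev, cur, link_bps) >= threshold
        streak = streak + 1 if over else 0
        if streak >= sustain:
            return cur.t
    return None

def build_samples(rates_bps, interval=5.0, start=COUNTER64_MAX - 10 ** 9):
    """Constructed input: per-interval bit rates -> cumulative counter polls.

    The start value sits just below the wrap point so the counter rolls
    over in the middle of the volumetric scenario.
    """
    samples = [Sample(0.0, start)]
    for i, rate in enumerate(rates_bps, 1):
        octets = int(rate * interval / 8)
        nxt = (samples[-1].in_octets + octets) % COUNTER64_MAX
        samples.append(Sample(i * interval, nxt))
    return samples

# Constructed scenarios: inbound bit rate per 5-second polling interval.
VOLUMETRIC = [200e6, 220e6, 900e6, 950e6, 980e6, 990e6]  # flood begins at t=10
APP_LAYER = [200e6, 230e6, 260e6, 250e6, 240e6, 255e6]   # low-bandwidth L7 flood

if __name__ == "__main__":
    print("volumetric:", first_diversion(build_samples(VOLUMETRIC), LINK_BPS))
    print("app-layer: ", first_diversion(build_samples(APP_LAYER), LINK_BPS))
```

In the volumetric scenario the trigger fires 15 seconds after the flood begins, and the DNS or BGP diversion time comes on top of that; the application-layer scenario never triggers because link utilization stays well under the threshold.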

Always-On Cloud-Based DDoS Protection Service

In always-on cloud-based DDoS protection services, the organization’s traffic is always routed through the local PoP of the cloud DDoS protection service, including in peacetime. This allows the cloud service to detect and mitigate all types of DDoS attacks at all layers, including SSL-based and application-layer attacks, before they interrupt the organization’s services.

The always-on deployment alternative is highly compelling, as it offers a ‘hands off’ approach for DDoS protection. By opting for always-on cloud DDoS protection services, enterprises fully outsource DDoS attack detection and mitigation to a third-party expert, requiring minimal resources from the enterprise’s IT organization. Also, there is no need for traffic diversions, so the time it takes from detection to mitigation of DDoS attacks is minimal and no service interruption is induced. In addition, always-on is the only approach that provides DDoS protection to applications hosted in the cloud.

Unfortunately, always-on cloud DDoS protection services also have several key drawbacks. As traffic is always routed through the cloud service, some additional latency is induced, including during peacetime. This can be a critical shortcoming for latency-sensitive services such as real-time transactional applications. Secondly, it is more expensive than the on-demand approach, as the organization’s traffic is always handled by the cloud service, including during peacetime.

Hybrid Cloud DDoS Protection Service

Hybrid cloud DDoS protection services, in which on-premise DDoS protection appliances are coupled with a cloud DDoS protection service, allow organizations to enjoy most of the benefits of the various deployment alternatives while avoiding most of their drawbacks. In the hybrid approach, an on-premise DDoS protection appliance detects and mitigates DDoS attacks at all layers, including network-layer, SSL-based and application-layer attacks. In the event of a massive volumetric DDoS attack that saturates the internet link, traffic is routed to the nearest cloud scrubbing center, where attack vectors are detected and mitigated. This hybrid approach provides the fastest time to mitigate most DDoS attacks, as DDoS assaults are mitigated on-premise and only volumetric attacks are diverted to the cloud. For the same reason, the hybrid approach allows organizations to enjoy minimal latency during peacetime.

Yet the hybrid approach also has several challenges. First, as the hybrid approach is based on an on-premise DDoS mitigation appliance, it cannot provide effective DDoS protection to applications hosted in the cloud. Secondly, if the on-premise DDoS solution and the cloud-based DDoS service do not share protection policies and signatures in real time, it can take up to 30 minutes to mitigate a volumetric DDoS attack following diversion to a cloud scrubbing center. This is a common pitfall when the DDoS protection appliance and the cloud scrubbing service are provided by different vendors.

What’s the best fit for my organization?

The most appropriate approach depends on the organization’s IT architecture and business needs. Several questions should be answered prior to choosing the optimal solution:

• Are the assets that require protection hosted on-premise, in the cloud, or across both via a hybrid deployment model?

• Does the organization have the capacity and expertise to install, configure and manage an on-premise DDoS protection appliance?

• What is the level of sensitivity of the different enterprise services to additional latency during peacetime?

• How sensitive is the organization to SSL-based and application-level attacks, beyond network-layer attacks?

• How sensitive is the organization to the service disruption that may be induced during diversions?


Conclusion:

To create the ideal DDoS protection solution, organizations are advised to consider deploying a combination of approaches:

  • In general, the hybrid approach is the best fit for organizations that have applications on-premise and have the capacity and expertise to handle on-premise appliances. In this case, the hybrid approach provides the fastest time to mitigate most DDoS attacks and the lowest induced latency in peacetime. However, the hybrid approach must be complemented by an always-on cloud DDoS protection service for any applications the organization has that are hosted in the cloud.

  • To minimize the time to mitigate volumetric attacks after diversions, it would be best to choose on-premise DDoS protection appliances and a cloud DDoS protection service that share traffic protection policies and signatures in real time. This means implementing both solutions from the same vendor.

  • The always-on approach is the best fit, and in fact the only solution, for protecting applications that are hosted in the cloud. It is the best fit for organizations that lack in-house resources and expertise to handle DDoS threats and seek peace of mind by fully outsourcing DDoS protection services to an expert organization.

  • The on-demand approach is typically the most economical one. It is a good fit for organizations that have applications on-premise, are less concerned about SSL-based and application-level DDoS attacks, and are less sensitive to the time it takes to mitigate large volumetric attacks.


Radware’s Cloud DDoS Protection Services

Radware provides a full suite of cloud DDoS protection services that can be deployed as Hybrid, Always-On or On-Demand cloud DDoS protection services. Organizations can opt to implement one of these deployment alternatives, or choose a combination and benefit from:

• Radware's battle-proven Emergency Response Team (ERT) for on-premise and cloud-based deployments.

• Global network of scrubbing centers with over 2Tbps mitigation capacity and Cloud DDoS Protection Services that are built to detect and mitigate all types of DDoS attacks.

• Market-leading DDoS mitigation appliances, featuring the only cloud DDoS protection service that can automatically generate protections for zero-day attacks within seconds.

• A unique patent-protected technology for mitigating SSL-based attacks; Cloud DDoS Protection Services maintains user data confidentiality and removes the operational dependencies between the service provider and the organization when keys are changed.

• Defense Messaging, a signaling mechanism that shares protection policies and signatures between Radware's DDoS protection appliances and Radware's cloud security nodes in real time, minimizing mitigation times of DDoS attacks upon diverting traffic to the cloud.


Reproduction in whole or in part in any form or medium without express written permission of Kalinga Digital Media Pvt. Ltd. is prohibited.
