HOME
NEWS

You Still Need That DDoS Appliance… here's why


By VARINDIA - 2019-07-17
You Still Need That DDoS Appliance… here's why

More and more organizations are adopting cloud-based DDoS defenses and substituting them for their old, premise-based DDoS appliances. Nonetheless, there are still a number of reasons why you might want to keep that DDoS appliance around.

 

The Rise of Cloud Protection

 

More and more organizations are deploying cloud-based DDoS mitigation services. Indeed, Frost & Sullivan estimated that by 2021, cloud-based mitigation service will account for 70% of spending on DDoS protection.

 

The reasons for adopting cloud-based protections are numerous. First and foremost, is capacity. As DDoS attacks keep getting bigger, high-volume DDoS attacks capable of saturating the inbound communication pipe are becoming more common. For that reason, having large-scale cloud-based scrubbing capacity to absorb such attacks is indispensable.

 

Moreover, cloud-based DDoS defenses are purchased on a pay-as-you-go SaaS subscription model, so organizations can quickly scale up or down, and don’t need to allocate large amounts of capital expenditure (CAPEX) far in advance. In addition, cloud services usually provide easier management and lower overhead than on-prem equipment, and don’t require dedicated staff to manage.

 

It is no surprise, then, that more and more organizations are looking to the cloud for DDoS protection.

 

The benefits of the cloud notwithstanding, there are still several key reasons why organizations would still want to maintain their hardware appliances, alongside cloud-based services.

 

Two-Way Traffic Visibility

 

Cloud-based services, by definition, only provide visibility into ingress – or inbound – traffic into the organization. They inspect traffic as it flows through to the origin, and scrub-out malicious traffic it identifies. While this is perfectly fine for most types of DDoS attacks, there are certain types of DDoS attacks that require visibility into both traffic channels in order to be detected and mitigated.

 

Examples of attacks that require visibility into egress traffic in order to detect include:

 

Out-of-State Protocol Attacks: These attacks exploit weaknesses in protocol communication process (such as TCP’s three-way handshake) to create “out-of-state” connection requests which exhaust server resources. Although some attacks of this type – such as SYN floods – can be mitigated solely with visibility into ingress traffic only, other types of out-of-state DDoS attacks – such as an ACK flood – require visibility into the outbound channel, as well. Visibility into the egress channel will be required to detect that these ACK responses are not associated with a legitimate SYN/ACK response and can therefore be blocked.

 

Reflection/Amplification Attacks: These attacks take advantage of the asymmetric nature of some protocols or request types in order to launch attacks that will exhaust server resources or saturate the outbound communication channel. An example of such an attack is a large file download attack. In this case, visibility into the egress channel is required to detect the spike in outbound traffic flowing from the network.

 

Scanning attacks: Such attacks frequently bare the hallmarks of a DDoS attack, since they flood the network with large numbers of erroneous connection requests. Such scans frequently generate large numbers of error replies, which can clog-up the outbound channel. Again, visibility into the outbound traffic is required to identify the error response rate relative to legitimate inbound traffic, so that defenses can conclude that an attack is taking place.

 

Application-layer Protection

 

Similarly, relying on a premise-based appliance has certain advantages for application-layer (L7) DDoS protection and SSL handling.

 

Certain types of application-layer(L7) DDoS attacks exploit known protocol weaknesses in order to generate large numbers of forged application requests that exhaust server resources. Examples of such attacks are low-and-slow attacks or application-layer SYN floods, which draw-out TCP and HTTP connections to continuously consume server resources.

 

Again, although some such attacks can be mitigated by cloud scrubbing service, mitigating some types of attacks requires application state-awareness that cloud-based mitigation services usually do not possess.

 

Using a premise-based DDoS mitigation appliance with application-layer DDoS protection capabilities allows organizations to have this.

 

SSL DDoS Protection

 

Moreover, SSL encryption is adding another layer of complexity, as the encryption layers makes it difficult to inspect traffic contents for malicious traffic. In order to inspect traffic contents, cloud-based services must decrypt all traffic, inspect it, scrub-out bad traffic, and re-encrypt it, before forwarding it to the customer origin.

 

As a result, most cloud-based DDoS mitigation services either provide no protection at all for SSL-based traffic, or use full-proxy SSL offloading which require that customers upload their certificates to the service provider’s cloud infrastructure.

 

However, performing full SSL offloading in the cloud is frequently a burdensome process which adds latency to customer communications and violates user privacy. That is why many organizations are hesitant – or don’t have the capability – of sharing their SSL keys with third party cloud service providers.

 

Again, deploying a premise-based appliance allows organizations to protect against SSL DDoS floods while keeping SSL certificates in-house.

 

Layered Protection

 

Finally, using a premise-based hardware appliance in conjunction with a cloud service allows for layered protection in case attack traffic somehow gets through the cloud protection.

 

Using a premise-based appliances allows the organization control directly over device configuration and management. Although many organizations prefer that this be handled by cloud-based managed services, some organizations (and some security managers) prefer to have this deeper level of control.

 

This control also allows security policy granularity, so that security policies can be fine-tuned exactly to the needs of the organizations, and cover attack vectors that the cloud-layer does not – or cannot – cover.

 

Finally, this allows for security failover, so that if malicious traffic somehow gets through the cloud mitigation, the appliance will handle it.

 

The Best Practice: A Hybrid Approach

 

Ultimately, it is up to each organization to decide what is the optimal solution for them, and what type of deployment model (appliance, pure cloud, or hybrid) is best for them.

 

Nonetheless, more and more enterprises are adopting a hybrid approach, combining the best of both worlds between the security granularity of hardware appliances, and the capacity and resilience of cloud services.

 

In particular, an increasingly popular option is an always-on hybrid solution, which combines always-on cloud service together with a hardware DDoS mitigation appliance. Combining these defenses allows for constant, uninterrupted protection against volumetric protection, while also protecting against application-layer and SSL DDoS attacks, while reducing exposure of SSL keys and improving handling of SSL traffic.

 

Nikhil Taneja
Managing Director-India, SAARC & Middle East, Radware

See What’s Next in Tech With the Fast Forward Newsletter

SECURITY
View All
Zscaler announces AI innovations to its Data Protection Platform
Technology

Zscaler announces AI innovations to its Data Protection Platform

by VARINDIA 2024-05-20
SHIELD to enhance Swiggy’s fraud prevention and detection capabilities
Technology

SHIELD to enhance Swiggy’s fraud prevention and detection capabilities

by VARINDIA 2024-05-20
Axis Communications announces its first thermometric camera designed for Zone/Division 2
Technology

Axis Communications announces its first thermometric camera designed for Zone/Division 2

by VARINDIA 2024-05-20
SOFTWARE
View All
Hitachi Vantara and Veeam announce Global Strategic Alliance
Technology

Hitachi Vantara and Veeam announce Global Strategic Alliance

by VARINDIA 2024-05-16
Adobe launches Acrobat AI Assistant for the Enterprise
Technology

Adobe launches Acrobat AI Assistant for the Enterprise

by VARINDIA 2024-05-11
Oracle Database 23ai offers the power of AI to Enterprise Data and Applications
Technology

Oracle Database 23ai offers the power of AI to Enterprise Data and Applications

by VARINDIA 2024-05-10
START - UP
View All
Data Subject Access Request is an integrated module within ID-REDACT®
Technology

Data Subject Access Request is an integrated module within ID-REDACT®

by VARINDIA 2024-04-30
SiMa.ai Secures $70M Funds from Maverick Capital
Technology

SiMa.ai Secures $70M Funds from Maverick Capital

by VARINDIA 2024-04-05
Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure
Technology

Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure

by VARINDIA 2024-02-08

Tweets From @varindiamag

CIO - SPEAK
Automation has the potential to greatly improve efficiency and production

Automation has the potential to greatly improve efficiency and production

by VARINDIA
Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

by VARINDIA
Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

by VARINDIA
Start-Up and Unicorn Ecosystem
GoDaddy harnesses AI power for new domain name recommendations

GoDaddy harnesses AI power for new domain name recommendations

by VARINDIA
UAE’s du Telecom selects STL as a strategic fibre partner

UAE’s du Telecom selects STL as a strategic fibre partner

by VARINDIA
JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

by VARINDIA
Rapyder partners with AWS to accelerate Generative AI led innovation

Rapyder partners with AWS to accelerate Generative AI led innovation

by VARINDIA
ManageEngine integrates its SIEM solution with Constella Intelligence

ManageEngine integrates its SIEM solution with Constella Intelligence

by VARINDIA
Elastic replaces traditional SIEM game with AI-driven security analytics

Elastic replaces traditional SIEM game with AI-driven security analytics

by VARINDIA
Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

by VARINDIA
Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

by VARINDIA
Dassault Systèmes to accelerate EV charging infrastructure development in India

Dassault Systèmes to accelerate EV charging infrastructure development in India

by VARINDIA
Tech Mahindra and Atento to deliver GenAI powered business transformation services

Tech Mahindra and Atento to deliver GenAI powered business transformation services

by VARINDIA