By Nikhil Taneja, Managing Director – INDIA & SAARC, Radware
Distributed denial of service (DDoS) attacks have caused severe service interruptions and financial damages to organizations throughout 2015. Radware’s 2015-2016 Global Application and Network Security Report revealed that over 50% of organizations have experienced some type of DDoS attack in 2015. Yet, as much as 50% of the organizations cited that they are unprepared for such attacks.
DDoS attacks are increasing in quantity and severity as these attacks become increasingly complex and persistent. Typical DDoS attacks have evolved to include simultaneous multiple attack vectors that test simple mitigation techniques. Attacks using dynamic IP attacks that challenge mitigation through simple blacklisting are now ubiquitous. Volumetric network-level DDoS attacks at staggering throughput rates of hundreds of Gbps and hundreds of millions of packets per seconds have become commonplace, disabling organizations’ network and infrastructure.
Fortunately, there are good solutions to address the threat of DDoS attacks. Solutions include DDoS protection appliances installed on-premise as well as cloud-based DDoS protection services that can be consumed either on-demand or via always-on deployments. Another alternative for DDoS protection is a hybrid approach which combines on-premise DDoS protection appliances and cloud DDoS protection services to provide a robust protection suite. Each of these approaches for deploying DDoS protection has its own benefits, but also bears some challenges. The most appropriate approach for the deployment of DDoS protection depends on the organization’s IT architecture and business needs.
On-Premise DDoS Protection Appliances
DDoS protection appliances are powerful technologies that mitigate DDoS attacks. Installed on-premise in the organizations’ data center, the best of these appliances detect and mitigate DDoS attacks at all layers, including network-layer, SSL-based and application-layer DDoS attacks.
Using DDoS protection appliances on-premise has several benefits, as the time it takes to detect and mitigate DDoS attacks is usually minimal compared to other approaches. Since the organization’s inbound traffic is not diverted or routed through a cloud DDoS protection service, minimal latency is added in peacetime or during an attack. In addition, when using on-premise appliances that include SSL-based DDoS protection, there is no need to share the organization’s certificates with a third party. Also, by handling all traffic with on-premise appliances, the organization can avoid potential regulatory challenges associated with sharing its traffic with a third-party service provider such as Privacy Acts and PCI-DSS certification.
Unfortunately, there is one thing that on-premise, DDoS protection appliances cannot do: provide protection against massive volumetric DDoS attacks that saturate the internet pipe. Massive volumetric DDoS attacks use
throughput rates of hundreds of Gbps and hundreds of millions of packets per seconds to overwhelm upstream networking gear, rendering any downstream appliance installed on-premises.
Cloud-based DDoS protection services allow enterprises to overcome these challenges. Using cloud-based scrubbing centers strategically deployed worldwide and interconnected for global load balancing, these cloud-based DDoS protection services can absorb volumetric DDoS attacks several orders of magnitude larger than any organization is capable of handling.
On-Demand Cloud-Based DDoS Protection Services
In on-demand cloud-based DDoS protection services, the detection of DDoS attacks is usually done via the
remote monitoring of the internet link utilization by collecting flow statistics or router SNMP data on periodic
basis, usually every few seconds. Upon the breach of a certain threshold (commonly 70% utilization of the link capacity), the cloud DDoS protection service initiates a diversion of the inbound traffic to the nearest cloud scrubbing center where attack vectors are detected and mitigated so that only legitimate traffic returns to the organization. The merits of on-demand cloud-based DDoS protection services are its simple deployment, as no on-premise appliance is required, and the fact that there is no induced latency in peacetime as traffic is diverted to the cloud DDoS protection service only upon an attack.
On-demand cloud-based DDoS protection services feature several drawbacks. First, as the detection of DDoS attacks is based on the remote monitoring of the internet link utilization, there is no visibility into any
DDoS attack beyond the network layer. Secondly, on-demand cloud DDoS protection is based on diverting the traffic to the cloud service upon a DDoS attack usually based on DNS or BGP diversion techniques. Unfortunately, these diversions always take time, ranging from a few minutes to several hours, during which the on-going DDoS attack may cause severe service disruption to the organization. In addition, the on-demand approach is ineffective in protecting applications hosted on a public cloud as there is usually no access to link utilization data of the public cloud infrastructure.
Always-On Cloud-Based DDoS Protection Service
In always-on cloud-based DDoS protection services, the organization’s traffic are always routed through the local PoP of the cloud DDoS protection service, including in peacetime. This allows the cloud service to detect and mitigate all types of DDoS attacks at all layers, including SSL-based and application-layer attacks, before they interrupt the organization’s services.
The always-on deployment alternative is highly compelling, as it offers a ‘hands off’ approach for DDoS protection. By opting for always-on cloud DDoS protection services, enterprises fully outsource DDoS attack detection and mitigation to a third-party expert, requiring minimal resources from the enterprise’s IT organization. Also, here there is no need for traffic diversions, minimizing the time it takes from detection to mitigation of DDoS attacks is minimal, and no service interruption is induced. In addition, always-on features the only approach to provide DDoS protections to applications hosted in the cloud.
Unfortunately, always-on cloud DDoS protection services also feature several key drawbacks. As traffic is
always routed through the cloud service, some additional latency is induced, including during peacetime. This can be a critical shortcoming for latency-sensitive services such as real-time transactional applications. Secondly, it’s more expensive than the on-demand approach, as the organization’s traffic is always handled by
the cloud service, including during peacetime.
Hybrid Cloud DDoS Protection Service
Hybrid cloud DDoS protection services, in which on-premise DDoS protection appliances are coupled with a cloud DDoS protection service, allows organizations to enjoy most of the benefits of the various deployment alternatives while avoiding most of their drawbacks. In the hybrid approach, an on-premise DDoS protection appliance detects and mitigates DDoS attacks at all layers, including network-layer, SSL-based and application-layer attacks. In the event of a massive volumetric DDoS attack that saturates the internet link, traffic is routed to the nearest cloud scrubbing center, where attack vectors are detected and mitigated. This hybrid approach provides fastest time to mitigate of most DDoS attacks as DDoS assaults are mitigated on-premise and only volumetric attacks are diverted to the cloud. For the same reason, the hybrid approach allows organizations to enjoy minimal latency during peacetime.
Yet, the hybrid approach also features several challenges. First, as the hybrid approach is based on an on premise DDoS mitigation appliance, it cannot provide an effective DDoS protection to applications hosted
in the cloud. Secondly, if the on-premise DDoS solution and the cloud-based DDoS service do not share protection policies and signatures in real time, it can take up to 30 minutes to mitigate a volumetric DDoS attack following diversion to a cloud scrubbing center. This is a common pitfall when the DDoS protection appliance and the cloud scrubbing service are provided by different vendors.
What’s the best fit for my organization?
The most appropriate approach depends on the organization’s IT architecture and business needs. Several
questions should be answered prior to choosing the optimal solution:
- Are the assets that require protection hosted on-premise, in the cloud, or across both via a hybrid deployment model?
- Does the organization have the capacity and expertise to install, configure and manage an on-premise DDoS protection appliance?
- What is the level of sensitivity of the different enterprise services to additional latency during peacetime?
- How sensitive is the organization to SSL-based and application-level attacks, beyond network-layer attacks?
- How sensitive is the organization to the service disruption that may be induced during diversions?
Conclusion:
To create the ideal DDoS protection solution, organizations are advised to consider deploying a combination of approaches;
- In general, the hybrid approach is the best fit for organizations that have applications on-premise and have the capacity and expertise to handle on-premise appliances. In this case, the hybrid approach provides the fastest time to mitigate most DDoS attacks and the lowest induced latency in peacetime. However, the hybrid approach must be complemented by an always-on cloud DDoS protection service to any applications the organization has that are hosted in the cloud.
- To minimize time to mitigate volumetric attacks after diversions, it would be best to choose on-premise DDoS protection appliances and the cloud DDoS protection service that share traffic protection policies and signatures in real time. This means implementing both solutions from the same vendor.
- The always-on approach is the best fit, and in fact the only solution, for protecting applications that are hosted in the cloud. It is best fit for organizations that lack in-house resources and expertise to handle DDoS threats and seek peace of mind by fully outsourcing DDoS protection services to an expert organization.
- The on-demand approach is typically the most economical one. It is a good fit for organizations that have
applications on-premise, are less concerned about SSL-based and application-level DDoS attacks, and are
less sensitive to the time it takes to mitigate large volumetric attacks
Radware’s Cloud DDoS Protection Services
Radware provides a full suite of cloud DDoS protection services that can be deployed in either Hybrid, Always-On or On-Demand cloud DDoS protection services. Organizations can opt to implement one of these deployment alternatives, or choose a combination and benefit from:
- Radware’s battle-proven Emergency Response Team (ERT) for on-premise and cloud-based deployments.
- Global network of scrubbing centers with over 2Tbps mitigation capacity and Cloud DDoS Protection Services that are built to detect and mitigate all types of DDoS attacks.
- Market-leading DDoS mitigation appliances, featuring the only cloud DDoS protection service that can
automatically generate protections for zero-day attacks within seconds.
- A unique patent-protect technology for mitigating SSL-based attacks, Cloud DDoS Protection Services
maintains user data confidentiality and removes the operational dependencies between service provider and the organizations when keys are changed.
- Defense Messaging, a signaling mechanism that shares protection policies and signatures between
Radware’s DDoS protection appliances and Radware’s cloud security nodes in real time, minimizing
mitigation times of DDoS attacks upon diverting traffic to the cloud