
The best DDoS protection depends on the use case

12 Jan 2021

Article by Radware product marketing manager Eyal Arazi.

2020 was a record-breaker for distributed denial of service (DDoS) attacks. During twelve turbulent months, we witnessed the largest DDoS attack known to date, a global ransom DDoS campaign against financial services, large-scale attacks on gaming services, and the COVID-19 crisis which was exploited by malicious actors.

Naturally, this rise in attack size and sophistication has brought about an increased interest in DDoS protection solutions, as organisations seek to protect themselves against this threat.

However, as businesses begin to weigh their options for DDoS protection, many quickly realise that DDoS protection can come in various formats, and they must consider which deployment type is best for them: on-demand cloud service, always-on cloud service, on-prem appliance, or hybrid protection?

The answer, in a nutshell, is that it all depends.

It's important to realise there is no such thing as the 'best' type of DDoS protection. Rather, different deployment options have different merits and drawbacks, and as a result are best suited to different business use cases.

So it becomes a question not of 'what is the best type of DDoS protection', but of 'which deployment options are best suited for individual needs?'

Hardware appliance

Traditionally, DDoS protection relied on hardware appliances deployed at the customer's data centres. Hardware appliances frequently provided advanced protection, low latency, and granular control by network admins.

Yet their capacity was constrained by the limits of the hardware appliance, or of the traffic pipe leading into it. These limits made hardware appliances susceptible to large volumetric attacks which saturated the organisation's traffic pipe. In addition, they required additional management overhead by the organisation, a large upfront investment (CAPEX) to purchase, and dedicated staff to operate them.

Thus, standalone hardware appliances are most suited today either for large organisations or service providers creating their own mitigation scrubbing centres (usually with multiple such devices), or for organisations that are prevented by national or industry regulations from using cloud security services.

On-demand cloud service

Due to hardware appliances' capacity constraints, many organisations began looking to cloud-based scrubbing services for a solution. Compared to standalone hardware appliances, these services offer massive capacity, usually measured in terabits, as well as lower management overhead and more flexible pay-as-you-go, subscription-based (OPEX) costs.

However, cloud services are more limited in the attacks they can protect against, since they usually have visibility only into ingress traffic.

The first type of cloud-based DDoS protection is the on-demand service, activated only when an attack is detected. During peacetime, on a routine basis, traffic flows directly to the customer's network. Only when an attack is detected is traffic diverted to the cloud scrubbing centre, where traffic is 'scrubbed' for malicious traffic and only 'clean' traffic is sent back to the customer location.

The advantage of the on-demand approach is that since traffic flows directly to the customer's location, it does not add latency during peacetime. On-demand services usually have little operational overhead and do not require day-to-day management or maintenance. Usually, they are cheaper than other deployment types.

However, with an on-demand cloud service, attack detection is usually based only on volumetric detection (i.e. on NetFlow traffic rates). Traffic diversion, once it takes place, requires a certain window of time (usually a few minutes) until diversion is complete. The customer will remain vulnerable during this 'diversion gap'.
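To make the detection and diversion-gap points concrete, the following toy volumetric detector is an added example (not code from the article or from Radware). It aggregates constructed NetFlow-style records into per-destination bit rates, triggers only when a rate exceeds a multiple of an assumed baseline, and adds an assumed diversion time to show how long a target stays exposed; the low-rate flood in the data is never flagged, which is the kind of non-volumetric attack the article says only an always-on service can detect.

```python
"""Toy volumetric detector over constructed NetFlow-style flow records."""
from collections import defaultdict

# Constructed flow records: (start_second, dst_ip, bytes in that flow).
# 10.0.0.5 runs at ~1.7 Mbps, then a ~1 Gbps flood begins at t=600.
# 10.0.0.6 receives a low-rate request flood (~0.27 Mbps) the whole time.
FLOWS = (
    [(t, "10.0.0.5", 12_500_000) for t in range(0, 600, 60)]
    + [(t, "10.0.0.5", 7_500_000_000) for t in range(600, 900, 60)]
    + [(t, "10.0.0.6", 2_000_000) for t in range(0, 900, 60)]
)
BIN_SECONDS = 60
# Assumed per-destination baseline rates in bits per second (constructed).
BASELINE_BPS = {"10.0.0.5": 1_700_000, "10.0.0.6": 270_000}
TRIGGER_MULTIPLIER = 5        # alert when a bin exceeds 5x the baseline rate
DIVERSION_SECONDS = 180       # assumed time for BGP/DNS diversion to complete


def bits_per_second(flows, bin_seconds=BIN_SECONDS):
    """Aggregate flow bytes into per-(destination, bin) bit rates."""
    totals = defaultdict(int)
    for start, dst, nbytes in flows:
        totals[(dst, start // bin_seconds)] += nbytes * 8
    return {key: total / bin_seconds for key, total in totals.items()}


def detect_volumetric(rates, baseline=BASELINE_BPS, multiplier=TRIGGER_MULTIPLIER):
    """Return {dst: detection_second} for destinations that exceeded threshold.

    A bin's rate is only known once the bin closes, so detection is stamped at
    the end of the first offending bin, not at its start.
    """
    first_hit = {}
    for (dst, idx), bps in sorted(rates.items(), key=lambda kv: kv[0][1]):
        if dst not in first_hit and bps > multiplier * baseline[dst]:
            first_hit[dst] = (idx + 1) * BIN_SECONDS
    return first_hit


def exposure_window(attack_start, detected_at, diversion_seconds=DIVERSION_SECONDS):
    """Seconds the target stays unprotected: detection delay plus diversion time."""
    return (detected_at - attack_start) + diversion_seconds


if __name__ == "__main__":
    hits = detect_volumetric(bits_per_second(FLOWS))
    print("flagged:", hits)                        # only 10.0.0.5 is flagged
    print("exposed for", exposure_window(600, hits["10.0.0.5"]), "seconds")
```

The low-rate target 10.0.0.6 never crosses the threshold, so with this detection model it would simply not be diverted.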

On-demand protection is usually best for organisations that are attacked infrequently but want some form of 'insurance' in case of attack, with assets that are non-mission-critical and do not mind the 'diversion gap' window, as well as for cost-conscious organisations.

Always-on cloud service

An alternative to on-demand protection is an always-on cloud service. Under this model, traffic is continuously routed through a cloud scrubbing centre, where it is inspected for DDoS traffic.

This model eliminates the need for diversion when there is an attack while providing 24/7 protection and allows for more granular detection of attacks, including detection of non-volumetric attacks.

However, it is usually more expensive than an on-demand service, and may add some minor latency to customer communications.

As a result, it is best suited for organisations that frequently come under attack, and have applications that are not latency-sensitive.

Hybrid protection

Hybrid protection offers the best of both worlds, since it combines an on-premises appliance with a cloud service. This allows protected organisations to enjoy both the advanced capabilities of hardware appliances and the massive capacity of a cloud service.

As a result, customers can defend against both large and sophisticated attacks, and benefit from multi-layered protection: if an attack gets around the cloud defences, it will be mitigated by the appliance. However, a hybrid solution is usually more expensive, since it combines both an appliance and a cloud service.

As a result, hybrid protection is usually best for large organisations with mission-critical applications which cannot afford any downtime, particularly in verticals such as banking, eCommerce, or SaaS.

Ultimately, there is no 'right' or 'wrong' when choosing a DDoS protection solution. Instead, it depends on an organisation's needs, constraints and threat profile. Consider which model makes the most sense for a specific organisation and don't be afraid to mix-and-match protection options for different assets, to create a solution that is tailored specifically to individual needs.
