If your organization is debating the merits of a DDoS protection appliance compared to a DDoS scrubbing service, the following is a short explanation of the key differences between these types of DDoS protection solutions.
Before I begin, here’s some background information. In the past, organizations had only two options for handling DDoS attacks: black-holing or scrubbing. Black-holing involves having a carrier or ISP black-hole the IP address of the DDoS victim, so that all traffic destined for that IP address is discarded by upstream peers. This protects everyone else on the carrier’s infrastructure, but shuts down the victim entirely. In effect, it is a perfect denial of service, so it’s not a true mitigation solution at all.
The other traditional method is cloud-based scrubbing, which makes use of separate DDoS traffic-cleaning engines. The solution starts with edge routers that monitor Internet traffic flows to a website and look for anomalies, such as an increase in connections or bandwidth usage. Once bursts of attack traffic have been identified, in most cases a human analyst steps in to determine whether intervention is required.
Disadvantages of Cloud-based DDoS Scrubbing:
- It Can Be Expensive. If the analyst decides to enable a response, traffic is then normally re-routed to a scrubbing center. These are typically hosted in the cloud, and capture DDoS flows and remove as much of the enemy traffic as possible to get customers back up and running. Existing out-of-band scrubbing centers require human intervention, so the costs associated with this approach are substantial; switching to the cloud for each sub-saturation, short-duration DDoS attack can, figuratively speaking, “break the bank.”
Enterprises typically pay a monthly subscription for an on-demand scrubbing service, and then pay additional service fees for scrubbing as needed. This makes budgeting for DDoS attacks unpredictable, and potentially expensive depending on the volume of a DDoS attack. An enterprise can purchase “always-on” cloud services, but that approach tends to be too expensive for most enterprise IT budgets.
- Human Intervention is Less Effective. Human intervention adds latency to the remediation process. The average time that it takes from detection to mitigation in a scrubbing center is 30 minutes. Even the best-equipped organizations can’t get that time below 15 minutes, and those without big-company resources can take days to complete their mitigation efforts. In an always-on world where downtime is a problem, this can have serious consequences.
Furthermore, there is the issue of whether DDoS attacks are even noticed by IT security staff. Corero research has found that low-threshold, short-duration, multi-vector, highly effective quick DDoS strikes are on the rise. Such attacks usually fall “under the radar” of traditional scrubbing solutions; by the time on-demand scrubbing defenses are engaged, the damage has been done and it’s too late for remediation.
- Traditional Scrubbing Doesn’t Address Multi-layer Attacks. Attackers increasingly profile the nature of the target network’s security defenses and then launch second or third attacks designed to circumvent an organization’s layered protection strategy. To defeat these sophisticated attacks, a granular analytics capability is required for customizing detection filters and blocking the attack immediately.
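To make the flow-monitoring step concrete, and to show why the short, sub-saturation bursts described above can fall under the radar of a coarse threshold, here is an added Python example. It is not Corero’s code or any product’s logic; the flow records, addresses, windows and multipliers are constructed for illustration. The same detector is run twice over the same constructed flows: once with a 60-second window (the burst is averaged away and never alerts) and once with a 1-second window (the burst is flagged on its first second).

```python
"""Flow-based DDoS anomaly detection over constructed flow records.

Added example (not Corero's or any vendor's code). Models the
"edge routers monitor flows for anomalies" step: aggregate flow records
per destination into fixed time windows, learn a per-window baseline from
a quiet period, and alert when bytes or connection counts exceed a
multiple of that baseline. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

TARGET = "203.0.113.10"                          # constructed protected address
CLIENTS = ["192.0.2.%d" % i for i in range(1, 6)]  # constructed normal clients


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch second at which the flow started
    src: str     # source address
    dst: str     # destination address
    nbytes: int  # bytes carried by the flow


def build_sample_flows():
    """Constructed traffic: 300 s of one 1500-byte flow per second to TARGET,
    plus a 5-second burst (t=200..204) of 40 small flows/s from 40 new sources.
    The burst is far below link saturation but 40x the normal connection rate."""
    flows = [Flow(t, CLIENTS[t % len(CLIENTS)], TARGET, 1500) for t in range(300)]
    for t in range(200, 205):
        for i in range(40):
            flows.append(Flow(t, "198.51.100.%d" % (i + 1), TARGET, 600))
    return flows


def bucket_flows(flows, dst, window):
    """Aggregate flows to `dst` into fixed windows of `window` seconds.
    Returns {window_start: (total_bytes, connection_count, distinct_sources)}."""
    agg = defaultdict(lambda: [0, 0, set()])
    for f in flows:
        if f.dst != dst:
            continue
        start = (f.ts // window) * window
        agg[start][0] += f.nbytes
        agg[start][1] += 1
        agg[start][2].add(f.src)
    return {s: (v[0], v[1], len(v[2])) for s, v in agg.items()}


def learn_baseline(buckets, train_until):
    """Mean bytes and connections per window over windows starting before train_until."""
    train = [v for start, v in buckets.items() if start < train_until]
    return mean(v[0] for v in train), mean(v[1] for v in train)


def detect(flows, dst, window, train_until, factor):
    """Alert on every post-training window whose bytes or connections exceed
    factor * baseline. Returns [(window_start, bytes, connections, sources)]."""
    buckets = bucket_flows(flows, dst, window)
    base_bytes, base_conns = learn_baseline(buckets, train_until)
    alerts = []
    for start in sorted(buckets):
        if start < train_until:
            continue
        nbytes, conns, srcs = buckets[start]
        if nbytes > factor * base_bytes or conns > factor * base_conns:
            alerts.append((start, nbytes, conns, srcs))
    return alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    # Coarse 60 s windows: the 5 s burst is diluted into 60 s of normal traffic.
    print("60s window alerts:", detect(flows, TARGET, 60, 180, 5))
    # Fine 1 s windows: each burst second stands out on both bytes and connections.
    for start, nbytes, conns, srcs in detect(flows, TARGET, 1, 180, 5):
        print("1s window alert at t=%d: %d bytes, %d conns, %d sources"
              % (start, nbytes, conns, srcs))
```

The point of the two runs is the window size, not the multiplier: with the same 5x factor the 60-second window sees only 210,000 bytes and 260 connections against a 90,000-byte, 60-connection baseline, so nothing trips, while the 1-second window sees 25,500 bytes and 41 connections against 1,500 bytes and 1 connection. Automated, fine-grained detection is what lets a short burst be caught while it is still happening rather than after a minutes-long averaging period.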
The ideal solution is an on-premises DDoS protection appliance, like Corero’s SmartWall® Threat Defense System, that can, if desired, be paired with an on-demand scrubbing solution. Corero’s SmartWall has an in-line, software-defined architecture that provides automatic threat detection and in-line mitigation; it detects and then cleans traffic in milliseconds as it goes through the system. It eliminates the requirement to manually analyze events, and negates the need to reroute all traffic (good and bad) in order to clean it, before returning it to the network. Furthermore, unlike a hosted scrubbing center, the appliance itself cannot be “DDoS-ed.”
Benefits of the Corero DDoS Protection Appliance:
- In-line, real-time, 365/24/7 detection and blocking
- Zero latency/delay; instant mitigation
- Accurate, precise removal of all types of DDoS threats
- Programmable filters to target zero-day attacks and multi-vectors
- Scalability in increments of 10GB to whatever level is necessary
- Unparalleled analytics and DDoS event visibility
DDoS attacks are clearly becoming more common, and increasing in volume, so IT security professionals need to address the DDoS threat and decide which solution makes the most sense for their organization. Solutions vary according to total cost of ownership, security effectiveness and performance. When comparing the various solutions, organizations should refer to the most recent NSS Labs DDoS Prevention Solution Value Map, in which Corero received the coveted “Recommended” Rating.