Myths that Surround Cloud-based DDoS Mitigation

Now that distributed denial of service (DDoS) attacks are a common occurrence for many companies, more organizations are rightfully worried about protecting their servers and web applications. With that concern, comes a slew of advice—some good, some bad—from IT experts about the best anti-DDoS approaches.

Do Not Rely Exclusively on Cloud-Based Mitigation.

One example of bad advice is to suggest that organizations can rely exclusively on cloud-based, on-demand, mitigation.

Why is that a bad idea? Well, it’s a common myth that cloud-based mitigation techniques offer full protection against all types of DDoS attacks. The truth is, cloud-based DDoS mitigation is useful against large, persistent, brute-force volumetric attacks—the kind that send the infamously huge, bandwidth overwhelming floods of traffic to an organization. However, whether it’s these relatively rare attacks, or the daily onslaught of much smaller and shorter attacks, the cloud-based mitigation approach fails to protect in the critical first few minutes or tens of minutes of an attack. This means that much of the damage is already done by the time it activates.

Can You Afford to be Offline for Tens of Minutes?

The key challenge with cloud-based mitigation is the activation delay. Before engaging cloud-based mitigation, the alert needs to be raised and a human analyst must get involved in deciding what to do. Once a decision has been made to off-load the impacted traffic, the security analyst must initiate the redirection and then engage the cloud-based scrubbing service; by the time this process is engaged, 10-20, or more, minutes may have passed. Few online businesses can tolerate being down for that length of time without negative impact. Plus, that’s plenty of time for hackers with a broader agenda to capitalize on the distraction it creates and carry out other nefarious activities, which may well lead to the exfiltration of valuable data.

Most Attacks are Smaller and Shorter Than You Realize

One may think that damaging DDoS attacks are all large in volume and long in duration. However, with the correct lens on the problem you will find that these are just the tip of the iceberg. DDoS attacks which do not saturate Internet links, but still impact stateful infrastructure devices, servers and applications are a daily occurrence. Furthermore, Corero research consistently shows that the vast majority of DDoS attacks are less than a few Gigabits in size and last less than twenty minutes. So, organizations should be mostly concerned about these short, sub-saturating DDoS attacks, which cloud-based mitigation is ill-equipped to deal with.

Save Now, But Pay Later

What about price, you may ask? The price of cloud-based mitigation, as a monthly fee, can seem more affordable, but in the event of an actual attack the cost can be staggering. Depending on the size and duration of the attack, the bill could range from thousands to millions of dollars. When shopping for DDoS attack protection, companies should consider best value for total cost of ownership. Companies need to be concerned about all types of DDoS attacks, and to successfully mitigate these they need real-time protection that is automated, granular and scalable. They can no longer rely on legacy or patchwork approaches to defeating the DDoS threat.