The Advantages of Hybrid DDoS Protection

There are various ways to protect a network or web application from distributed denial of service (DDoS) attacks, so an organization must weigh the advantages and disadvantages of each defense method, according to its needs, risks, and budget. In short, an organization has four key options: a completely on-premises solution, DDoS Protection as a Service (DDPaaS) from an Internet Service Provider, a cloud-based mitigation service, or a hybrid combination of on-premises with cloud scrubbing for attacks that exceed the Internet link capacity. This blog post discusses the advantages of hybrid DDoS protection.

Weigh Cost versus Risk

These days almost any organization is vulnerable to DDoS attacks, even if it is not particularly high-profile. Cybercriminals launch attacks indiscriminately at times, or purposefully, with the intent to damage an organization. Most organizations now depend upon having reliable and always available Internet connectivity to conduct business, but not every organization is equally damaged by downtime. For example, a hosting provider that has service level agreements (SLAs) with thousands of customers would suffer greatly from any lapse in availability, losing brand reputation, revenue and customer trust.

Saturating versus Non-Saturating DDoS Attacks

There are dozens of DDoS attack mechanisms, ranging from DNS reflections to UDP floods. Irrespective of the mechanism used, attacks fall into two categories: saturating and sub-saturating. Saturating attacks overwhelm the entire Internet connection, stopping legitimate traffic from getting through, and are often associated with massive botnets. Of course, whether an attack saturates your connection depends not only on the size of the attack, but also on the bandwidth of your Internet connection(s). Corero research consistently shows that the vast majority (over 98%) of DDoS attacks are less than 10Gbps in size. If your aggregate Internet bandwidth is higher than 10Gbps, then the chances of experiencing a saturating attack are exceedingly low. On the other hand, if your Internet bandwidth is a few Gigabits per second, or much less, then there is a higher chance that some of the attacks you experience will be saturating.

Cloud versus On-Premises Solutions

Cloud-based mitigation is necessary to defend against DDoS attacks that are larger than your Internet bandwidth: the kind that result in the infamously huge, overwhelming floods of traffic to an unsuspecting organization. However, on-demand cloud mitigation is not, and can never be, truly real-time, so it cannot deliver protection without at least some degree of downtime. This downtime can range from minutes to tens of minutes, depending on the chosen provider. Corero research also shows that the vast majority of DDoS attacks are short (less than ten minutes) and sub-saturating (over 75% are less than 1Gbps), so by the time traffic has been swung to cloud scrubbing, the attack is often already over.

In contrast to cloud-based mitigation, always-on on-premises DDoS solutions are perfect for defending against the vast majority of attacks a typical organization is likely to experience, as these are non-saturating and can just be dealt with locally. On-premises, always-on, solutions can deliver this local protection instantaneously, preventing any amount of downtime for the applications and services being protected.

However, a combination of the two – a hybrid of an on-premises, always-on solution and cloud scrubbing – offers the ultimate protection against the whole spectrum of attacks for organizations with typical amounts of Internet bandwidth. In the event of a massive volumetric attack that saturates an organization’s Internet links, the on-demand cloud protection will be activated. Meanwhile, the on-premises solution mitigates all the smaller, non-saturating attacks and any residuals not blocked when the cloud scrubbing is active, to ensure applications and services are not impacted and do not suffer any downtime.

A key benefit of the hybrid approach is that the on-premises solution significantly reduces the number of times an organization engages the cloud protection. This lowers costs while delivering a real-time, comprehensive and consistent defense. Another benefit is that during the minutes, to tens of minutes, that the cloud service activation is in process, the attack will still be stopped by the on-premises solution.
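The routing rule described above can be checked against your own attack history. The sketch below is an added example, not Corero code: it classifies each attack as saturating or sub-saturating against a given link capacity and counts how often cloud scrubbing would be engaged under the hybrid model versus an on-demand cloud-only model. The attack records, the 5 Gbps link and the 10-minute swing time are constructed values, and it assumes a cloud-only deployment diverts traffic for every attack and that legitimate traffic on the link is ignored.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attack:
    peak_gbps: float   # peak attack rate seen at the Internet edge
    duration_s: int    # how long the attack lasted, in seconds

def is_saturating(attack, link_gbps):
    """Assumption: an attack saturates when it alone meets or exceeds link capacity."""
    return attack.peak_gbps >= link_gbps

def route(attack, link_gbps):
    """Hybrid policy: on-premises is always on, cloud is engaged only on saturation."""
    return "cloud+on-prem" if is_saturating(attack, link_gbps) else "on-prem"

def summarize(attacks, link_gbps, cloud_swing_s):
    """Compare cloud engagements under hybrid and on-demand cloud-only models."""
    saturating = [a for a in attacks if is_saturating(a, link_gbps)]
    # Attacks that finish before traffic could be diverted to cloud scrubbing.
    short = [a for a in attacks if a.duration_s <= cloud_swing_s]
    return {
        "attacks": len(attacks),
        "cloud_activations_cloud_only": len(attacks),  # assumed: one swing per attack
        "cloud_activations_hybrid": len(saturating),
        "handled_on_prem_only": len(attacks) - len(saturating),
        "ended_before_cloud_swing": len(short),
    }

# Constructed sample history, not measured data.
SAMPLE = [
    Attack(0.4, 180), Attack(0.8, 300), Attack(2.5, 540),
    Attack(0.2, 90), Attack(12.0, 1800), Attack(6.0, 240),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a.peak_gbps:>5} Gbps {a.duration_s:>5}s -> {route(a, 5.0)}")
    print(summarize(SAMPLE, link_gbps=5.0, cloud_swing_s=600))
```

Run it with your real link capacity and your provider's stated diversion time to see how many of your past attacks would have needed the cloud at all.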

Constant, Always-on Protection

For organizations that cannot tolerate any downtime, the best choice is a fully integrated hybrid DDoS protection solution that delivers on-premises, always-on, real-time DDoS protection, with coordinated automatic cloud backup, to defend against even the largest DDoS attacks.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions deliver protection for on-premise, cloud, virtual and hybrid environments, without the downtime associated with other solutions. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.