What is DDoS Mitigation, and What Kinds of DDoS Protection Solutions Exist?
Distributed denial of service (DDoS) attacks come in different forms, but the common denominator is that they consist of junk traffic orchestrated by cybercriminals to bombard their victim. Common targets are servers hosted by the victim, where the attacks block legitimate users by keeping the server busy processing junk requests, overwhelming the available resources of the operating system or hosted application. This overloading causes the target to offer a severely degraded service, or even to fail completely. Other common volumetric DDoS attacks overwhelm the network itself, saturating links or exhausting the state tables of the infrastructure and security devices the traffic encounters.
DDoS attacks once focused purely on sending high volumes of packets to flood the network: large-scale attacks that fill network connections with junk traffic to the extent that no legitimate traffic can flow. However, cybercriminals now seldom aim to overwhelm the network connections themselves; indeed, the vast majority of DDoS attacks seen and stopped by Corero do not saturate the links over which they propagate, which is why they often go unnoticed by human security analysts monitoring their network when manual DDoS protection techniques are relied upon.
Today’s attacks use newer, more sophisticated techniques, often purposefully employing multiple attack vectors in order to evade traditional DDoS protection. These often short, sub-saturating attacks are extremely effective at impacting critical services, or even at masking other nefarious cybercriminal activities. DDoS attacks which do not saturate links but still impact stateful infrastructure devices, servers and applications are a daily occurrence. Short, sub-saturating attacks also cause latency and poor network performance, which can still lead to lost revenue and reputation damage for organizations that rely on the Internet to do business.
Some companies are motivated to look for DDoS protection because they have experienced a large public volumetric attack, while other companies seek a solution to the ongoing issues caused by small, sub-saturating DDoS attacks. Some companies experience both types of DDoS attack. Regardless, every organization which relies upon the availability of its Internet presence should worry about the impact of modern DDoS attacks that often go unnoticed, or are simply dismissed as “noise” in the network.
The good news is that solutions are available for organizations to successfully defend against DDoS attacks of all sizes, so that network, application, or service performance is not impacted. When shopping for a DDoS mitigation solution, organizations should determine which kind of protection their business needs. There are basically three options: 1) purchase an on-premises solution; 2) deploy a hybrid combination of an on-premises appliance and a cloud scrubbing center; 3) get protection from their hosting provider or Internet service provider. Below is a summary of the characteristics and benefits of those three options.
- An on-premises, purpose-built DDoS defense solution is best deployed between the Internet and the enterprise network. This first-line-of-defense approach prevents outages by inspecting traffic at line rate and blocking attacks in real time, while allowing legitimate traffic to flow. On-premises, real-time defense enables comprehensive visibility into DDoS security events when deployed at the network edge. Additionally, the archived security event data enables forensic analysis of past threats for compliance reporting.
- A hybrid combination of on-premises appliances and a cloud scrubbing center provides protection against the whole spectrum of attacks for organizations with modest Internet bandwidth. In the event of a massive volumetric attack which saturates its Internet links, a business can engage its on-demand cloud defense provider to quickly initiate that service. Meanwhile the on-premises appliance mitigates the smaller, non-saturating attacks and any residual attack traffic not blocked while cloud scrubbing is active. A key benefit of the hybrid approach is that the on-premises device greatly reduces the number of times an organization has to switch over to the cloud, which lowers costs and provides a real-time, comprehensive and consistent defense.
- DDoS Protection as a Service (DDPaaS) is increasingly offered by more Internet service providers (ISPs). This solution simplifies life for enterprise IT security teams because it’s like outsourcing your DDoS protection; the ISP guarantees that you get only clean traffic delivered to your network.
A Bad Approach to DDoS Mitigation
It is not recommended that organizations rely exclusively on cloud-based, on-demand mitigation. Why? Simply put, cloud-based mitigation techniques don’t offer full protection against all types of DDoS attacks. Cloud-based DDoS mitigation is useful against large, persistent, brute-force volumetric attacks, the kind that send the infamously huge, bandwidth-overwhelming floods of traffic to an organization, but it cannot deal with short, sub-saturating DDoS attacks, because the typical time needed to swing traffic to the scrubbing center means the attack is already over.
Whether it’s the relatively rare massive-volume attacks or the daily onslaught of much smaller and shorter attacks, the cloud-based mitigation approach fails to protect in the critical first few minutes, or tens of minutes, of an attack. Before cloud-based mitigation can be engaged, an alert must be raised and a human analyst must get involved in deciding what to do. Once a decision has been made to off-load the impacted traffic, the security analyst must initiate the redirection and then engage the cloud-based scrubbing service; by the time this process is complete, 10 to 20 minutes or more may have passed. This means that much of the damage is already done by the time mitigation activates. Few online businesses can tolerate being down for that length of time without negative impact. Plus, that’s plenty of time for hackers with a broader agenda to capitalize on the distraction it creates and carry out other nefarious activities, which may well lead to the exfiltration of valuable data.
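The time-to-swing argument above, and the hybrid switching behaviour described in the deployment options, can be made concrete with a small model. This is an added example, not Corero's code or data: the attack trace is constructed, attacks are assumed not to overlap, a link-saturating attack is assumed to be beyond what an in-line appliance alone can absorb, and the 15-minute swing delay is taken from the 10-to-20-minute range the text gives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attack:
    """One DDoS event in a constructed trace (hypothetical values, not measurements)."""
    start_s: int        # seconds since the start of the trace
    duration_s: int     # how long the junk traffic lasts
    rate_gbps: float    # peak junk-traffic rate arriving at the link


def impacted_seconds(attack, link_gbps, strategy, swing_delay_s):
    """Seconds during one attack for which the service is still impacted."""
    saturating = attack.rate_gbps > link_gbps
    if strategy == "cloud":
        # On-demand scrubbing only: unprotected until the traffic swing completes,
        # regardless of attack size; short attacks end before that happens.
        return min(attack.duration_s, swing_delay_s)
    if strategy == "onprem":
        # In-line appliance blocks in real time anything that fits through the
        # link; an attack that saturates the link upstream is not helped.
        return attack.duration_s if saturating else 0
    if strategy == "hybrid":
        # Appliance handles sub-saturating attacks instantly; cloud scrubbing is
        # engaged only for saturating ones, with the usual swing delay.
        return min(attack.duration_s, swing_delay_s) if saturating else 0
    raise ValueError(f"unknown strategy {strategy!r}")


def evaluate(attacks, link_gbps, strategy, swing_delay_s=15 * 60):
    """Total impacted seconds and number of cloud swing-overs for a strategy."""
    total = sum(impacted_seconds(a, link_gbps, strategy, swing_delay_s) for a in attacks)
    if strategy == "cloud":
        swings = len(attacks)
    elif strategy == "hybrid":
        swings = sum(1 for a in attacks if a.rate_gbps > link_gbps)
    else:
        swings = 0
    return {"impacted_s": total, "cloud_swings": swings}


# Constructed trace on a 10 Gbps link: ten 5-minute, 2 Gbps sub-saturating
# attacks spread over a day, plus one 2-hour, 50 Gbps link-saturating flood.
TRACE = [Attack(start_s=i * 3600, duration_s=300, rate_gbps=2.0) for i in range(10)]
TRACE.append(Attack(start_s=11 * 3600, duration_s=7200, rate_gbps=50.0))

if __name__ == "__main__":
    for strategy in ("cloud", "onprem", "hybrid"):
        print(strategy, evaluate(TRACE, link_gbps=10.0, strategy=strategy))
```

On this trace, cloud-only leaves every short attack entirely unmitigated and swings eleven times, on-premises alone is defenceless for the whole saturating flood, and the hybrid combination is impacted only for the single swing delay.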
Save Now, But Pay Later
What about price, you may ask? The price of cloud-based mitigation as a monthly fee can seem more affordable, but in the event of an actual attack the cost can be staggering, depending on the size and duration of the attack. When shopping for DDoS attack protection, companies should consider best value in terms of total cost of ownership. Companies need to be concerned about all types of DDoS attack, and to successfully mitigate them they need real-time protection that is automated, granular and scalable. They should no longer rely on legacy or patchwork approaches to defeating the DDoS threat.
For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall DDoS mitigation solutions protect on-premises, cloud, virtual and hybrid environments. If you’d like to learn more about Corero’s deployment models, please contact us.
Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.