
Better "Always-On" DDoS Mitigation

Rick Rumbarger

Distributed Denial of Service (DDoS) attacks have frustrated information technology professionals for many years. When asked, most will tell you they wish their internet service providers (ISPs) would simply provide them "clean pipes" all the time and take care of DDoS attacks upstream, before the traffic ever reaches them.

Unfortunately, the resources (equipment and personnel) necessary to clean Internet connections all the time are very expensive and come with several downsides. Luckily, progressive DDoS mitigation providers understand that traditional "always-on" mitigation solutions are seldom in the customer's best interest and a hybrid approach is more desirable.

Traditional "always-on" mitigation solutions were developed for companies with mission critical operations or for those who have large penalties associated with their services being unavailable for even a few minutes, as is the case for many financial institutions. Just a few years ago, the only option for companies looking for "always-on" protection was to buy expensive, dedicated, purpose-built perimeter defense mitigation appliances for every ingress point into their network. For these companies, that also meant hiring dedicated, highly compensated specialists to operate the equipment 24/365 as well as maintaining excess Internet circuit capacity to absorb any attacks.

As time went on, it became clear to companies that chose this path that no single manufacturer of purpose-built mitigation appliances was good at detecting and mitigating all types of attacks. The variety of things companies were connecting to the Internet was rapidly increasing (e.g., email, VoIP, video, file shares, portals, etc.) and no matter how much excess Internet circuit capacity they purchased, the attackers could always outsize them with a larger attack.

As a result, many purchasers of traditional "always-on" DDoS mitigation services moved to specialized mitigation service providers with multi-million dollar cloud-based scrubbing nodes. These providers protected groups of customers with multiple layers of purpose-built mitigation appliances, had dedicated staff who fought attacks 24/365, and had massive connections tied directly into the core of the Internet.

The problem was that this did not alleviate customers' desire to receive an "always-on" service, and many cloud-based DDoS mitigation providers reluctantly agreed to provide it. Unfortunately, these providers seldom took the time to educate customers on the downsides of this approach. So, before you consider buying a traditional "always-on" cloud-based mitigation service, here are some important things to consider:

  • Mitigating DDoS attacks is more of an art than a science and some legitimate traffic will be blocked while "cleaning" out attack traffic.
  • When large inflows of legitimate traffic (the surge that follows positive media attention, known in the industry as the Oprah Effect) come through an always-on node, mitigation rules will likely be triggered, potentially blocking legitimate traffic and resulting in a second, this time negative, mention in the media.
  • Like all computer systems, scrubbing nodes need to go offline from time to time for maintenance purposes. While some providers have capacity and procedures to deal with this, many do not and, in either case, it is a labor intensive process prone to human error.
  • Mitigation is designed for emergency situations. Adding the additional connection hops and associated latency incurred by flowing traffic to a cloud scrubbing node, processing it, and then delivering it to the customer's hosting site is not typically an issue during an emergency. A mitigation is designed to keep the customer operational, and the additional latency and time in transit is not considered significant. However, the additional latency and consequent degradation in the responsiveness of a customer's site can translate directly to lost business and customers when experienced all the time. The use of proxies (which have their own issues) can reduce the impact of this concern as it relates to static content, but not dynamic content which is typical of most Internet-based communications.
  • One of the most frustrating things for an IT professional can be tracking down system bugs that don't leave logical clues. Having a remote scrubbing node, designed to filter traffic, sitting between a customer's hosted service and either their corporate users or public end users creates yet another very difficult stumbling block, and sometimes results in a finger-pointing exercise when trying to track down bugs in online hosted applications or services.
  • Lastly, a very important thing to consider when looking at traditional "always-on" DDoS mitigation solutions is the impact of collateral damage from other customers on the same service. Because the service to which customers subscribe is shared with many other customers, any time one customer is attacked, the other customers on the same infrastructure face a potential impact even though they are not actually under attack. If they are on the same infrastructure as a controversial, gaming, or adult-oriented customer that is attacked frequently, they are at increased risk of being the victim of collateral damage, up to and including complete outages.

So the question becomes, if you are still a customer who values an "always-on" solution what should you do?

The best answer is to combine dedicated, locally-deployed, fully-managed mitigation appliances to detect and mitigate initial attacks, with a cloud-based mitigation service to which traffic can be moved when the size or complexity of an attack warrants. This is known as a "hybrid always-on" DDoS mitigation solution.

The advantage of this approach is an always-on solution managed by dedicated specialists who can easily swing traffic to a more sophisticated and larger global network of scrubbing nodes as attacks warrant, without exposure to the risks of a shared platform. The disadvantage is cost: this solution is often beyond the budget of smaller customers.

Alternatively, if you are an enterprise that is still very sensitive to downtime but does not have the budget for a true hybrid solution, your best option is local traffic analysis combined with a pre-configured subscription to a cloud-based mitigation platform from the same provider. The advantages of this solution are early detection and quick traffic routing, which will shorten the impact of attacks, without the exposure to the risks of a shared platform.
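The two points above that matter most to a defender are the false-positive risk of a flash crowd (the "Oprah Effect" bullet) and the escalation decision at the heart of the hybrid model: mitigate locally while the appliance can cope, and swing traffic to the cloud scrubbing network only when the attack outgrows it. The following toy model, added here as an illustration and not taken from the post or from any vendor's product, shows one way a local analysis step can separate a legitimate surge from a flood before any rule fires, and how the escalation policy then keys off local scrubbing capacity and circuit headroom. The counters, thresholds and capacity figures are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    """Per-interval counters a local appliance might export (constructed fields)."""
    label: str
    mbps: float       # inbound rate during the interval
    sources: int      # distinct source addresses seen
    syn_ratio: float  # share of TCP packets that are bare SYNs with no completed handshake


# Constructed capacity figures; real values come from the customer's circuit and appliance.
BASELINE_MBPS = 200.0      # typical inbound rate
LOCAL_SCRUB_MBPS = 2000.0  # what the on-premises appliance can clean in-line
CIRCUIT_MBPS = 5000.0      # size of the Internet circuit the appliance sits on


def classify(w: Window) -> str:
    """Label a window 'normal', 'flash_crowd' or 'flood'.

    Volume alone cannot separate a flash crowd from a flood, which is exactly
    why a pure rate threshold blocks legitimate surges. The tie-break used here
    is whether the traffic looks like many ordinary clients (high source
    diversity, completed handshakes) or like a flood (a few sources carrying a
    lot of traffic each, or mostly half-open SYNs).
    """
    if w.mbps < 3 * BASELINE_MBPS:
        return "normal"
    mbps_per_source = w.mbps / max(w.sources, 1)
    if w.syn_ratio > 0.5 or mbps_per_source > 1.0:
        return "flood"
    return "flash_crowd"


def decide(w: Window) -> str:
    """Hybrid policy: pass legitimate traffic untouched, clean what the local
    appliance can handle, and swing to cloud scrubbing only when the attack
    exceeds local capacity or threatens to saturate the circuit."""
    if classify(w) != "flood":
        return "pass"
    if w.mbps <= LOCAL_SCRUB_MBPS and w.mbps < 0.8 * CIRCUIT_MBPS:
        return "mitigate_local"
    return "escalate_cloud"


# Constructed sample windows: a quiet baseline, a media-driven surge of real
# users, a SYN flood the appliance can absorb, and an amplification flood
# that exceeds local capacity.
SAMPLE_WINDOWS = [
    Window("quiet_weekday", mbps=180.0, sources=4_000, syn_ratio=0.05),
    Window("press_coverage", mbps=1_500.0, sources=60_000, syn_ratio=0.08),
    Window("syn_flood", mbps=900.0, sources=300, syn_ratio=0.90),
    Window("amplification", mbps=4_500.0, sources=800, syn_ratio=0.02),
]


def run(windows=SAMPLE_WINDOWS) -> dict:
    """Map each window label to its (classification, action) pair."""
    return {w.label: (classify(w), decide(w)) for w in windows}


if __name__ == "__main__":
    for label, (kind, action) in run().items():
        print(f"{label:15s} {kind:12s} -> {action}")
```

The press-coverage window carries more than seven times the baseline rate, so a volume-only rule would have scrubbed it; source diversity and handshake completion are what let it pass. The amplification window is escalated not because the appliance cannot classify it but because its rate is beyond what the appliance can clean, which is the point at which the cloud subscription, pre-configured in advance, earns its keep.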

In the end, it comes down to budget versus acceptable down time, but in either case traditional always-on DDoS mitigation solutions are no longer the right answer.

By Rick Rumbarger, Technology Executive