Better "Always-On" DDoS Mitigation

By Rick Rumbarger

Distributed Denial of Service (DDoS) attacks have been the frustration of information technology professionals for many years. When asked, most will tell you they wish their Internet service providers (ISPs) would simply provide them "clean pipes" all the time and take care of DDoS attacks upstream before they ever get to them.

Unfortunately, the resources (equipment and personnel) necessary to clean Internet connections all the time are very expensive and come with several downsides. Luckily, progressive DDoS mitigation providers understand that traditional "always-on" mitigation solutions are seldom in the customer's best interest and a hybrid approach is more desirable.

Traditional "always-on" mitigation solutions were developed for companies with mission-critical operations or for those that face large penalties when their services are unavailable for even a few minutes, as is the case for many financial institutions. Just a few years ago, the only option for companies looking for "always-on" protection was to buy expensive, dedicated, purpose-built perimeter defense mitigation appliances for every ingress point into their network. For these companies, that also meant hiring dedicated, highly compensated specialists to operate the equipment 24/365 as well as maintaining excess Internet circuit capacity to absorb any attacks.

As time went on, it became clear to companies that chose this path that no single manufacturer of purpose-built mitigation appliances was good at detecting and mitigating all types of attacks. The variety of things companies were connecting to the Internet was rapidly increasing (e.g., email, VoIP, video, file shares, portals, etc.) and no matter how much excess Internet circuit capacity they purchased, the attackers could always outsize them with a larger attack.

As a result, many purchasers of traditional "always-on" DDoS mitigation services moved to specialized mitigation service providers with multi-million-dollar cloud-based scrubbing nodes that protected groups of customers with multiple layers of purpose-built mitigation appliances, had dedicated staff who fought attacks 24/365, and had massive connections directly tied into the core of the Internet.

The problem was that this did not alleviate customers' desire to receive an "always-on" service, and many cloud-based DDoS mitigation providers reluctantly agreed to provide the service. Unfortunately, these providers seldom took the time to educate customers on the downsides of this approach. So, before you consider buying this traditional "always-on" cloud-based mitigation service, here are some important things to consider:

So the question becomes: if you are still a customer who values an "always-on" solution, what should you do?

The best answer is to combine dedicated, locally-deployed, fully-managed mitigation appliances to detect and mitigate initial attacks, with a cloud-based mitigation service to which traffic can be moved when the size or complexity of an attack warrants. This is known as a "hybrid always-on" DDoS mitigation solution.

The advantage is an always-on solution managed by dedicated specialists who can easily swing traffic to a larger, more sophisticated global network of scrubbing nodes as attacks warrant, without the exposure to the risks of a shared platform. The disadvantage is cost. This solution is often beyond the budget of smaller customers.

Alternatively, if you are an enterprise that is still very sensitive to downtime but does not have the budget for a true hybrid solution, your best option is local traffic analysis combined with a pre-configured subscription to a cloud-based mitigation platform from the same provider. The advantages of this solution are early detection and quick traffic routing, which will shorten the impact of attacks, without the exposure to the risks of a shared platform.

In the end, it comes down to budget versus acceptable downtime, but in either case traditional always-on DDoS mitigation solutions are no longer the right answer.

By Rick Rumbarger, Technology Executive
