Effective DDoS attack mitigation can be located in the cloud, on premise, or in a hybrid combination of the two. No matter the type you choose, get ready for an alphabet soup of acronyms - beyond Distributed Denial of Service, of course.
DDoS Mitigation Modes
DDoS mitigation solutions usually have two modes of operation:
- “Always-on” – just as it sounds, the system continuously looks for suspicious traffic and routes anything it suspects for further investigation.
- “On-demand” – kicks in only when activated manually, either by some other defense component or by a person. Although it means an attack is already in progress, many organizations choose this option because they don’t trust their technology enough. They suspect that an “always-on” solution could trigger false positives and filter legitimate traffic.
Cloud-based Scrubbing Center DDoS Protection
The scrubbing center, the first line of defense against DDoS attacks, inspects and filters suspicious traffic either within a central location or spread across a distributed network of servers. This type of mitigation is best for volumetric attacks. Because volumetric attacks only affect Layers 3 and 4, this type of mitigation usually offers less protection against Layer 7 application attacks.
The other caveat - based on your SLA with your general cloud service provider, when your site is hit with a volumetric attack, you may be able to scale up to enough bandwidth that the attack is absorbed, and your site can continue operating as normal.
For low-and-slow attacks, more extensive mitigation strategies are required, such as Layer 7 challenges, monitoring visitor behavior, and blocking bots. These can be done on the cloud layer but require additional SLAs and resources.
Most scrubbing centers use the Border Gateway Protocol (BGP), which protects your entire network. It protects you against attackers targeting your direct IP or your DNS names. For example, you will be protected when the attacker is using the name of your organization, such as bankingplusonline.com, and you’ll also be protected if the attacker is using your numerical IP address, such as 10.249.3.2 – assuming your mitigation system is working as expected.
Cloud-based Content Delivery Network (CDN) Protection
The Content Delivery Network (CDN) delivers your website’s content directly to your customers. CDN protection is Domain Name System-based (DNS) for HTTP/web services. As a source for mitigation, a CDN-focused DDoS mitigation system protects only a single server. It will only protect you against attacks using the name of your organization, such as www.bankingplusonline.com. If someone types in your IP address directly, e.g. 10.249.3.2, you aren’t protected, and your mitigation provider never even sees the attack.
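The coverage gap between DNS-based CDN protection and BGP-based scrubbing can be checked against an export of your own DNS zone. The following is an added example, not part of the original article: the hostname and 10.249.3.2 are the article's sample values, while the CDN prefix, the scrubbed prefix, the mail record and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions); only the hostname and 10.249.3.2
# are the article's own example values.
CDN_PREFIXES = ["198.51.100.0/24"]     # hypothetical ranges the CDN answers from
SCRUBBED_PREFIXES = ["10.249.3.0/24"]  # hypothetical prefix routed via BGP scrubbing
ORIGIN_IP = "10.249.3.2"
ZONE = {  # hostname -> A record, as exported from your own DNS zone
    "www.bankingplusonline.com": "198.51.100.17",
    "bankingplusonline.com": "198.51.100.17",
    "mail.bankingplusonline.com": "10.249.3.2",  # points past the CDN
}

def in_any(ip, prefixes):
    """True if ip falls inside any of the CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def who_sees(ip, cdn_prefixes, scrubbed_prefixes):
    """Name the mitigation layer that would see traffic sent to ip."""
    try:
        if in_any(ip, cdn_prefixes):
            return "cdn"
        if in_any(ip, scrubbed_prefixes):
            return "scrubbing"
    except ValueError:  # malformed address or prefix in the input data
        return "invalid-record"
    return "none"

def audit(zone, origin_ip, cdn_prefixes, scrubbed_prefixes):
    """Report coverage per hostname plus the direct-to-IP path."""
    report = {name: who_sees(ip, cdn_prefixes, scrubbed_prefixes)
              for name, ip in zone.items()}
    report["direct:" + origin_ip] = who_sees(origin_ip, cdn_prefixes, scrubbed_prefixes)
    return report

def origin_leaks(zone, origin_ip):
    """Hostnames whose record hands out the origin address itself."""
    return sorted(n for n, ip in zone.items() if ip == origin_ip)

if __name__ == "__main__":
    for label, scrubbed in (("CDN only", []), ("CDN + BGP scrubbing", SCRUBBED_PREFIXES)):
        print(label)
        for target, layer in audit(ZONE, ORIGIN_IP, CDN_PREFIXES, scrubbed).items():
            print(f"  {target:32} -> {layer}")
    print("origin leaked by:", origin_leaks(ZONE, ORIGIN_IP))
```

Any hostname reported as "none" in the CDN-only run is a path the CDN provider never sees; moving that service behind the CDN or onto a scrubbed prefix closes it.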
On-Premise DDoS Protection
The most obvious solution is a dedicated DDoS protection device, combining hardware and software that protects your entire network from DDoS attacks across Layers 3, 4 and 7.
Behind the DDoS protection device are the load balancers, web application firewalls, and threat prevention systems. None of these stateful devices is effective against DDoS attacks, and they will likely be the first to collapse if the DDoS attack isn't mitigated.
On-Premise DDoS protection is effective for attacks that do not exceed your network's pipeline bandwidth. Because DDoS attacks are consistently reaching higher bandwidths, companies are setting up a two-tiered DDoS mitigation system as a solution. The cloud scrubbing, as the first layer of defense, is designed to mitigate the large volumetric floods, and the onsite DDoS mitigation system manages Layer 7 mitigation as well as leakage from Layer 3 & 4 volumetric floods. The complexity of integration and management of hybrid systems may actually increase vulnerability as more points of failure are possible.
Determining the best solution requires analysis of your risk, “always-up” requirements, size of your company, and the potential losses if your network or website is down. No matter what system you choose, BaseLine DDoS testing is critical to ensure it works when you need it.