On-premise or cloud? Rewriting the rules of DDoS defence

The dilemma facing many organisations when it comes to implementing an effective DDoS defence is whether to deploy on-premises DDoS protection or subscribe to a cloud-based provider. These decisions are not taken lightly, as the threat landscape is wide ranging and becoming increasingly sophisticated.

Organisations that have taken the steps toward outlining their DDoS defence strategy typically begin by looking to out-of-band defences and anti-DDoS scrubbing-lane approaches for re-routing traffic once an attack has been identified (most often after an outage or service degradation has been experienced).

This approach is a good first step for DDoS prevention, but it’s only the tip of the iceberg. The recommendation by industry analysts is to execute on a two-pronged approach – to include in-line, real time detection and attack mitigation as the primary means for DDoS defence, and cloud anti-DDoS for full pipe saturation attacks.

>See also:Is secure cloud the next step in the evolution of information security?

Partial saturation attacks are becoming more commonplace. These DDoS attacks are large (relatively speaking), but are only lasting for a short period of time, and they do not fully saturate the Internet link.

While these attacks can be quite devastating to unprotected downstream border defences, hosted customers or Internet facing services; there is certainly an ulterior motive, most often financial gain or to acquire sensitive customer data.

Additionally, these partial saturation events are not long enough in duration such that the attacks can be detected and re-routed quickly enough for cloud-based DDoS mitigation solutions to provide much, if any benefit.

When assessing the most appropriate strategy for DDoS defence, the solutions aren’t like-for-like comparisons; however there is a suggested approach to protect against the entire spectrum: hybrid on-premise and cloud DDoS mitigation.

Cloud anti-DDoS

DDoS protection, provisioned as a service, is most often utilised as an on-demand option for large-scale attacks. Massive volumetric attacks occur when more traffic than the total bandwidth of a network link is sent, which no amount of hardware resources will effectively combat.

Human intervention is critical to an on-demand defence approach – once detected an analyst must then decide to enable the transition to the cloud. A recent study from Corero found that nearly half of all participants cited customer complaints as their initial means of notification of a DDoS attack. The time of detection to the time of mitigation could range to upwards of one hour with this approach.

However, the majority of volumetric attacks are on the order of 30 minutes or less, but by the time your on-demand defences are engaged the damage is done.

With out-of-band cloud anti-DDoS, visibility and analysis begins only after the traffic has been re-routed to the scrubbing service, allowing for little, if any, insight into the attack, eliminating all analysis capabilities.

Some businesses that frequently experience these attacks subscribe to an always-on anti-DDoS cloud solution service. The costs associated with this approach are substantial. If frequent, massive volumetric DDoS attacks are the Achilles heel of an organisation, it’s hard to put a price on uninterrupted service availability.

Real-time defence

Purpose built DDoS defence solutions are deployed between the internet and the enterprise network. A first-line-of-defence approach prevents outages by inspecting traffic at line-rate and blocking attacks in real time while allowing approved traffic to flow uninterrupted.

On-premise, real-time defence enables complete and sophisticated visibility into DDoS security events when deployed at the network edge. Additionally, archived security event data will enable forensic analysis of past threats and compliance reporting of security activity, acting as a strong advantage against attackers when DDoS is utilised as a distraction.

Given its nature, precise enforcement of mitigation policies against attack traffic must be accomplished without incurring false positives, with line-rate performance and maximum security efficacy. On-premise technology is designed to handle volumetric network-based attacks, reflective and amplified spoof attacks, and application layer attacks.

Silver bullet

In 2014 the SANS Institute reported: “DDoS mitigation solutions integrating on-premises equipment and ISP and/or mitigation architectures are nearly four times more prevalent than on-premises or services-only solutions. The growing sophistication of DDoS attacks and the sensitive nature of potential disruption to business services require both local and upstream protections that work in sync.”

In addition, Akamai’s 2014 State of the Internet report shows a reduction in the number of customers reporting being targeted by DDoS attacks. Although interesting, this is perhaps not the complete view into the frequency of attacks. The Akamai solution is intended to defeat attacks after the traffic has been passed to their cloud services, which is effective. However, this doesn’t account for attacks that aren’t full pipe saturation events and may have gone undetected or didn’t last long enough to be redirected to the cloud. During the same time, a single, not unusual Corero customer experienced more discrete attacks than were measured across the entirety of the Akamai customer base.

The concept of on-demand cloud defence for a pipe saturation attack coupled with always on, on-premise defence provides protection against the whole spectrum. Businesses that engage with their on-demand DDoS mitigation provider can quickly initiate that service based on visibility in the event of a massive volumetric attack.

The main benefit of a hybrid approach is that the on-premises device heavily reduces the number of times an organisation switches over to the cloud – lowering cost and providing comprehensive and consistent defence.

>See also: How to secure data in the cloud

During the switchover, an on-premise solution would continue to provide the necessary protection for any threats not mitigated by the cloud. Continuous monitoring can show when an organisation can return to normal operation and collaborative communication and sharing of information between the user and provider enables comprehensive visibility, enhancing the overall security performance of the network.

The implementation of an always-on solution combined with on-demand cloud defence provides businesses with a means of safeguarding against the vast scope of DDoS attacks posed to their networks. With DDoS attacks now being delivered in various sizes and with differing intentions, ensuring that the appropriate prevention best practices are utilised correctly could well be what saves an organisation from falling victim to a major breach of information.


Sourced from Dave Larson, CTO at Corero Network Security

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Breach
DDoS Attack