Over the past 20 years, I’ve had the opportunity to work with, help architect, stand up, and scale dozens of DDoS mitigation services around the world. I’ve also been responsible for one of the most prominent cloud-based mitigation services in the industry. This provides me with a unique perspective on how many of these services compare and which situations are more appropriate for which type of service. I recently did a webinar comparing, contrasting, and outlining the 9 areas where cloud-based DDoS mitigation services are advantageous over ISP-based DDoS services. This article provides a summary of the points that I covered in the webinar, which can be seen in its entirety here.
ISP versus cloud-based mitigation services.
An ISP-based DDoS protection service is one that is provided by the first-mile ISP that connects a data center customer to the internet. Some or all of the customer’s traffic is already going through the ISP, so the ISP can detect an attack in that traffic and mitigate it locally, inside the ISP, before delivering the traffic to the customer. This is often termed a “clean pipes” service because the ISP typically sells it to the customer by the circuits (the “pipes”) it delivers.
A cloud-based DDoS mitigation service is delivered by a provider that is connected to various places on the internet upstream of the data center customer’s ISPs, premises, or other cloud providers. It is considered a “cloud” because it is on the internet and not directly connected to the customer. This should not be confused with cloud-based services delivered by cloud infrastructure providers such as AWS, Microsoft Azure, or Google Cloud. A cloud-based DDoS mitigation service uses either the Border Gateway Protocol (BGP), the routing protocol of the internet, or the Domain Name System (DNS), the telephone directory of the internet, to divert traffic to its cloud mitigation centers. Once the traffic arrives on the provider’s infrastructure, the mitigation service cleans or “scrubs” out the malicious attack traffic and returns the clean traffic to the customer.
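The two diversion methods described above can be modelled in a few lines. The following Python is an added example, not code from the article or from any mitigation provider: a toy longest-prefix-match table stands in for the global BGP table, a dictionary stands in for a public DNS zone, and every prefix, hostname and address (10.100.0.0/22, example.com, 192.0.2.10, the "scrubbing-center" and "gre-tunnel-to-customer" next hops) is constructed for illustration. The BGP half shows the provider announcing the attacked /24 as a more-specific so that only that traffic is pulled into the scrubbing center and returned over a tunnel; the DNS half shows the proxy-style diversion together with the check a defender wants to run on it, namely that no public record still resolves to the origin address, since DNS-based diversion only covers traffic that actually passes through the proxy.

```python
"""Added example (not from the article, not any provider's code): toy model of
BGP-based and DNS-based diversion to a cloud scrubbing center, plus a
defender-side check for the DNS variant. All names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # who receives traffic destined to this prefix


class RoutingTable:
    """Longest-prefix-match table standing in for the internet's BGP table.
    Real BGP tie-breaking (AS path, local preference) is ignored: a more-specific
    announcement simply wins, which is what on-demand diversion relies on."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def announce(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop))

    def withdraw(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes
                       if not (r.prefix == net and r.next_hop == next_hop)]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen).next_hop


def bgp_diversion_demo() -> Dict[str, Optional[str]]:
    """Customer aggregate 10.100.0.0/22 (constructed) is normally reached through
    the customer's ISP. Under attack the provider announces the attacked /24 as a
    more-specific, which diverts only that /24 into the scrubbing center; the
    scrubber's own table sends clean traffic back over a GRE tunnel."""
    internet = RoutingTable()
    internet.announce("10.100.0.0/22", "customer-isp")
    before = internet.lookup("10.100.1.10")      # normal path: straight to the ISP
    internet.announce("10.100.1.0/24", "scrubbing-center")
    during = internet.lookup("10.100.1.10")      # diverted: the more-specific wins
    untouched = internet.lookup("10.100.2.10")   # sibling /24 keeps its normal path
    scrubber = RoutingTable()
    scrubber.announce("10.100.1.0/24", "gre-tunnel-to-customer")
    return_path = scrubber.lookup("10.100.1.10")  # clean traffic goes home via tunnel
    internet.withdraw("10.100.1.0/24", "scrubbing-center")
    after = internet.lookup("10.100.1.10")       # withdrawn after the attack ends
    return {"before": before, "during": during, "untouched": untouched,
            "return_path": return_path, "after": after}


# --- DNS-based diversion ----------------------------------------------------
# Constructed public zone for example.com: the web host is a CNAME to the
# provider's proxy, so resolvers hand clients the proxy address, not the origin.
PUBLIC_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com.": ("CNAME", "www.example.com.ddos-proxy.example.net."),
    "www.example.com.ddos-proxy.example.net.": ("A", "192.0.2.10"),  # provider proxy
    "mail.example.com.": ("A", "198.51.100.25"),
    "dev.example.com.": ("A", "203.0.113.7"),  # stale record pointing at the origin
}
ORIGIN_IPS = {"203.0.113.7"}  # the real server behind the proxy (constructed)


def resolve(zone: Dict[str, Tuple[str, str]], name: str, depth: int = 0) -> str:
    """Follow CNAMEs to the final A record (bounded to avoid CNAME loops)."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    rtype, value = zone[name]
    return value if rtype == "A" else resolve(zone, value, depth + 1)


def exposed_origin_records(zone: Dict[str, Tuple[str, str]], origin_ips) -> List[str]:
    """Defender check: DNS diversion only covers traffic that reaches the proxy, so
    any public record that still resolves to the origin address means the origin
    is reachable without scrubbing. Returns the offending record names."""
    return sorted(name for name, (rtype, value) in zone.items()
                  if rtype == "A" and value in origin_ips)


if __name__ == "__main__":
    print(bgp_diversion_demo())
    print(resolve(PUBLIC_ZONE, "www.example.com."))
    print(exposed_origin_records(PUBLIC_ZONE, ORIGIN_IPS))
```

The stale dev.example.com record is the kind of finding this check is for: the public zone should be audited whenever DNS-based diversion is in place, and the origin should additionally only accept traffic from the provider's ranges so that an exposed record is a finding rather than an outage.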
ISP-based DDoS services can be very effective, and there are some situations where it would be advantageous to adopt them over a cloud-based service. For example, if a company has a single ISP that it already works with and that ISP offers a DDoS mitigation service, it can make a lot of sense to use that ISP for DDoS protection as well. The ISP can provide the service more cost-effectively in most cases, is already carrying the company’s traffic, and can act upon that traffic very surgically by mitigating only the traffic destinations that are under attack. The company may also already have established operational processes with its ISP that can be leveraged for DDoS response. In addition, if the company operates outside of the United States, local ISPs are usually able to provide services in the local language.
Advantages of cloud-based DDoS mitigation.
For companies that have a larger footprint, operate globally, use multiple ISPs, employ workloads in Cloud providers, and/or use CDN services, cloud-based DDoS mitigation is more often the better choice. There are nine distinct advantages that cloud-based mitigation providers have over ISPs in these situations:
1) Ability to protect assets regardless of where they are deployed. A unique aspect of a cloud-based DDoS mitigation service is the fact that it can stand in front of a customer’s applications and infrastructure regardless of what the customer has deployed. With a combination of BGP-based diversion, DNS-based diversion, and load balancing behind DNS-based proxies, a cloud-based DDoS mitigation service can provide protection to customers on any infrastructure: a self-hosted datacenter, a Cloud provider, a multi-cloud deployment through a CDN, multiple CDNs, or any combination of these. Regardless of the destination, traffic will go through the same mitigation network with the same monitoring, protection, Security Operations Center (SOC), and reporting. ISP-based DDoS mitigation services are limited to protecting traffic carried on the circuits that they sell the customer.
2) Carrier and CDN agnostic. Companies that use their ISP or a CDN for DDoS protection and standardize on that service lock themselves into that provider moving forward as it becomes much harder to replace or augment their services while trying to maintain similar protections against DDoS. Cloud-based DDoS mitigation services are agnostic to first-mile carriers. This gives a customer flexibility: they can replace their ISP or CDN provider or add new providers, without changing anything operationally for their DDoS defense.
3) Mitigation Capacity. How big is big enough? In the world of DDoS, you must be big to eliminate the risk of being overrun on mitigation capacity. Thanks to millions of compromised IoT devices, high-capacity internet connectivity everywhere, and hijacked cloud-based servers, attackers can launch huge attacks when they want to. Vercara routinely sees attacks between 500Gbps and 1Tbps, and we’ve mitigated attacks as high as 1.2 Tbps. Having the capacity to withstand those levels of attack is necessary. Most ISPs purchase mitigation equipment commercially, and it is very expensive, so they are limited in how much they can deploy based on their budgets and ROI calculations. ISPs are also limited by the size of their connections to other ISPs: it doesn’t make sense to have 100Gbps of mitigation capacity if your peering is only 200Gbps. This can vary greatly, as larger ISPs are typically able to buy and use a lot more capacity than smaller regional ISPs. Cloud-based DDoS mitigation providers, on the other hand, will usually have some of their own technology for mitigation and/or have tight commercial relationships with mitigation equipment providers that allow them to deploy at a much larger scale.
4) Network footprint. Where you are is important when you are the network that stands between a customer’s clients and their applications. To provide the optimal, low-latency user experience, it’s necessary to offer services close to both the user and the datacenter hosting the application. To be effective in the face of a large attack without the risk of a cascade failure, each of those locations should have sufficient capacity to withstand most of the attack traffic by itself. ISPs tend to operate in specific geographies and are forced to spread their mitigation capacity across their locations for coverage. Cloud-based DDoS mitigation services typically have global footprints and higher-capacity nodes. This global presence also isolates attack traffic to the region where it originated.
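Points 3 and 4 together describe a capacity model: each site can only absorb min(scrubbing capacity, link capacity), attack traffic lands at the site nearest its source, and an overwhelmed site that drops out sheds its share onto the survivors. The simulation below is an added example, not from the article or any provider, with constructed site names and capacities; it runs the same 500Gbps attack against a three-site regional footprint of 120Gbps-effective nodes and against a four-site footprint of 400Gbps nodes, and shows the cascade failure the text warns about in the first case and full absorption in the second.

```python
"""Added example (not from the article, not any provider's code): simulation of
attack traffic spread over an anycast-style mitigation footprint, including the
cascade failure that occurs when sites cannot absorb the load by themselves.
All site names, capacities and attack volumes are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Site:
    name: str
    scrub_gbps: float    # mitigation (scrubbing) capacity installed at the site
    peering_gbps: float  # size of the site's connections to other networks

    @property
    def effective_gbps(self) -> float:
        # Scrubbing capacity beyond what the site's links can deliver is wasted,
        # so the usable capacity is the smaller of the two figures.
        return min(self.scrub_gbps, self.peering_gbps)


def simulate_cascade(sites: List[Site],
                     attack_by_site: Dict[str, float]) -> Tuple[List[str], List[str]]:
    """attack_by_site gives the Gbps of attack traffic initially landing at each
    site (anycast delivers each source's traffic to its nearest site, which is
    what keeps an attack confined to its region of origin). A site whose load
    exceeds its effective capacity withdraws; its load is spread evenly over the
    survivors, which may overload them in turn. Returns (surviving site names,
    failed site names in the order they failed)."""
    load = {s.name: attack_by_site.get(s.name, 0.0) for s in sites}
    alive = {s.name: s for s in sites}
    failed: List[str] = []
    while alive:
        over = [n for n, s in alive.items() if load[n] > s.effective_gbps]
        if not over:
            break
        # The most overloaded site drops first; then its traffic is redistributed.
        victim = max(over, key=lambda n: load[n] - alive[n].effective_gbps)
        shed = load.pop(victim)
        failed.append(victim)
        del alive[victim]
        if alive:
            per_survivor = shed / len(alive)
            for n in alive:
                load[n] += per_survivor
    return sorted(alive), failed


# A 500Gbps attack whose sources are concentrated in one region (constructed).
def regional_footprint_scenario() -> Tuple[List[str], List[str]]:
    """Three regional sites: 150Gbps of scrubbing each, but only 120Gbps of peering."""
    sites = [Site("region-east", 150, 120),
             Site("region-central", 150, 120),
             Site("region-west", 150, 120)]
    attack = {"region-east": 200, "region-central": 150, "region-west": 150}
    return simulate_cascade(sites, attack)


def global_footprint_scenario() -> Tuple[List[str], List[str]]:
    """Four global sites, each able to absorb 400Gbps on its own."""
    sites = [Site("global-amer", 400, 400), Site("global-emea", 400, 400),
             Site("global-apac", 400, 400), Site("global-latam", 400, 400)]
    attack = {"global-amer": 200, "global-emea": 150, "global-apac": 150}
    return simulate_cascade(sites, attack)


if __name__ == "__main__":
    print("regional:", regional_footprint_scenario())
    print("global:  ", global_footprint_scenario())
```

In the regional case the first site to fail pushes 100Gbps onto each neighbour, which then fail as well, so the whole footprint goes down under an attack whose total volume (500Gbps) the sites could have absorbed in aggregate (360Gbps effective) only if no single site had been the first to buckle. The same numbers against the global footprint leave every site under half its capacity, and the latam site, far from the attack sources, never sees the traffic at all.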
5) Expertise and Focus. A close friend of mine had to have open heart surgery a couple of years ago. He was nervous, as can be expected, when he went to see his heart surgeon at Mass General Hospital. The doctor walked into the room with an air of confidence and told him, “I know that you are probably scared about what is to come, but I can assure you that you are in good hands. I’ve done 300 of these operations in the past year, and I’ve got 3 more later today. I’ve got you.” He walked out of the doctor’s office feeling much better, the operation was a success, and two years later, he’s still doing well. Expertise matters. Experience matters. Focus matters. He may or may not have had the same success if he had gone to a generalist doctor or even a general cardiologist for the operation, but he cut his risk considerably by going to the best. The same is true for DDoS mitigation. ISPs’ primary business is to deliver connectivity to companies and consumers. DDoS is a complementary service to connectivity that is part of a large portfolio of offerings. Cloud-based DDoS mitigation service providers typically offer a smaller set of specific services that they are very good at delivering.
6) Flexibility of Deployment. Larger companies that I’ve worked with always have some uniqueness to their footprint, application environment, tools, or operational practices. Given this, the customer should not have to adapt to a cookie-cutter service with rigid practices but rather use a service that best suits their environment. ISPs are highly regulated companies that offer a wide variety of services, so they do not generally have the luxury of being particularly flexible. Cloud-based DDoS mitigation providers have the connectivity and integration capabilities to provide a much more flexible set of options to maximize customer value.
7) Customer service. This is an extension of expertise. ISPs typically have some very strong DDoS experts, but they can generally be found in level 3 and 4 escalation teams. Customers must go through layers of generalist level 1 and 2 support personnel before getting to someone with the appropriate expertise. Cloud-based DDoS mitigation providers usually have 24×7 Security Operations Center (SOC) teams that are primarily focused on DDoS. A DDoS expert answers the phone when you call; you don’t have to go through organizational layers and delays to get to them.
8) SLAs. This one comes back to focus. ISPs offer DDoS as one of many services in their portfolio so the teams supporting these services develop operational practices that are more general in nature. This is reflected in the SLAs that they can offer. Cloud-based DDoS mitigation providers are more focused and specialized, so they can offer more aggressive SLAs.
9) Total Cost of Ownership (TCO). For customers that have a broader footprint and have multiple places where their assets are deployed, cloud-based DDoS mitigation providers are in a unique position to protect it all under a single service at a reasonable price. ISP-based services are usually sold on a per-circuit basis. If the organization expands, its costs go up. If it uses multiple ISPs, the company has to contract multiple sets of service. If the company has a service in a Cloud workload, it will need to get a separate mitigation service from the Cloud vendor or CDN. It takes more staff to manage these disparate mitigation services. Cost and risk can go up significantly as a result: the cost of protecting an online presence grows exponentially with its complexity. Cloud-based DDoS mitigation services are typically sized based on the amount of clean or normal traffic a customer may see, so this will not increase a lot even as the organization expands or adjusts its footprint. This creates a much lower TCO over the long run.
Moving into the future with confidence.
DDoS attacks continue to plague the industry, with motivated attackers, expanding botnets capable of carrying out very large attacks, and increasingly sophisticated attacks. The costs that organizations incur as a result of attacks also continue to grow. It is, therefore, important for defenders to regularly review their defense capabilities and ensure that they are protecting all of their assets with current best-practice capabilities that are tightly integrated into their environment.
In many cases, a cloud-based DDoS mitigation service such as Vercara’s UltraDDoS Protect service offers significant advantages over ISP-based services, including:
- A 15Tbps network purpose-built for DDoS mitigation with 16 global locations.
- Carrier, application, and deployment model agnostic.
- A dedicated SOC of DDoS experts available 24×7.
- Many flexible options for deployment, integration, and automation.
- Aggressive SLAs: 0-second edge mitigation SLA, 30-second auto-mitigation SLAs, SLAs around provisioning, and aggressive mitigation effectiveness SLAs.
Ready to learn how a cloud-based DDoS mitigation service can protect your organization? Visit our solution page to learn more!