DDoS (distributed denial of service) attacks are a serious and persistent threat to every network. This series highlights the six widely-accepted technologies and architectures that you can employ to protect your assets.
These are:
- Overprovisioning
- DDoS Mitigation Appliances
- ISP Scrubbers
- Third-Party Scrubbing Services
- Cloud Web Application Firewall
- Remotely Triggered Black Hole
For more detailed information, read our whitepaper, Building Better DDoS Mitigation.
One of the first steps that organizations take when dealing with the threat of DDoS is to increase the resiliency of their datacenter. There are two proven and frequently-employed DDoS mitigation technologies available for on-premises protection. They can be effective against small and even medium-sized attacks, but have limitations in capacity for larger attacks.
1. Overprovisioning
This solution expands network capacity by provisioning critical network resources (web and email hosting, servers, network connections) at 40-60% of normal usage requirements, instead of typical provisioning levels of around 80% utilization.
It is simple to implement without specialized security expertise, and makes use of DDoS mitigation capabilities built into network equipment such as routers, firewalls, and intrusion detection systems (IDS). It does require many additional network components to be overprovisioned as well, including backend databases, web and email servers, application servers, firewalls, network switches, and so on.
Organizations that also use cloud resources can leverage cloud autoscaling capabilities to boost the mitigation capacity significantly and almost instantly, allowing an overprovisioned infrastructure to survive larger attacks. However, autoscaling can trigger much higher usage levels that drive up costs.
The biggest drawback of this strategy is its severely limited capacity, particularly when DDoS attacks are growing in size and intensity. But it is effective against small attacks which are very common.
2. DDoS Mitigation Appliances
This technology uses appliances deployed in the datacenter that are specifically designed to mitigate DDoS attacks. They are essentially high-capacity IDS machines that can detect and drop DDoS traffic, and they do this very well.
These appliances work by detecting telltale DDoS patterns in traffic and dropping it almost instantaneously. They should be located upstream of firewalls and routers in the datacenter. Multiple appliances can be combined to expand mitigation capacity, creating what amounts to an in-house DDoS scrubbing center.
Each data center requires its own appliance(s), so costs can add up for larger organizations. Moreover, the appliances must periodically be updated or replaced, creating ongoing capital expenses. Finally, implementing this technology does require some IT engineering involvement, and ideally some staff expertise in DDoS mitigation to monitor and respond to any attacks.
For companies that can meet these requirements, mitigation appliances can successfully handle the numerous small DDoS attacks that organizations receive, and a multiple-appliance implementation can mitigate even moderate attacks. However, any appliance solution is ultimately limited by the bandwidth available in the circuits from your ISPs. An attack exceeding that bandwidth will saturate your network before reaching the mitigation appliances, resulting in an outage.
DDoS mitigation appliances can also be deployed in an ISP or a third-party scrubbing center, upstream of the datacenter. My next post in this series will cover ISP scrubbing centers.
An effective DDoS strategy often involves multiple mitigation technologies. UltraDDoS Protect, our massively scaled DDoS solution, works effectively with other technologies to provide the highest level of protection.
We’d be happy to discuss your DDoS strategy and look for solutions that could strengthen your security posture. Contact us today for a consultative discussion of your strategy and options.