2020 was a record-breaker for distributed denial of service (DDoS) attacks. During twelve turbulent months, we witnessed the largest DDoS attack known to date, a global ransom DDoS campaign against financial services, large-scale attacks on gaming services, and the COVID-19 crisis which was exploited by malicious actors.
Naturally, this rise in attack size and sophistication has brought about an increased interest in DDoS protection solutions, as organisations seek to protect themselves against this threat.
However, as businesses begin to weigh their options for DDoS protection, many quickly realise that DDoS protection can come in various formats, and they must consider which deployment type is best for them: on-demand cloud service, always-on cloud service, on-prem appliance, or hybrid protection?
The answer, in a nutshell, is that it all depends.
It's important to realise there is no such thing as the 'best' type of DDoS protection. Rather, different deployment options have different merits and drawbacks, and as a result, are best suited for other business use cases.
So it becomes a question not of 'what is the best type of DDoS protection', but of 'which deployment options are best suited for individual needs?'
Traditionally, DDoS protection relied on hardware appliances deployed at the customer's data centers. Hardware appliances frequently provided advanced protection, low latency, and granular control by network admins.
Yet its capacity was constrained by limits of the hardware appliance, or the traffic pipe leading into it. These limits made hardware appliances susceptible to large volumetric attacks which saturated the organisation's traffic pipe. In addition, they required additional management overhead by the organisation, large upfront investment (CAPEX) to purchase, and dedicated staff to operate them.
Thus standalone hardware appliances are most suited today either for large organisations or service providers creating their own mitigation scrubbing centres (usually with multiple such devices) or for organisations that are prevented by national or industry regulations from using cloud security services.
On-demand cloud service
Due to hardware appliances' capacity constraints, many organisations began looking to cloud-based scrubbing services for a solution. Compared to standalone hardware appliances, these services offer massive capacity, usually measured in terabits, as well as lower management overhead and more flexible pay-as-you-go, subscription-based (OPEX) costs.
However, cloud services are more limited in attacks they can protect against since they usually have visibility only to ingress traffic.
The first type of cloud-based DDoS protection is the on-demand service, activated only when an attack is detected. During peacetime, on a routine basis, traffic flows directly to the customer's network. Only when an attack is detected is traffic diverted to the cloud scrubbing centre, where traffic is 'scrubbed' for malicious traffic and only 'clean' traffic is sent back to the customer location.
The advantage of the on-demand approach is that since traffic flows directly to the customer's location, it does not add latency during peacetime. On-demand services usually have little operational overhead and do not require day-to-day management or maintenance. Usually, they are cheaper than other deployment types.
However, with an on-demand cloud service, attack detection is usually based only on volumetric detection (based on netflow traffic rates). Traffic diversion, once it takes place, requires a certain window of time (usually a few minutes) until diversion is complete. The customer will remain vulnerable during this 'diversion gap'.
On-demand protection is usually best for organisations that are attacked infrequently but want some form of 'insurance' in case of attack, with assets that are non-mission-critical and do not mind the 'diversion gap' window, as well as for cost-conscious organisations.
Always-on cloud service
An alternative to on-demand protection is an always-on cloud service. Under this model, traffic is continuously routed through a cloud scrubbing centre, where it is inspected for DDoS traffic.
This model eliminates the need for diversion when there is an attack while providing 24/7 protection and allows for more granular detection of attacks, including detection of non-volumetric attacks.
However, it is usually more expensive than an on-demand service, and may add some minor latency to customer communications.
As a result, it is best suited for organisations that frequently come under attack, and have applications that are not latency-sensitive.
Hybrid protection offers the best of both worlds, since it combines an on-premise appliance with a cloud service. This allows protected organisations to enjoy both the advanced capabilities of hardware appliances, along with the massive capacity of a cloud service.
As a result, customers can defend against both large and sophisticated attacks, as well as level multi-layered protection. If an attack can get around the cloud defences, it will be mitigated by the appliance. However, a hybrid solution is usually more expensive, since it combines both an appliance and a cloud service.
As a result, hybrid protection is usually best for large organisations with mission-critical applications which cannot afford any downtime, particularly in verticals such as banking, eCommerce, or SaaS.
Ultimately, there is no 'right' or 'wrong' when choosing a DDoS protection solution. Instead, it depends on an organisation's needs, constraints and threat profile. Consider which model makes the most sense for a specific organisation and don't be afraid to mix-and-match protection options for different assets, to create a solution that is tailored specifically to individual needs.