By now the dangers of a DDoS attack are broadly known. It is not just the computer geeks who know what damage DDoS can do; the term has entered everyday speech as more and more people worry about the service outages DDoS causes, driven by a steady run of headline news reports.
Businesses are right to be concerned, but what can a business do to defend itself from the damaging outages DDoS attacks cause? Two of the most popular techniques are often compared and contrasted, and we think one DDoS protection regime clearly stands out above the other. In this article we compare ISP-run clean-pipes DDoS protection with a cloud-based DDoS protection layer and explain why one option is preferable in the majority of cases.
Explaining DDoS attacks
First, it is important to understand what a DDoS attack is. DDoS stands for distributed denial-of-service attack. Let's look at the second half first: a denial-of-service attack is an attempt by a malicious actor to prevent legitimate users from accessing a network or an online service.
Denial-of-service attacks succeed because the attacker exhausts a resource the target needs in order to answer real requests: link bandwidth, packet-processing capacity, connection state or application resources such as worker threads. The "distributed" part means the traffic comes from many sources at once, typically a botnet of compromised machines, which makes the attack far larger and makes it useless to block any single source address.
Clean pipes: attempting to mitigate DDoS at the ISP level
The expression 'clean pipes' refers to removing malicious traffic from a network before it reaches the customer. As DDoS has become a survival issue for many businesses, internet service providers have offered to scrub traffic automatically as it travels along the internet pipes towards web servers and the other machines that deliver online services.
Clean-pipes services are often sold as an optional extra to hosting or connectivity contracts: the ISP passes all inbound traffic through appliances that evaluate its legitimacy, blocking suspicious traffic before it reaches a web server and causes a service outage.
The issue is that clean-pipes services are limited. Yes, many attack methods are crude and can be spotted simply by watching for patterns of activity, such as an abnormal packet rate from a single source. However, clean-pipes efforts cannot deal with more sophisticated attacks. For example, a clean-pipes service will fail to thwart an application-layer attack in which the attacker targets a specific weakness of the server, such as an expensive request type or a limited connection table, and exhausts it with a low volume of traffic that looks nothing like a flood.
Clean pipes can also struggle with multi-vector attacks, in which the attacker combines, for example, a TCP SYN flood with a UDP flood, either in sequence or in parallel, so that a defence tuned for one vector is overwhelmed by the other. There is another, simpler way to overwhelm a clean-pipes defence: send so much traffic that the pipe itself is saturated.
An attacker merely needs to overwhelm the ISP's appliance to cause massive service disruption. A typical appliance performing clean-pipes functions can handle around 40Gbps of data and 10 to 20 million packets per second (Mpps). But recent attacks have reached 650Gbps: a clean-pipes strategy simply will not survive an attack of that size.
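To make the limitation concrete, here is an added example (not code from the original article or from any ISP product) that runs two checks over a constructed set of per-source flow summaries for one ten-second window: a per-source packet-rate threshold, which is roughly what a rate-based clean-pipes appliance applies, and a behavioural check that looks at how many connections a source holds open versus how many requests it actually completes. The field layout, the thresholds and the sample addresses (taken from documentation ranges) are assumptions for illustration. The rate check catches the UDP and SYN floods but passes the low-and-slow attacker, who sends about 30 packets per second; only the behavioural check catches that source.

```python
"""Added example: rate-threshold filtering versus a behavioural check.

The flow records, field layout and thresholds below are constructed for
illustration and are not any vendor's detection logic.
"""
from typing import Dict, List, Set, Tuple

WINDOW_SECONDS = 10

# One summary per source for a 10-second window:
# (src_ip, proto, packets, bytes, established_conns, completed_requests)
Flow = Tuple[str, str, int, int, int, int]

# Constructed sample; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS: List[Flow] = [
    ("198.51.100.10", "tcp", 120, 96_000, 4, 12),            # normal client
    ("198.51.100.11", "tcp", 80, 64_000, 2, 8),              # normal client
    ("203.0.113.5", "udp", 2_000_000, 2_400_000_000, 0, 0),  # UDP flood source
    ("203.0.113.6", "udp", 1_800_000, 2_100_000_000, 0, 0),  # UDP flood source
    ("203.0.113.7", "tcp", 1_500_000, 90_000_000, 0, 0),     # SYN flood source
    # Low-and-slow HTTP attacker: ~30 pps, but 400 connections held open
    # and none of them ever completes a request.
    ("203.0.113.8", "tcp", 300, 18_000, 400, 0),
]


def rate_filter(flows: List[Flow], pps_limit: int = 100_000) -> Set[str]:
    """Volumetric check: block any source whose packet rate exceeds pps_limit."""
    blocked: Set[str] = set()
    for src, _proto, packets, _bytes, _conns, _done in flows:
        if packets / WINDOW_SECONDS > pps_limit:
            blocked.add(src)
    return blocked


def behaviour_filter(
    flows: List[Flow], min_conns: int = 50, min_completion: float = 0.1
) -> Set[str]:
    """Application-layer check: block TCP sources that hold many connections
    open but complete almost none of the requests on them."""
    blocked: Set[str] = set()
    for src, proto, _packets, _bytes, conns, done in flows:
        if proto != "tcp" or conns < min_conns:
            continue  # not enough established state to judge behaviour
        if done / conns < min_completion:
            blocked.add(src)
    return blocked


def classify(flows: List[Flow]) -> Dict[str, List[str]]:
    """Return, per source, the list of checks that would have blocked it
    (empty list means the source passes both checks)."""
    by_rate = rate_filter(flows)
    by_behaviour = behaviour_filter(flows)
    verdicts: Dict[str, List[str]] = {}
    for src, *_rest in flows:
        reasons = []
        if src in by_rate:
            reasons.append("rate")
        if src in by_behaviour:
            reasons.append("behaviour")
        verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for src, reasons in classify(SAMPLE_FLOWS).items():
        status = "blocked by " + ", ".join(reasons) if reasons else "passed"
        print(f"{src:15} {status}")
```

Run it and 203.0.113.8 is the only attacker that passes the rate check, which is the point of the paragraph above: a filter that judges traffic by volume alone has nothing to key on when the attack is engineered to stay under the threshold. The behavioural check is deliberately narrow (established TCP connections with a very low completion ratio) so that it does not also flag the legitimate clients.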
Effectively mitigate DDoS with a high-capacity cloud service
Clean pipes was an effective strategy when attacks were simple, predictable and small in scale. But an alternative has emerged: using cloud-based DDoS protection where every request is first passed through a cloud-based inspection before it even enters your hosting environment.
Cloud-based DDoS protection is advantageous for several reasons. First, a DDoS attack cannot clog your internet pipes, because the cloud-based provider absorbs the attack on its own network before it reaches yours. A good cloud DDoS service will have enough capacity to thwart massive attacks, with the leading providers offering up to 3Tbps (terabits per second) of protection capacity, several times the bandwidth consumed by even the largest attacks seen to date.
Cloud DDoS protection is also more intelligent. Cloud DDoS providers analyze DDoS attacks for a living and are in tune with the latest criminal approaches, unlike a static device operated by an ISP. Even complex attacks can be identified quickly, and a cloud DDoS provider can automatically blacklist attacking IP ranges identified against one customer before they get a chance to attack other customers.
Furthermore, cloud-based DDoS protection offers more visibility into the attack landscape. With a cloud DDoS provider standing between you and attackers, you get real-time reporting on attacks. You also get the type of service level agreement (SLA) that only a provider dedicated to and knowledgeable about DDoS can supply, including uptime guarantees of up to 99.99999% from the best providers.
Don’t let DDoS attacks in at the gate
Yes, you can opt to filter DDoS traffic with a clean-pipes approach once it has already reached your ISP's network, but there is no guarantee it will succeed. Instead, deploy a cloud-based DDoS protection service from a vendor with the capacity and knowledge to stop attacks before they come anywhere near your network or the servers and services you rely on.