Your Checklist for the Best “out-of-path” (OOP) DDoS Solution

In today’s world, data breaches and cyber-attacks are becoming more and more frequent, which makes it essential to choose the one DDoS solution that is right for you. If you are a service provider or a large enterprise that provides services to tenants or to other departments in your organization, you will likely want to opt-in for an “out-of-path” (OOP) DDoS deployment model.

In this blog, we will provide a few guiding rules that will help you select the most suitable OOP DDoS solution for your organization.

Let’s first understand the difference between OOP and Inline deployments

Inline deployments are when the DDoS appliance (software or hardware) is connected directly to the main pipe through which the traffic flows. This means that every packet coming into the organization goes through the DDoS appliance. The advantage of an inline deployment is that there is not a single traffic packet that avoids your DDoS appliance. This allows the DDoS appliance to create super accurate statistics using advanced algorithms, all leading to accurate detection of DDoS attacks. Some of the disadvantages related to inline deployments are cost and the potential failure of the network in case the DDoS appliance is down, which prevents any traffic from flowing through it. If your organization deploys tens or even hundreds of routers, you will need to attach a DDoS appliance to each router, which could lead to an expensive deployment.

Out-of-path (OOP) deployments typically rely on small software components that act as DDoS detectors and are “attached” to each of your organization’s routers, pulling NetFlow- and FlowSpec-related statistics. Now, the DDoS mitigation device(s) are not connected to each router but sit “outside“ the main traffic pipe (hence the name “out-of-path) waiting to be activated. To complete the deployment — there is a 3^rd component — an overarching management entity, which can be considered the “brains” of the solution, performs orchestration, automation and traffic diversion if an attack takes place. Once a detector realizes that a potential DDoS attack takes place, it notifies the management entity. This results in triggering a BGP diversion of the traffic from its standard path to one of the DDoS mitigation devices (still sitting “idle”), which mitigates the attack. Once the mitigation device realizes that the attack has ended, the management entity is notified and promptly performs a re-diversion of the traffic back to its original path. The advantages of an OOP deployment are mainly in:

• Cost-effectiveness (typically fewer DDoS mitigation appliances required), and
• No influence on a network outage because no appliances are located inline.

Need Help Choosing The Most Suitable OOP DDoS Solution? Make Sure and Keep These Features In Mind

1. Integration with a variety of detection modules: As discussed above, an OOP solution typically relies on a software component that is communicating with the router and pulling NetFlow- and FlowSpec-based statistics. There are more than a few NetFlow- and FlowSpec-based detection components out there. Some, but not all, come specifically from DDoS vendors. It is important that the OOP DDoS solution you choose integrates with as many detectors out there as possible, or with the specific detector of your choice. You’ll want the most flexibility possible to tune the OOP DDoS solution to your liking and needs. Radware’s OOP DDoS solution is already integrated with all of the major detectors out there, including  NOKIA Deepfield, FNM FlowMon, GenieNetworks, Kentik, and more.
2. Security operation visibility and UX (user experience): A critical component of a DDoS solution (OOP or inline) is the security operation UI (user interface) and UX. Operating a DDoS security solution must be simple to use, intuitive to understand and, while providing an abundance of information, still be very much focused on what data is relevant for the attack and what the SOC operator needs to do in order to mitigate the attack swiftly. Radware’s solution introduces the state-of-the-art SecOps concept for security operations and monitoring, which provides simplicity, intuitiveness and holism, all encapsulated in a 21st-century UI that is second to none.
3. Availability of automation: A good OOP DDoS solution should provide strong automation capabilities that allow an organization to tie together detection, mitigation, diversion, reporting and re-diversion (once an attack is over). The advantages of a solid automation mechanism are clear and undeniable — reduction in the time to detect and mitigate, resiliency to errors (typically caused by human intervention) and a robust infrastructure that allows for the creation of cross-organization DDoS policies that can be realigned over time. Radware’s DDoS solution offers extensive automation capabilities.
4. Mitigation device deployment flexibility: A key capability to keep in mind when selecting an OOP DDoS solution is the flexibility needed when placing the mitigating device(s) as part of the overall solution. It is true that for the most part in OOP solutions, mitigating devices are located outside the main traffic pipe (out-of-path). However, in some cases the ability to place the mitigating device in TAP (aka TAP port) allows it to receive traffic samples, which can greatly improve the detection capabilities and, as a result, improve the overall efficiency of the DDoS solution. Radware’s OOP DDoS solution works with mitigation appliances that are either fully OOP, in TAP mode or, if needed, in mixed environments — some mitigation devices are located OOP, some in TAP mode and others inline.
5. Integration with cloud services: The integration of a DDoS OOP solution with cloud services allows service providers and the like to create a more cost-effective, overall solution by splitting the responsibility between on-premises, self-owned equipment and 3^rd party cloud (SaaS) services. These typical “hybrid” solutions can allow the service provider’s own equipment to handle attacks up to a certain volume. This is also cost-effective for the service provider; attacks exceeding pre-determined volumes will be diverted to a 3^rd party SaaS cloud provider. Thus, it is very important to understand if your potential DDoS OOP vendor also offers cloud (SaaS) services. Radware offers extensive cloud services that encompass DDoS, WAF, API protection and bot management services.

Remember, You Need Both Cost-Effectiveness and Efficiency

When choosing an OOP DDoS security solution, it’s important to focus on key features and capabilities that will ensure you have the most cost-effective and efficient solution. Keeping these features top-of-mind during the vetting process will help you select the right OOP DDoS Security Solution for your organization — integration with many detectors, automation, a superb UX for security operations and integration with cloud Services.

Go HERE to learn about Radware’s DDoS Protection Solutions, including OOP DDoS offering. And if you’d like to speak with a Radware cybersecurity professional, click HERE. They would love to hear from you.

To learn why Radware was named a leader in DDoS mitigation by SPARK Matrix, you can read the complete analyst report HERE.