Simply put, the days when firewalls and a large enough pipe to the internet were enough to protect your network have long since passed. Any organization or website is a potential target, and with high odds of a given attack flooding homegrown defense tactics, most companies are moving their mitigation tools offsite. The cost of downtime – upwards of $9,000 per hour for small businesses and $690,000 for large companies – are just too great to risk going it alone.
In a marketplace with countless solutions and several models for mitigation, what’s the best way to approach the growing DDoS threat? That’s the single most frequent question I receive from customers when discussing cybersecurity.
There are two good options, in my opinion:
- Subscribe to a cloud-based DDoS mitigation service, in which malicious traffic is scrubbed before good traffic is rerouted back to the client’s data center.
- Utilize DDoS mitigation appliances at a managed hosting provider’s data center.
Each approach will get the job done, but depending on the circumstances, preferences and budgets of individual organizations, there are some differences worth noting.
Cloud DDoS protection is a fantastic option for companies who want to maintain their on-premise data center, but aren’t able to deploy an adequate mitigation solution.
The primary advantage with cloud-based protection is the sheer scale of mitigation capacity. Because traffic can easily be diverted through scrubbing centers around the world, organizations can withstand attacks in the Terabits per second.
Premium, always-on cloud protection services, which route all traffic through cloud POPs, are effective and hands-off solutions, but can be cost prohibitive for many organizations. Alternatively, on-demand cloud services, which only activate when a volumetric attack is identified, are more affordable but sacrifice real-time detection. The latter solution is typically not optimal for application-level DDoS attacks.
In all cases with cloud protection, there will be some degree of latency at play — especially compared to solutions that reside at the perimeter of a network. While Radware’s Always-On Cloud DDoS protection excels at limiting latency, be aware that other cloud-based protection solutions on the market will require some level of human intervention that can limit the effectiveness of attack mitigation and add to existing network latency.
Provider-managed DDoS mitigation services are ideal for companies who are planning on or are already hosting web servers and applications off-site.
First off, latency is not a concern in this option, because the mitigation device sits at the network perimeter, adjacent to customers’ servers.
Because the mitigation tools used at managed hosting providers are based on dedicated hardware platforms, the amount of bandwidth customers are guaranteed during an attack doesn’t approach the multi-terabit level offered by the cloud.
They do, however, provide good value and coverage for the price.
For example, DDoS protection offered by my company, managed hosting provider SingleHop, follows very much the same model as any insurance policy. We partner with Radware to make this possible. The plan’s “premium” grants customers access to our data centers’ powerful Radware DefensePro mitigation devices should they ever need it. DefensePro DDoS prevention device detects attacks in-real time and mitigates them without prohibiting legitimate traffic.
As the provider, we’re able to make these premiums economical for customers because we’re able to plan for the maximum capacity needed to filter out illicit traffic during a DDoS attack at any given time, knowing that all of our customers won’t need access to it at once. This cost spreading assures DDoS attack prevention and protection in the vast majority of DDoS situations for a monthly cost that is well within reach for companies with limited IT and security budgets.
There’s one other benefit of using Radware-powered DDoS through a hosting provider: Access to network operations engineers who monitor the network 24/7 and manage all attacks. It’s one less function company IT teams have to worry about, which means they can redirect their IT efforts in other productive areas.
To recap, both cloud-based and provider-managed DDoS protection services are huge upgrades over most homegrown or on-premise strategies. The biggest factors in deciding one over the other will be: where the organization hosts, the size of the organization’s cybersecurity budget, and the organization’s sensitivity to latency.
Fortunately, if you want the benefits of both options, Radware offers highly efficient hybrid protection solutions that allow providers like SingleHop, or companies that manage on-premise data centers, to utilize the cloud for extended coverage whenever necessary.
Jordan Jacobs oversees SingleHop’s product life cycle through all phases, from conceptualization to market. Jordan has more than a decade of business strategy and product development experience in cloud computing, hosting, and managed services.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.