There are many different forms of DDoS protection; unfortunately, it is not a one-size-fits-all service but an à la carte menu of options, and mid-market service providers must select the solution that best fits their needs, threat level and budget.
Typically, on-premise DDoS appliances have been leveraged by service providers because of their ability to provide services to end customers using their data centers. On-premise DDoS appliances provide low lag times and offer maximum control, while at the same time allowing industry regulations and standards to be met.
As the scale of volumetric attacks has outpaced the capacity of on-premise DDoS appliances, cloud-based mitigation services have emerged to provide protection against these volumetric assaults by providing increased capacity to absorb these attacks. Using a cloud service frequently requires less management overhead and staff than a premise-based device.
Whereas DDoS mitigation appliances require large upfront capital costs (capex), cloud-based DDoS mitigation services tend to be lower cost and can be purchased as an ongoing subscription model. Moreover, such expenditures are usually classified as operating expenses (opex), which, for many mid-market organizations, are easier to allocate.
Hybrid protection provides both low latency and uninterrupted protection in addition to the high capacity required to mitigate large-scale volumetric DDoS attacks. This is best for organizations seeking data center protection as well as customers running mission-critical and latency-sensitive applications and services.
For mid-market service providers evaluating DDoS mitigation vendors, cloud-based DDoS services are a perfect starting point. Here are three key capabilities mid-market service providers should consider when evaluating cloud DDoS protection services:
1. Increased Capacity and Unlimited Attack Protection
As volumetric DDoS attacks become bigger, they can surpass the capacity of DDoS mitigation appliances, but a cloud service will be able to provide the capacity to absorb these attacks. Any provider should offer a pricing model that is based on the amount of diverted traffic and protection against unlimited attack bandwidth.
2. Granular Service-Level Agreements
Service-level agreements are the contractual guarantee outlining what your DDoS mitigation provider will deliver and their obligation to remedy if they do not meet those guarantees. When an attack is detected, cloud DDoS protection notifies the customer of an attack or automatically diverts traffic.
Ensure any DDoS service agreement includes detailed commitments for time to mitigate, time to detect, time to alert, time to divert, consistency of mitigation, and service availability.
3. Advanced Zero-Day Protection
Identify services that leverage behavioral-based detection. Machine-learning algorithms protect against zero-day threats, network-layer (L3-4) and application-layer (L7) attacks, and encrypted DDoS floods. They also improve the ability to understand what constitutes legitimate behavior, preserving accuracy and minimizing false positives.
Mid-market service providers need to identify which DDoS deployment option is best for them and their customers. The right mitigation system will provide a point of entry that can be tailored to each service provider’s needs and customers. Ideally, you want to leave your customers with a resilient network, up-to-date compliance with cyber regulations, and the ability to protect their infrastructure from volumetric DDoS attacks.