The advantages of out-of-path DDoS solutions for Service Providers

As DDoS (Distributed Denial of Service) attacks are becoming increasingly popular with attackers, the more imperative it becomes for organizations to protect themselves against these attacks. There are typically two methods of deploying a DDoS solution – Inline and out-of-path (OOP). OOP deployments are usually deployed on exceptionally large networks typical to Service Providers, as it allows optimization of protection elements across large and diverse networks.
This Blog will cover the out-of-path deployment method, and the advantages it brings to service providers and large enterprises.

Two Methods to Deploy DDoS Solutions – Inline and OOP

Inline deployments are when the DDoS appliance or appliances are deployed directly to the main pipe through which the traffic flows usually on the perimeter. This means that every packet flowing into the organization goes through that DDoS appliance. The advantage of an inline deployment is that there is not a single traffic packet that avoids your DDoS appliance. This allows the DDoS appliance to create super accurate behavioral statistics using advanced algorithms, all leading to accurate detection of DDoS attacks. The main drawback, especially relevant in very large service providers network with dozens of incoming pipes, is the direct and indirect cost associated with deploying appliances on each and every link. Additionally, inline deployment must protect against appliance failure with either highly available pairs or bypass, adding to the complexity and cost.

Out-of-path – OOP – deployment typically utilizes dedicated software components that serve as DDoS attack detectors and are linked to each of an organization’s routers, extracting relevant statistics like NetFlow and FlowSpec data. Unlike in-line deployments, the DDoS mitigation devices in OOP configurations are not directly connected to individual routers but are positioned “outside” the primary traffic flow, hence the term “out-of-path.” Instead, these mitigation devices remain inactive until an attack is detected by attack detectors. Completing this setup involves a third essential component—an overarching management system, acting as the central control hub. This management entity orchestrates, automates, and handles traffic redirection in case of a potential attack. When a DDoS detector identifies suspicious activity, it alerts the management system, which triggers a BGP (Border Gateway Protocol) diversion, rerouting traffic from its usual path to one of the idle DDoS mitigation devices to counter the attack. Once the mitigation device resolves the attack, it notifies the management system, which promptly restores traffic back to its original path.

oop ddos deployment

Deploying a DDoS solution as a service provider / large enterprise – the challenges

Traditionally, the most common deployment architecture for DDoS solutions would be an “Inline” deployment. It is simple, straight forward and potentially benefits the best detection and mitigation algorithms. However, for service providers and enterprises, there could be two potential drawbacks to “inline” deployment methodology.

Cost-effectiveness: an “inline” deployment means that the DDoS appliance (HW or SW) will be installed within the traffic pipe of a network / subnet. This means that for every Edge router that the organization deploys, a DDoS device will have to be deployed (very close to it – network speaking). While this methos still stays cost-effective for small-medium organizations (lower number of routers overall, lower Org. bandwidth overall), for large organizations, having tens and even hundreds of routers to protect, as well as tens or even hundreds of Gigabytes of traffic overall, an “inline” solution can be quite expensive and end up not cost-effective at all.

Risk of downing an entire network (subnet): given that the “inline” method requires the DDoS device to be placed inside of the main traffic pipe (in-line…) this means that in order to protect the pipe from complete shutdown, in case the DDoS appliance fails, one has to deploy the DDoS appliances in a highly-available manner (HA) or to add bypasses to the DDoS appliances. This, obviously, adds additional cost and complexity.

Overcoming cost and mission-criticality with out-of-path DDoS deployments

So, if you are a decision maker working for a service provider or a large organization and you find the “inline” deployment method indeed intrusive and/or not optimally cost-effective – do not despair as there is a solution for you too.
The optimal deployment method in this case is “out-of-path”. OOP deployment provides a solid solution for the two main challenges of the “inline” approach:

Risk of downing an entire network (subnet): as opposed to the “inline” method – OOP does not mandate the deployment of DDoS appliances inside of the main network pipe. As explained above, when deployed OOP, the DDoS appliances are in a scrubbing center, outside of the main network pipes. In peacetime, traffic does not flow through the DDoS appliances. Only if an attack is detected, a BGP diversion takes place and only then traffic starts flowing through one (or more) of the DDoS appliances. This means that if there is no attack – no mission-critical data flows through a DDoS appliance and, if the DDoS appliance fails, at least no mission-critical, business data is lost. Business continues as usual.

Cost-effectiveness: the heart of the OOP deployment architecture means that there is no need to deploy a DDoS appliance next to every Edge router that the organization owns. The DDoS appliances are deployed in a “scrubbing-center” and, if calculated BW planning is performed, this can lead the organization to purchase far fewer DDoS appliances, still able to cover for the entire organization’s traffic (BW), while keeping the overall DDoS solution cost less, or even far less, expensive.

Additional advantages of OOP Vs. inline deployments

Deploying DDoS in OOP comes with additional advantages over deploying in inline, especially for large service providers and organizations. One notable example is the ability to interface with and manage routers and router interfaces. When deployed in OOP, the DDoS solution interacts with the organization’s routers anyway to obtain NetFlow statistics as well as to provide FlowSpec commands to the routers. As such, an OOP DDoS solution could go further and introduce additional capabilities related to router management. One such capability is to monitor a router’s interfaces and understand if an interface is flooded with traffic, becoming saturated and then provide an alert to the NOC (Network Operations Center) or even go as far as automatically divert the traffic off the flooded interface onto another interface in the same router or in another router. Capabilities such as these are typically classified under “traffic shaping / planning” and are of immense value to service providers and large organizations. The Radware OOP DDoS solution does introduce such a capability

With that, we show that an out-of-path DDoS deployment architecture is typically the most optimal solution for service providers and large organizations as it mitigates two major challenges: cost-effectiveness and maintaining mission-critical business 24X7.

Up until a few years ago DDoS OOP deployments were considered by many as complex, due to the reliance of NetFlow and of the DDoS vendors engaging in BGP diversions in the service-provider’s network – something that service providers were always concerned about.

However, the past recent years have introduced substantial improvements to the NetFlow capabilities in DDoS detection. In addition, more service providers and large organizations have engaged in OOP deployments that proved to be very robust, consistent, and sustainable. This encouraged more service providers and large organizations to deploy DDoS in OOP to the point that it is now the de facto approach for such organizations.

Radware is a world-leading DDoS solutions provider with customers among the top-tiered service providers and the largest enterprises in the world. Radware’s DDoS out-of-path solutions are deployed with hundreds of customers and are field proven.

For information about Radware Out-of-Path solution, go to Infrastructure Protection For Service Providers Radware.

Dror Zelber

Dror Zelber is a 30-year veteran of the high-tech industry. His primary focus is on security, networking and mobility solutions. His holds a bachelor's degree in computer science and an MBA with a major in marketing.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center