Choosing the Right DDoS Solution – Part II: On-Demand Cloud Service
This blog series explores the various options for DDoS protection and help organizations choose the optimal solution for themselves. The first part of this series covered the premise-based DDoS mitigation appliance. This installment will provide an overview of on-demand cloud-based solutions. Subsequent chapters will also cover always-on and hybrid solutions.
Advantages of moving to the cloud
There are numerous advantages for moving to the cloud compared to deploying a standalone hardware device:
- Protecting cloud-based applications: Applications that are hosted in the cloud cannot be protected by premise-based equipment, and therefore require cloud-based protection.
- Larger capacity: As volumetric DDoS attacks become increasingly bigger, many attacks can easily surpass the capacity of typical enterprise-grade DDoS mitigation appliances. In such cases, a cloud service will be able to provide backup capacity that can absorb these attacks.
- Lower management: Using a cloud-service frequently requires less management overhead and staff than a premise-based device.
- Lower cost: Whereas DDoS mitigation appliances require large upfront capital costs (CAPEX), cloud-based DDoS mitigation services tend to be lower cost, and can be paid for in an on-going subscription model. This allows the customer to expand (or contract) their service based on their needs. Moreover, such expenditures are usually classified as operating expenses (OPEX), which for many companies are easier to allocate.
- However, it should be noted that the convenience of the cloud is tapered by the lower level of control, as well as potential conflict with regulatory requirements that may limit the organization’s ability to migrate to the cloud.
On-Demand: DDoS protection when you need it
The first model of cloud-based DDoS protection is the On-Demand model. Under an on-demand model, traffic flows normally directly to the host in peacetime (i.e., when not under attack). However, once a DDoS attack is identified, traffic is re-routed to the cloud DDoS mitigation service, which scrubs the attack traffic and passes only clean traffic to the origin server. As its name implies, this type of protection is activated – on-demand – only in times of need.
Advantages and drawbacks:
- No latency in peacetime: One of the big advantages of an on-demand service is that there is no latency during ‘peacetime’ when you are not under attack. Traffic is diverted only during times of attack, for the attack duration.
- Lower cost: On-demand services tend to be cheaper than purchasing a dedicated DDoS mitigation appliance, as well as always-on cloud services. This allows for effective protection for customers who don’t have a large budget.
- Simplicity: On-demand cloud-based services are simple to maintain and require no management during normal times.
However, there are certain drawbacks to the on-demand model:
- Detection time: Perhaps the biggest drawback of an on-demand service is that it does not provide protection 100% of the time. Most on-demand services detect DDoS attacks based on volumetric traffic thresholds. Protection will be activated only once a certain traffic threshold is reached, which may take a few minutes to accumulate data and analyze. During this time the server might be exposed.
- Diversion time: After diversion is initiated, it may take some more time until diversion is complete. Diversion time consists of two factors: the time it takes to initiate the diversion to begin with, and the time it takes for diversion to propagate through BGP or DNS tables. While diversion time can be minimized using automatic or programmatic (API-based) diversion techniques, propagation time is usually outside of the provider’s direct control.
- Latency during diversion: Once traffic has been diverted, all requests to the origin server flow through the network of the cloud DDoS mitigation provider, which may add some latency to transactions. The amount of latency can depend on location of the scrubbing center, distance from the origin server, and the quality of connectivity. However, this latency continues only while diversion is taking place, and returns to normal once diversion is over.
Like purchasing a premise-based device (as well as the always-on and hybrid models, which will be covered next), the choice of whether or not to use an on-demand protection model depends on the organization’s particular use case and needs:
- Latency: Using an on-demand service does not incur additional latency in peacetime, so for latency-sensitive applications, an on-demand service might be effective.
- Frequency of attack: How frequently are you attacked? If you are only infrequently attacked (or not at all), then an on-demand service might be a cost-effective solution to protect you in a rainy day. However, if your server comes under constant attack, then it is probably not very effective to be constantly diverting traffic, and an always-on or hybrid service might be better.
- Mission-critical applications: Is your application mission-critical? On-demand services usually take a few minutes for the detection and diversion steps, during which time the server remains exposed. If you can absorb this exposure without causing major harm, then an on-demand service will be fine. However, if you cannot afford even one moment of downtime, then perhaps an always-on or hybrid solution would be better.
Who Is It Best For?
Considering the relative merits and drawbacks of the cloud on-demand DDoS protection model, there are a several types of customers (or applications) for whom this model makes sense:
- Infrequently attacked: Companies who are not frequently attacked and do not need constant coverage.
- Latency sensitive: Applications that are very sensitive to latency and therefore an always-on solution will not be suitable.
- Price sensitive: Organizations that do not have a large budget to spend on DDoS protection and wish to have cost-effective protection.
However, similarly, there are certain organizations and application types for whom this solution is less suited:
- Constantly attacked: Organizations or applications that constantly come under attack, resulting in traffic being constantly diverted. In those cases, an always-on or a hybrid solution will be probably be more suitable.
- Mission-critical applications: Mission-critical applications must always be available and cannot afford any downtime at all. Since on-demand DDoS protection usually takes a few minutes to detect and divert, this may result in short interruptions to availability. If this is a major issue, then perhaps an always-on or hybrid solution will be better.
The on-demand cloud DDoS protection model is a cost-effective solution for organizations who do not require constant protection. For customers who do require such constant protection, there are cloud always-on and hybrid solutions, which do offer this type of protection. The next installments of this series will focus on these alternatives, and who they are best for.