Choosing the Right DDoS Solution – Part IV: Hybrid Protection

This is the last part of the blog series exploring the various alternatives for protection against DDoS attacks, and how to choose the optimal solution for you. The first part of this series covered premise-based hardware solutions, the second part discussed on-demand cloud solutions, and the third part covered always-on cloud solutions. This final piece will explore hybrid DDoS solutions, which combine both hardware and cloud-based components.

Hybrid Protection: Enjoying the Best of Both Worlds

Whereas a premise-based solution relies strictly on a local hardware appliance, and on-demand and always-on solutions are purely cloud based, a hybrid model combines a local hardware appliance together with expandable capacity in case of a large volumetric attack.

During the normal course of business, traffic flows directly to the data center. The premise-based appliance will inspect for attack traffic, and block most attacks. However, if a large-scale attack is detected which may overwhelm the device (or even completely saturate the pipe), then traffic is diverted to a cloud scrubbing center. The scrubbing center will block attack traffic and send only clean traffic to the customer. Once the attack is over, traffic is diverted back to the device, who resumes normal function.

Hybrid DDoS protection allows organizations to enjoy the best of both worlds: the low latency and high-control of premise-based solutions together with the scalable capacity of cloud solutions.

[You might also like: The Cyber Threat Alliance – Stopping Attackers in their Tracks]

Advantages and Drawbacks:

Just like other deployment models, there are certain advantages and drawbacks to choosing a hybrid DDoS protection solution:

  • Best quality of protection: Hybrid protection is the recommended best practice by most security analysts, as it combines both low latency and high capacity for protection of mission-critical services.
  • Immediate detection: Since traffic flows through the local appliance at all times, attacks can be detected immediately by the appliance. This is an advantage particularly over cloud on-demand services, which usually have a detection and protection gap until diversion is initiated.
  • Flexible capacity: A key advantage to the hybrid model is the availability of flexible mitigation capacity in case of large-scale volumetric attacks. Such attacks can overwhelm standalone hardware appliances and even saturate the entire pipe going into the data center. Having backup cloud capacity allows customers to handle any attack, regardless of size.
  • Low latency: Hybrid solutions allow for low latency, as day-to-day protection is handled by on-prem appliances directly in the data center. Only in times of attack will traffic be diverted to the cloud. This is an advantage of cloud always-on solutions which usually add some latency to communications, even during peacetime.
  • Regulation: Companies in regulated industries such as finance or healthcare are frequently constrained in their ability to migrate services to the cloud. Therefore, a hybrid solution could be useful in providing on-prem location most of the time while still allowing for backup capacity in case of large-scale attacks.
  • Control: Having an on-prem device allows for greater control and configurability, especially for organizations with unique network topologies or specific needs.

However, the hybrid DDoS protection model also entails a number of drawbacks:

  • Management overhead: Having a premise-based solution usually incurs higher management overhead and staff requirements, as well as keeping premise-based and cloud-based defenses synchronized and aligned at all times.
  • Cost: Since a hybrid solution combines both a hardware appliance and cloud service, their combined cost usually tends to be higher than a strictly cloud service.


Like other models, the choice of whether or not to use hybrid protection depends on the organization’s particular use case and needs:

  • Threat Profile: What is the threat profile of your data center? If your data center is running mission-critical services which cannot afford to go down, then perhaps a hybrid solution is indeed the route to go.
  • Control: How much emphasis do you put on control and management? Some organizations put a high premium on control and configurability, so an on-prem appliance could suit them.
  • Regulated industry: Is the organization in a regulated industry? If so, what are the guidelines regarding migrating workloads to the cloud? A hybrid solution could be a good solution for regulated companies since they provide the security of on-prem equipment with the expandable scalability of the cloud.
  • Cost: What are the budget constraints and what is the available budget? Hybrid solutions tend to provide a higher quality of protection compared to standalone on-prem or cloud solutions, but this protection usually comes with a higher price tag.

[You might also like: Rethinking the Scrubbing Center]

Who Is It Best For?

Looking at the relative merits and drawbacks of the hybrid model, there are several types of customers (and use-cases) for who this model makes the most sense for:

  • Data center protection: Customers who have existing data centers and have many services running in those data centers which they need to protect.
  • Mission-critical applications: Mission critical applications which require both constant protection and cannot go down even for a short time.
  • Latency sensitive: Services which require fast (or real-time) responsiveness, and have low latency tolerance.
  • Regulated industries: Companies in regulated industries who are constrained in moving workloads to the cloud.

However, there are also certain use-cases in which a hybrid solution may not be best:

  • Cloud-hosted applications: Applications which are hosted on public clouds (such as AWS or Azure), and for whom there is no physical data center to place an appliance in. For such applications, a cloud-based solution is required.
  • Price sensitive: Organizations which don’t have much budget to allocate for such comprehensive solutions. For such organizations, an on-demand cloud solution will usually be the best option.

A Buffet, Not a Fixed Menu

As we explained in the opening segment of this blog series, DDoS protection is a buffet, not a fixed menu. There are many DDoS protection providers, who provide varying levels of protection and cost. Every model has its relative merits and disadvantages; there are many options, and it’s up to each customer to choose the optimal solution for their particular use-case.

Read “Top 9 DDoS Threats Your Organization Must Be Prepared For” to learn more.

Download Now

Eyal Arazi

Eyal is a Product Marketing Manager in Radware’s security group, responsible for the company’s line of cloud security products, including Cloud WAF, Cloud DDoS, and Cloud Workload Protection Service. Eyal has extensive background in security, having served in the Israel Defense Force (IDF) at an elite technological unit. Prior to joining Radware, Eyal worked in Product Management and Marketing roles at a number of companies in the enterprise computing and security space, both on the small scale startup side, as well as large-scale corporate end, affording him a wide view of the industry. Eyal holds a BA in Management from the Interdisciplinary Center (IDC) Herzliya and a MBA from the UCLA Anderson School of Management.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center