Why ‘Free’ DDoS Protection Can be the Most Expensive

The promises are enticing and the price is unbeatable; after all – who can beat the price of ‘free’ ?

As service availability becomes more and more of a customer concern, it has become common for internet service providers (ISPs), content distribution networks (CDNs) and public cloud providers to offer ‘DDoS protection’ for free, as part of their service bundle.

What those service providers don’t tell their customers, however, is that this free protection can end up being the most expensive, should you come under attack.

DDoS attacks frequently result in loss of availability, loss of customers, abandoned shopping carts and loss of reputation, so the upfront savings in protection can lead to much larger costs down the road.

Free (or low cost) DDoS protection is frequently offered by connectivity and computing providers, who bundle it together with their infrastructure services. This typically includes ISPs, CDNs, and public cloud infrastructure-as-a-service (IaaS) providers.

[You may also like: How Can You Protect What You Can’t See?]

However, there are several key areas in which ‘free’ DDoS protection frequently falls short of dedicated security services.

Inferior Protection

There is no way around it: when you buy something for free (or very cheap), you usually get what you pay for.

The main concern of infrastructure service providers is selling their core computing services such as internet connectivity, content distribution, or cloud computing. From their point of view, DDoS protection is a loss leader to enable higher sales. Consequently, they frequently provide only the simplest, most basic protections which cost them the least.

[You may also like: How to Recover from a DDoS Attack]

For example, one large public cloud provider has no qualms about declaring that their free tier provides protection only against the ‘most common, frequently occurring network and transport layer DDoS attacks’. Higher levels of protection, on the other hand, require high costs.

As a result, free DDoS protection tiers usually do not provide protection against advanced DDoS attacks such as burst attacks, dynamic IP attacks, multi-vector attacks, IoT botnet attacks (such as Mirai), DNS attacks, SSL attacks or other zero-day DDoS attacks. This leads to inferior protection, and leaves customers exposed should they face a sophisticated attacker.

Limited Coverage

Another key problem with ‘free’ DDoS protection services, apart from the level of security, is the limited coverage they offer.

Frequently, such services are limited to rudimentary network-layer (L3/4) DDoS attacks. However, they usually do not protect against application-layer (L7) DDoS attacks which target the applications themselves, such as HTTP/S DDoS floods, DNS attacks, low-and-slow attacks, and so on.

Application-layer DDoS protections, to the extent they are offered at all, will frequently require separate add-on costs (or the purchase of a WAF service), and are usually limited to simple rate-limiting of incoming HTTP/S connections.

Moreover, as the service providers’ main interest is to sell more of their other services, their DDoS protections will be limited to coverage of their services only. For customers who use multiple providers (such as multiple CDNs, ISP, or public clouds), this will lead to varying levels of protection for different assets, inconsistent security policies, and fragmented management & reporting.

No Service Commitments

Another way in which free DDoS protection services save money – and compromise security – is in the service commitments they provide to customers.

Your DDoS protection service is only as good as the service guarantees your provider is willing to commit to. Such service commitments are usually documented in the Service Level Agreement (SLA) associated with the service.

[You may also like: What to Do When You Are Under DDoS Attack]

This is why most free (or low cost) DDoS protection either provide no SLA at all, or provide ‘best effort’ SLA. Frequently such SLAs will not include any commitment to attack detection times, mitigation times, or quality of mitigation (i.e., measuring the ratio between good and bad traffic that is being allowed through).

This means that if the service provider doesn’t live up to their marketing promises, there really isn’t anything that the customer can do about it, and no remedy to their problem.

An enterprise-grade SLA should include service commitments which are not only specific, but measurable (i.e., that there is a clear, understandable manner to measure to them), and also explain what are the service remedies in case these SLAs are breached.

Not including specific and measurable metrics for detection, mitigation, and response in the SLA of a DDoS protection service should raise alarm as to the actual quality of security it provides.

[You may also like: Creating a Secure Climate for your Business]

Lack of Security Expertise

Finally, as ‘free’ DDoS protection vendors are usually not dedicated security providers, they frequently lack the expertise and know-how to effectively deal with cyberattacks.

Although such service providers might be experts in their respective fields (such as internet connectivity, content delivery or cloud computing), security is frequently a side-business for them. DDoS attacks, however, are a specific category of cyberattack, with distinct characteristics, customer impact and methods of mitigation.

Consequently, such vendors are frequently not up-to-date with the latest attacks, trends or tools, and don’t have rich experience in dealing with a wide variety of DDoS attacks.

[You may also like: How to Choose a Cloud DDoS Scrubbing Service]

From a customer point of view, this means that free DDoS protection services will not be able to handle attacks as quickly or as efficiently as needed, and may not know how to effectively deal with complex attacks, leaving customers exposed for longer.

The Price is Promising, But…

Ultimately, when you buy something for free, you usually get what you pay for. DDoS attacks are a unique type of cyberattack, and protection against DDoS attacks is a dedicated discipline within cybersecurity. Although many vendors promise ‘free’ DDoS protection, this type of service is usually a side-business for them, and an add-on for their main product line.

As a result, this type of ‘free’ protection comes at the cost of inferior protection, limited coverage, basic service commitments, and limited security expertise, which may end up being far more expensive down the road.

Download Radware’s “Hackers Almanac” to learn more.

Download Now

Eyal Arazi

Eyal is a Product Marketing Manager in Radware’s security group, responsible for the company’s line of cloud security products, including Cloud WAF, Cloud DDoS, and Cloud Workload Protection Service. Eyal has extensive background in security, having served in the Israel Defense Force (IDF) at an elite technological unit. Prior to joining Radware, Eyal worked in Product Management and Marketing roles at a number of companies in the enterprise computing and security space, both on the small scale startup side, as well as large-scale corporate end, affording him a wide view of the industry. Eyal holds a BA in Management from the Interdisciplinary Center (IDC) Herzliya and a MBA from the UCLA Anderson School of Management.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center