A DDoS mitigation service is more than just the technology or the service guarantees. The quality and resilience of the underlying network is a critical component in your armor, and one which must be carefully evaluated to determine how well it can protect you against sophisticated DDoS attacks.
When it comes to protection against volumetric DDoS attacks, size matters. DDoS attack volumes have been steadily increasing over the past decade, with each year reaching new heights (and scales) of attacks.
To date, the largest-ever verified DDoS attack was a memcached-based amplification attack against GitHub in February 2018. This attack reached a peak of approximately 1.35 terabits per second (Tbps) and 126.9 million packets per second (PPS).
In order to withstand such an attack, scrubbing networks must have not just enough capacity to absorb the attack itself, but also ample overflow capacity to accommodate other customers on the network and other attacks that might be going on at the same time. A good rule of thumb is to look for mitigation networks with at least 2-3 times the capacity of the largest attacks observed to date.
It is not enough, however, to just have a lot of capacity. It is also crucial that this capacity be dedicated to DDoS scrubbing. Many security providers, particularly those who take an ‘edge’ security approach, rely on their Content Distribution Network (CDN) capacity for DDoS mitigation. The problem is that the majority of this capacity is already being utilized on a routine basis. CDN providers don’t like to pay for unused capacity, and therefore CDN bandwidth utilization rates routinely reach 60-70%, and can frequently reach 80% or more. This leaves very little headroom for the ‘overflow’ traffic that a large-scale volumetric DDoS attack generates: a network advertised at 10 Tbps but running at 80% utilization has only about 2 Tbps free, and that free capacity is shared with the legitimate traffic peaks of every other customer on it.
Therefore, it is much more prudent to focus on networks whose capacity is dedicated to DDoS scrubbing and segregated from other services such as CDN, WAF, or load-balancing.
Organizations deploy DDoS mitigation solutions in order to ensure the availability of their services. An increasingly important aspect of availability is speed of response. That is, the question is not only whether the service is available, but also how quickly it can respond.
Cloud-based DDoS protection services operate by routing customer traffic through the service provider’s scrubbing centers, removing malicious traffic, and then forwarding clean traffic to the customer’s servers. This process inevitably adds a certain amount of latency to user traffic.
One of the key factors affecting latency is distance: the added latency is the detour that traffic takes to reach the scrubbing center before continuing on to the customer’s servers. Therefore, in order to minimize latency, it is important for the scrubbing center to be as close as possible to the customer and to the users it serves. This can only be achieved with a globally distributed network, with a large number of scrubbing centers deployed at strategic communication hubs where there is large-scale access to high-speed fiber connections.
As a result, when examining a DDoS protection network, it is important not just to look at capacity figures, but also at the number of scrubbing centers and their distribution.
A key component impacting response time is the quality of the network itself and its back-end routing mechanisms. In order to ensure maximal speed and resilience, modern security networks are based on anycast routing.
Anycast routing establishes a one-to-many relationship between IP addresses and network nodes: the same IP prefix is announced from multiple nodes (in practice, via BGP). When a request is sent to the network, each router along the way applies ordinary least-cost routing to determine which announcing node is the optimal destination.
Routing paths are selected according to metrics such as the number of hops, distance, latency, or administrative path cost. As a result, traffic from any given point will usually be routed to the nearest and fastest node. Note that ‘nearest’ here is topological rather than geographic: BGP does not measure latency directly, so the selected node is usually, but not always, the lowest-latency one.
Anycast helps improve the speed and efficiency of traffic routing within the network, and it also spreads a volumetric attack across it: each scrubbing center receives only the share of attack traffic that originates in its routing catchment, so no single center has to absorb the full volume. DDoS scrubbing networks based on anycast routing enjoy these benefits, which ultimately results in faster response and lower latency for end-users.
Finally, when selecting a DDoS scrubbing network, it is important to always have a backup. The whole point of a DDoS protection service is to ensure service availability; therefore neither the service nor any component in it can be a single point of failure. This means that every component within the security network must be deployed with redundancy.
This includes not just multiple scrubbing centers and overflow capacity, but also redundancy in ISP links, routers, switches, load balancers, mitigation devices, and more.
Only a network with full redundancy for all components can ensure service availability at all times, and guarantee that your DDoS mitigation service does not become a single point of failure of its own. Ask specifically what happens when one scrubbing center is withdrawn: its traffic, attack traffic included, fails over to the remaining centers, which must have the headroom to absorb it.
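The anycast and redundancy points above are easier to reason about with a small model. The following is an added example, not code from the original article or from any vendor: a Python simulation in which three constructed scrubbing centers announce the same prefix over a constructed transit topology. Path cost stands in for whatever metric the network uses (real BGP selects on AS path and policy rather than measured latency, so this is a simplification); the node names, link costs and attack volumes are all made up for illustration.

```python
"""Anycast catchment and failover simulation.

Added example, not code from the original article. Node names, link costs
(treated as latency in ms) and attack volumes are all constructed. Real
anycast relies on BGP path selection (AS-path length, local preference,
policy), not a measured latency metric, so this is a simplified model.
"""
import heapq
from collections import defaultdict

# Constructed undirected links: (node, node, cost).
LINKS = [
    ("ISP-A", "IX-NYC", 5),
    ("ISP-B", "IX-NYC", 8),
    ("ISP-B", "IX-LON", 30),
    ("ISP-C", "IX-LON", 6),
    ("ISP-D", "IX-FRA", 7),
    ("IX-LON", "IX-FRA", 9),
    ("IX-NYC", "IX-LON", 70),
    ("ISP-E", "IX-SIN", 10),
    ("IX-SIN", "IX-FRA", 160),
    ("IX-SIN", "IX-NYC", 190),
]

# Constructed scrubbing centers; each announces the same anycast prefix
# from the exchange point it sits at.
SCRUBBERS = {"IX-NYC": "scrub-nyc", "IX-LON": "scrub-lon", "IX-FRA": "scrub-fra"}

# Constructed attack: volume in Gbps sourced from each access network.
ATTACK_SOURCES = {"ISP-A": 300, "ISP-B": 200, "ISP-C": 400, "ISP-D": 100, "ISP-E": 300}


def build_graph(links):
    """Adjacency map {node: {neighbour: cost}} from the link list."""
    graph = defaultdict(dict)
    for a, b, cost in links:
        graph[a][b] = cost
        graph[b][a] = cost
    return graph


def shortest_costs(graph, source):
    """Dijkstra: lowest path cost from source to every reachable node."""
    best = {source: 0}
    queue = [(0, source)]
    while queue:
        cost, node = heapq.heappop(queue)
        if cost > best[node]:
            continue  # stale queue entry, a cheaper path was already found
        for neighbour, link_cost in graph[node].items():
            candidate = cost + link_cost
            if candidate < best.get(neighbour, float("inf")):
                best[neighbour] = candidate
                heapq.heappush(queue, (candidate, neighbour))
    return best


def anycast_target(graph, client, scrubbers):
    """Which scrubbing center a client's packets land on: the announcer of
    the shared prefix with the lowest path cost (ties broken by node name)."""
    costs = shortest_costs(graph, client)
    reachable = {node: costs[node] for node in scrubbers if node in costs}
    if not reachable:
        raise ValueError(f"{client} cannot reach any announcer of the prefix")
    node = min(reachable, key=lambda n: (reachable[n], n))
    return scrubbers[node], reachable[node]


def attack_split(graph, sources, scrubbers):
    """Gbps of attack traffic each center absorbs: every source is drawn to
    its own nearest announcer, so the total is spread over the catchments."""
    load = defaultdict(float)
    for source, gbps in sources.items():
        center, _ = anycast_target(graph, source, scrubbers)
        load[center] += gbps
    return dict(load)


def failover_split(graph, sources, scrubbers, failed_node):
    """Load per center after one center withdraws its announcement: its
    catchment is re-absorbed by the next-nearest centers, which therefore
    need headroom beyond their steady-state share."""
    remaining = {n: name for n, name in scrubbers.items() if n != failed_node}
    return attack_split(graph, sources, remaining)


if __name__ == "__main__":
    graph = build_graph(LINKS)
    for client in ATTACK_SOURCES:
        print(client, "->", anycast_target(graph, client, SCRUBBERS))
    print("steady state:", attack_split(graph, ATTACK_SOURCES, SCRUBBERS))
    print("IX-NYC down: ", failover_split(graph, ATTACK_SOURCES, SCRUBBERS, "IX-NYC"))
```

In this constructed topology the 1.3 Tbps attack is split 500/400/400 Gbps across the three centers in steady state, but withdrawing IX-NYC pushes 900 Gbps onto scrub-lon alone. That swing, not the steady-state share, is what the remaining centers have to be sized for, which is the practical reason behind the 2-3x headroom rule in the capacity section.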
Ask the Questions
Alongside technology and service, the underlying network forms a critical part of a cloud security service. The five considerations above (capacity, dedicated scrubbing capacity, distributed scrubbing centers, anycast routing, and redundancy) outline the key metrics by which you should evaluate the network powering potential DDoS protection services.
Ask your service provider, or any service provider that you are evaluating, about their capabilities with regard to each of these metrics, and if you don’t like the answer, then you should consider looking for alternatives.