Dark Reading
Sponsored Article

DDoS Attack Mitigation: Don't Sacrifice Speed for Security

Why common strategies for stopping DDoS attacks sometimes cause the same slowdowns they're trying to prevent.

The website and network outages and slow traffic speeds caused by DDoS attacks can hurt conversions, increase drop-off rates, and degrade your customer experience. Research shows that 25% of users will leave a website that takes longer than four seconds to load. The consequences of lost uptime and performance can be severe for companies in certain industries. For instance, in financial trading platforms, a one millisecond advantage can be worth $100 million a year to a major brokerage firm. In e-commerce, Amazon discovered that 100 milliseconds of extra load time cost them 1% in sales.

Unfortunately, common strategies for stopping DDoS attacks sometimes cause the same slowdowns they’re trying to prevent. For example, many DDoS mitigation providers rely on one of two methods for stopping an attack: scrubbing centers, or on-premise scanning and filtering via hardware boxes. The problem with both approaches is that they impose a latency penalty that can adversely affect your business.

The DDoS mitigation method of scrubbing involves re-routing all of your network traffic to scrubbing servers in designated geographic locations in an attempt to filter or ‘scrub’ out malicious traffic from the non-malicious. In an ideal scenario, the scrubbing server will only forward non-DDoS packets to the online application that is under attack.

In reality, scrubbing creates three issues: latency, operational expenses, and a lack of expertise to discern between good and bad traffic. Bandwidth management can quickly become complex and expensive when maintaining multiple scrubbing centers. Each scrubbing server requires multiple terabits per second (Tbps) of bandwidth to properly defend against today’s DDoS attacks, which meet or exceed 1 Tbps in size. When an organization has only one scrubbing center, it acts as a bottleneck and creates large amounts of latency while all network traffic is filtered and then forwarded back to the original server.

Scrubbing is also expensive. For multiple scrubbing servers to handle a probable 100 Gbps of attack traffic at line rate, they’ll need specialized network and server hardware, including line cards in routers, network adapter cards in servers, and the servers themselves. To use scrubbing centers efficiently, network engineers need expertise in the TCP/IP, DNS, HTTP, and TLS protocols to distinguish malicious traffic from non-malicious, a task that becomes harder as bad actors attempt to camouflage their DDoS packets as legitimate.

On-Premise Hardware Boxes
Another DDoS mitigation method uses on-premise hardware boxes to scan traffic and filter out malicious requests. Similar to scrubbing, the scanning hardware introduces network latency and inhibits performance, because re-routing network traffic through the boxes to complete the scanning process creates a bottleneck. Since scanning hardware is a single point of defense, a local hardware box needs enough network capacity to sort through multiple Tbps of incoming traffic to filter out unwanted packets. On-premise anti-DDoS appliances often have a bandwidth limit by default, based on the combination of the organization’s network capacity and the box’s hardware capacity.

Always-On or On-Demand Mitigation?
A better way to detect and mitigate DDoS attacks is to do so close to the source — at the network edge. By scanning traffic at the closest point of presence in a global, distributed network, high service availability is assured, even during substantial DDoS attacks. This approach reduces the latency penalties that come from routing suspicious traffic to geographically distant scrubbing centers. It also leads to faster attack response times.

But even when mitigating DDoS attacks at the network edge, there is another important choice to make: always-on protection versus on-demand protection. Always-on protection constantly scans traffic for potential attacks, while an on-demand approach only engages once an attack has been detected. In general, an always-on approach reduces time-to-mitigation, since it does not rely on a human noticing the attack. When combined with flat-rate pricing, always-on can also be less expensive on a dollar-per-Mbps basis for companies that experience attacks frequently. However, there are reasons why on-demand protection might be a better fit. A common one is control: some organizations might not want to add a persistent additional hop to their end-to-end network path. In addition, always-on protection can make troubleshooting network issues more complex.

Learn more about how Cloudflare’s DDoS protection service and always-learning global Anycast cloud network—with points of presence in 200 cities in 90 countries—make fast, unmetered mitigation possible. With 35 Tbps of network capacity and near-instant mitigation, Cloudflare can endure the largest network DDoS attacks while continuing to allow good traffic, and simultaneously keep your websites, applications, and entire networks performing and available.

roger nichols, User Rank: Apprentice, 6/24/2020 | 4:33:54 AM
Your DDoS mitigation makes no sense.. There is nothing worse than Cloudflare's captcha.. Nothing makes me more happy than seeing a site is protected by Cloudflare... your math on financial losses by the millisecond is absolutely conjecture.. Try to do better. :)