DDoS Attack Mitigation: Don't Sacrifice Speed for Security

Why common strategies for stopping DDoS attacks sometimes cause the same slowdowns they’re trying to prevent.

Dark Reading Staff, Dark Reading

June 1, 2020


The website and network outages and slow traffic speeds caused by DDoS attacks can hurt conversions, increase drop-off rates, and degrade your customer experience. Research shows that 25% of users will leave a website that takes longer than four seconds to load. The consequences of lost uptime and performance can be severe for companies in certain industries. For instance, in financial trading platforms, a one millisecond advantage can be worth $100 million a year to a major brokerage firm. In e-commerce, Amazon discovered that 100 milliseconds of extra load time cost them 1% in sales.

Unfortunately, common strategies for stopping DDoS attacks sometimes cause the same slowdowns they’re trying to prevent. For example, many DDoS mitigation providers rely on one of two methods for stopping an attack: scrubbing centers, or on-premise scanning and filtering via hardware boxes. The problem with both approaches is that they impose a latency penalty that can adversely affect your business.

Scrubbing
The DDoS mitigation method of scrubbing involves re-routing all of your network traffic to scrubbing servers in designated geographic locations in an attempt to filter or ‘scrub’ out malicious traffic from the non-malicious. In an ideal scenario, the scrubbing server will only forward non-DDoS packets to the online application that is under attack.

In reality, scrubbing creates three issues: latency, operational expenses, and a lack of expertise to discern between good and bad traffic. Bandwidth management can quickly become complex and expensive when maintaining multiple scrubbing centers. Each scrubbing server requires multiple terabits per second (Tbps) of bandwidth to properly defend against today’s DDoS attacks that meet or exceed 1 Tbps in size. When an organization has only one scrubbing center, it acts as a bottleneck and creates large amounts of latency while all network traffic is filtered and then forwarded back to the original server.

Scrubbing is also expensive. For multiple scrubbing servers to handle a probable 100 Gbps of attack traffic at line rate, they’ll need specialized network and server hardware, including line cards in routers, network adapter cards in servers, and the actual servers. To efficiently use scrubbing centers, network engineers need to have expertise in TCP/IP, DNS, HTTP, and TLS protocols to properly pinpoint malicious traffic from non-malicious, which increases in difficulty as bad actors attempt to camouflage their DDoS packets as legitimate.

On-Premise Hardware Boxes
Another DDoS mitigation method uses on-premise hardware boxes to scan traffic and filter out malicious requests. Similar to scrubbing, the scanning hardware introduces network latency and inhibits performance, because re-routing all network traffic through the boxes for scanning creates a bottleneck. Since scanning hardware is a single point of defense, a local hardware box needs enough network capacity to sort through multiple Tbps of incoming traffic to filter out unwanted packets. On-premise anti-DDoS appliances often have a bandwidth limit by default, which is based on the combination of the organization’s network capacity and the box’s hardware capacity.

Always-On or On-Demand Mitigation?
A better way to detect and mitigate DDoS attacks is to do so close to the source — at the network edge. By scanning traffic at the closest point of presence in a global, distributed network, high service availability is assured, even during substantial DDoS attacks. This approach reduces the latency penalties that come from routing suspicious traffic to geographically distant scrubbing centers. It also leads to faster attack response times.
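The latency argument above can be put into numbers. The following is an added example, not part of the original article: it estimates the extra round-trip propagation delay when traffic detours through a single distant scrubbing center versus the nearest edge point of presence. The site list, coordinates and function names are constructed for illustration, and the model assumes great-circle fiber paths with both directions passing through the filtering site, so it ignores filtering, queuing and real-world routing.

```python
import math

FIBER_KM_PER_MS = 200.0  # light in optical fiber covers roughly 200 km per millisecond

# Approximate (latitude, longitude) pairs; all locations are constructed sample data.
SITES = {
    "melbourne": (-37.81, 144.96),
    "sydney": (-33.87, 151.21),
    "singapore": (1.35, 103.82),
    "frankfurt": (50.11, 8.68),
    "ashburn": (39.04, -77.49),
}

def km(a, b):
    """Great-circle distance between two named sites (haversine formula)."""
    (lat1, lon1), (lat2, lon2) = SITES[a], SITES[b]
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def rtt_ms(*hops):
    """Round-trip propagation delay along a path of sites (same path both ways)."""
    one_way = sum(km(a, b) for a, b in zip(hops, hops[1:]))
    return 2 * one_way / FIBER_KM_PER_MS

def detour_penalty_ms(client, origin, filter_sites):
    """Extra RTT from filtering at the site nearest the client instead of going direct."""
    nearest = min(filter_sites, key=lambda s: km(client, s))
    return nearest, rtt_ms(client, nearest, origin) - rtt_ms(client, origin)

def compare(client="melbourne", origin="singapore"):
    # One scrubbing center (hypothetical placement) versus a distributed edge.
    scrub = detour_penalty_ms(client, origin, ["ashburn"])
    edge = detour_penalty_ms(client, origin, ["sydney", "frankfurt", "ashburn"])
    return {"scrubbing": scrub, "edge": edge}

if __name__ == "__main__":
    for name, (site, penalty) in compare().items():
        print(f"{name:9s} via {site:9s} adds {penalty:6.1f} ms RTT")
```

These figures are a lower bound on the detour cost, since real fiber routes are longer than great-circle paths and the filtering itself takes time.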

But even when mitigating DDoS attacks at the network edge, there is another important choice to make: always-on protection versus on-demand protection. Always-on protection constantly scans traffic for potential attacks, while an on-demand approach only works once an attack has been detected. In general, an always-on approach reduces time-to-mitigation, since it does not rely on human awareness of an attack. When accompanied by flat-rate pricing, always-on can also be less expensive on a dollar-per-Mbps basis for companies that experience attacks frequently. However, there are reasons why on-demand protection might be a better fit. A common one is control: some organizations might not want to add a persistent additional hop to their end-to-end network. In addition, always-on protection can make troubleshooting network issues more complex.

Learn more about how Cloudflare’s DDoS protection service and always-learning global Anycast cloud network—with points of presence in 200 cities in 90 countries—make fast, unmetered mitigation possible. With 35 Tbps of network capacity and near-instant mitigation, Cloudflare can endure the largest network DDoS attacks while continuing to allow good traffic, and simultaneously keep your websites, applications, and entire networks elevated in performance and availability.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
