Traditional defenses, such as firewalls and IPS routers, are not as effective as dedicated DDoS defense systems. Detection is poor, response is ineffective and these solutions are sometimes the target of attacks themselves. Dedicated DDoS defenses whether on-premise, off-site or a combination of the two (more on this later) are designed specifically to detect and defend against DDoS attacks, and therefore more effective.
The keys to successfully defending against any DDoS attack are:
- The speed with which you can recognize the attack
- How fast you can begin mitigation of the attack
- A well-coordinated defense.
In multi-provider scenarios, the coordination lies with someone (either within or outside) to marshal the defenses and manage the response to the attack. In either case, pre-planning and testing are key to map out and refine processes and responsibilities. A single provider solution will have the advantage here, but it is doable in a multi-provider environment.
Next, we have layered defense versus single defense. Even though I will always argue that layers of defenses are best, for some companies a single defensive system or service is sufficient. However, let's talk worst case scenario here and break this down. The quicker the attack can be identified and defenses can come to bear, the better off you are in a DDoS attack accurate and fast detection is the first layer of defense.
The next step is mitigation and how quickly this system can be engaged. Planning is critical here, either for a system that is on-site or a service. Pre-defined BGP routing or GRE tunneling to get the attack traffic to the mitigation device or service will help limit downtime and must be tested in advance. You don't want to be adjusting router tables on the fly or waiting for something to announce while you are under a DDoS attack. Test it, and have the ability (either manually or through automation) to get the traffic moved to mitigation the moment an attack is detected.
Finally, we come to the big decision of what goes where. Detection can be anywhere, as long as the traffic is evaluated in near real-time (e.g., netflow sample rates). Mitigation can be anywhere, as well, but there are some trade-offs. Those first few moments of an attack can be tricky. A dedicated DDoS defender on-site can provide some immediate relief (what I like to call the "speed bump"). However, its mitigation capability is bound by the size of the pipe. The good news is that most attacks tend to be smaller and shorter in duration.