The DDoS debate: Multi-layered versus single solution
by Vann Abernethy - Senior Product Manager for NSFOCUS - Monday, 9 December 2013.
There is a DDoS debate in the cybersecurity industry about which solution is more effective – multi-layer or single. However, the question is really more complex and must consider three separate choices: traditional defenses versus dedicated DDoS defenses, multi-provider (device or service) versus single provider (device or service), and layered defense-in-depth versus a single defender.

Traditional defenses, such as firewalls, IPS devices and routers, are not as effective as dedicated DDoS defense systems. Detection is poor, response is ineffective and these devices are sometimes the target of attacks themselves. Dedicated DDoS defenses – whether on-premise, off-site or a combination of the two (more on this later) – are designed specifically to detect and defend against DDoS attacks, and are therefore more effective.

The keys to successfully defending against any DDoS attack are:
  • The speed with which you can recognize the attack
  • How fast you can begin mitigation of the attack
  • A well-coordinated defense.
With this in mind, you must have either a service or a detection device that can quickly and correctly identify an attack. From there, either by alert or automation, mitigation defenses must be brought to bear. This is pretty straightforward in a single-provider scenario, as there is one entity coordinating the defenses – and that provider can either be a 100 percent off-site service or a combination of on-premise and off-site.

In multi-provider scenarios, the coordination falls to someone (either inside or outside the organization) who must marshal the defenses and manage the response to the attack. In either case, pre-planning and testing are key to mapping out and refining processes and responsibilities. A single-provider solution will have the advantage here, but it is doable in a multi-provider environment.

Next, we have layered defense versus single defense. Even though I will always argue that layers of defenses are best, for some companies a single defensive system or service is sufficient. However, let's talk worst-case scenario here and break this down. The quicker the attack can be identified and defenses can come to bear, the better off you are in a DDoS attack – accurate and fast detection is the first layer of defense.

The next step is mitigation and how quickly this system can be engaged. Planning is critical here, either for a system that is on-site or a service. Pre-defined BGP routing or GRE tunneling to get the attack traffic to the mitigation device or service will help limit downtime and must be tested in advance. You don't want to be adjusting router tables on the fly or waiting for something to announce while you are under a DDoS attack. Test it, and have the ability (either manually or through automation) to get the traffic moved to mitigation the moment an attack is detected.

Finally, we come to the big decision of what goes where. Detection can be anywhere, as long as the traffic is evaluated in near real-time (e.g., from sampled NetFlow exports). Mitigation can be anywhere as well, but there are some trade-offs. Those first few moments of an attack can be tricky. A dedicated DDoS defender on-site can provide some immediate relief (what I like to call the "speed bump"). However, its mitigation capability is bound by the size of the pipe. The good news is that most attacks tend to be smaller and shorter in duration.
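To make the detect-then-mitigate flow above concrete, here is an added example (not code from the original article or from NSFOCUS) that scales sampled NetFlow-style byte counts back to line rate, flags a destination whose rate far exceeds its baseline, and chooses between the on-site "speed bump" and pre-tested off-site diversion according to the size of the pipe. The flow records, per-host baselines, 1:1000 sampling rate and 1 Gbps pipe are constructed assumptions for illustration.

```python
"""Sampled-flow DDoS detection with a tiered mitigation decision (added example)."""
from collections import defaultdict

# Constructed NetFlow-style records from one 10-second export window,
# collected with 1:1000 packet sampling. Fields: (dst_ip, packets, bytes).
SAMPLE_RATE = 1000
WINDOW_SECONDS = 10
FLOWS = [
    ("203.0.113.10", 40, 30_000),        # ordinary web traffic
    ("203.0.113.10", 35, 25_000),
    ("203.0.113.20", 600, 400_000),      # surge that the on-site box can absorb
    ("203.0.113.20", 650, 450_000),
    ("203.0.113.30", 5_000, 3_000_000),  # surge larger than the pipe itself
    ("203.0.113.30", 4_200, 2_500_000),
]
# Assumed normal traffic level per destination, in bits per second.
BASELINES = {"203.0.113.10": 20e6, "203.0.113.20": 20e6, "203.0.113.30": 20e6}
PIPE_BPS = 1e9           # assumed 1 Gbps upstream link and on-site mitigator limit
ATTACK_FACTOR = 5.0      # flag when a host receives 5x its baseline
ON_SITE_HEADROOM = 0.8   # keep on-site only while the attack stays under 80% of the pipe


def estimate_bps(flows, sample_rate=SAMPLE_RATE, window_seconds=WINDOW_SECONDS):
    """Undo packet sampling and convert per-destination bytes to bits per second."""
    sampled_bytes = defaultdict(int)
    for dst, _packets, nbytes in flows:
        sampled_bytes[dst] += nbytes
    return {dst: b * 8 * sample_rate / window_seconds for dst, b in sampled_bytes.items()}


def classify(bps, baseline_bps, pipe_bps=PIPE_BPS):
    """Return (verdict, action) for one destination's estimated rate."""
    if bps < baseline_bps * ATTACK_FACTOR:
        return "normal", "none"
    if bps <= pipe_bps * ON_SITE_HEADROOM:
        return "attack", "mitigate-on-site"        # the "speed bump" suffices
    # Beyond the pipe: trigger the pre-tested BGP/GRE diversion to off-site scrubbing.
    return "attack", "divert-offsite"


def evaluate(flows=FLOWS, baselines=BASELINES):
    """Run detection over one export window and return the action per destination."""
    return {dst: classify(bps, baselines[dst]) for dst, bps in estimate_bps(flows).items()}


if __name__ == "__main__":
    for dst, (verdict, action) in evaluate().items():
        print(f"{dst}: {verdict} -> {action}")
```

In practice the `divert-offsite` action would call the automation that announces the victim prefix to the scrubbing provider, and the thresholds would come from measured baselines rather than fixed constants.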
