The DDoS debate: Multi-layered versus single solution

There is a DDoS debate in the cybersecurity industry about which solution is more effective – multi-layer or single. However, the argument is really more complex and must consider traditional defenses versus dedicated DDoS defenses, multi-provider (device or service) versus single provider (device or service), and layered defense in-depth versus single defender.

Traditional defenses, such as firewalls and IPS routers, are not as effective as dedicated DDoS defense systems. Detection is poor, response is ineffective and these solutions are sometimes the target of attacks themselves. Dedicated DDoS defenses – whether on-premise, off-site or a combination of the two (more on this later) – are designed specifically to detect and defend against DDoS attacks, and therefore more effective.

The keys to successfully defending against any DDoS attack are:

  • The speed with which you can recognize the attack
  • How fast you can begin mitigation of the attack
  • A well-coordinated defense.

With this in mind, you must have either a service or a detection device that can quickly and correctly identify an attack. From there, either by alert or automation, mitigation defenses must be brought to bear. This is pretty straightforward in a single-provider scenario, as there is one entity coordinating the defenses – and that provider can either be a 100 percent off-site service or a combination of on-premise and off-site.

In multi-provider scenarios, the coordination lies with someone (either within or outside) to marshal the defenses and manage the response to the attack. In either case, pre-planning and testing are key to map out and refine processes and responsibilities. A single provider solution will have the advantage here, but it is doable in a multi-provider environment.

Next, we have layered defense versus single defense. Even though I will always argue that layers of defenses are best, for some companies a single defensive system or service is sufficient. However, let’s talk worst case scenario here and break this down. The quicker the attack can be identified and defenses can come to bear, the better off you are in a DDoS attack – accurate and fast detection is the first layer of defense.

The next step is mitigation and how quickly this system can be engaged. Planning is critical here, either for a system that is on-site or a service. Pre-defined BGP routing or GRE tunneling to get the attack traffic to the mitigation device or service will help limit downtime and must be tested in advance. You don’t want to be adjusting router tables on the fly or waiting for something to announce while you are under a DDoS attack. Test it, and have the ability (either manually or through automation) to get the traffic moved to mitigation the moment an attack is detected.

Finally, we come to the big decision of what goes where. Detection can be anywhere, as long as the traffic is evaluated in near real-time (e.g., netflow sample rates). Mitigation can be anywhere, as well, but there are some trade-offs. Those first few moments of an attack can be tricky. A dedicated DDoS defender on-site can provide some immediate relief (what I like to call the “speed bump”). However, its mitigation capability is bound by the size of the pipe. The good news is that most attacks tend to be smaller and shorter in duration.

). For larger-scale attacks, the traffic will need to be sent upstream. Again, this is all about planning and coordination. If a single provider is used (particularly if the devices used are from the same vendor), both on-premise and upstream, then this handoff can be automatic and seamless. If not, then there is an added level of coordination. If the mitigation capability is 100 percent off-site, the main issue becomes speed to take over the offending traffic; pre-determined routes and testing will help reduce the time it takes to engage. So, when we talk about single and multi-layer, coordination is a primary concern.

Another thing to consider when discussing multi-provider and single provider is that even the single provider can use multiple solutions in a mesh to provide coverage (or use methods such as any-casting to spread the load). The point here is that we are really talking about single coordination – having an employee or outsourced provider ensure that the attack is handled in the most effective way possible for any attack type. From there, it is just about ensuring that the mitigation capabilities are sufficient and everyone understands the plan.

If you have zero tolerance for downtime, then a combination of on-premise and off-site solutions will work best. Regardless of whether they are multi- or single provider, fast, accurate and automated initial responses are critical. If you have a low tolerance for downtime (say, under 10 minutes), then an off-site service from a single provider will get you what you need. If you can accept some downtime, then a multi-provider scenario will provide you with an acceptable alternative. In reality, your business will drive what makes the most sense.