DDoS Attacks and the Cloud: How the Hybrid Approach Answers Emerging Concerns

March 9, 2016 | NSFOCUS

Track: Technical

Author: Ivan Tirado, Principal Sales Engineer, NSFOCUS

Pure-play cloud DDoS mitigation services have seen explosive growth. The market has grown from small outfits protecting online gambling operations to what is now an accepted approach at large banks and global enterprises in all verticals.

However, as the customer population expands, the set of needs diversifies. Many of these new customers have not experienced a true DDoS attack.

These new customers have more concerns, to name a few:

1) Data residency – Many countries and localities are establishing policies for “data residency”. These can be fairly complex, but a quick summary is “Financial/Sensitive data must not transit outside the country or locality”.

2) Latency considerations – Many of these customers use interactive services such as VoIP/Video. Others see their conversion rates on e-commerce websites tied to latency. The reasons are diverse, but the concern remains the same: “I want to always be protected, but I can’t take on latency during peacetime.”

3) Control/Reporting/Communication – Yes, having a strong SLA is ideal. However, these new customers also seek a certain degree of autonomy/control with regards to mitigation, traffic ingestion/return, reporting, and communication.

4) Price – As the market broadens, it nets more price-sensitive customers – in many cases because acquisition of DDoS mitigation is a pre-emptive strategy. In other cases, the pricing models typical of cloud services are not a good fit. For example, customers in the SLED (State, Local, Education) vertical have high amounts of inbound bandwidth and IP address space, but tend to have lower budgets than large enterprises.

A true hybrid approach, with both a strong on-premises component, as well as a strong cloud service, is key to meeting the broader market need.

Let’s examine how a proper hybrid approach meets the needs summarized above:

1) Data residency

Within a pure cloud concept, we must ensure that all traffic pertinent to the target of the attack traverses the cloud. Typically, this is enforced by advertising the /24 network that contains the attack target via BGP only to the cloud service. If the cloud service doesn’t operate a scrubbing center close to the customer data center (in country/locality), users trying to access a resource within that /24 will traverse links outside the country, ingress at the cloud service’s scrubbing center, and then be routed back to the data center.

The hybrid approach can tolerate some leakage of attack traffic to the origin due to the use of a local mitigation capability. A true hybrid approach can allow the customer to continue to advertise their networks to their local ISP, as well as to the cloud service. Attack traffic originated outside the country/locality would ingress via the cloud service, while in-country traffic would have the opportunity to continue using the local ISP path.

2) Latency considerations

If the nearest cloud scrubbing facility is far away from the customer data center, round-trip latencies increase, especially for local users. The hybrid approach minimizes latency because it allows the normal ISP path to be used for local users. Also, the hybrid approach enables the customer to locally mitigate attacks smaller than the ingress bandwidth. The cloud service would only be used when attacks exceed the ingress bandwidth.

3) Control/Reporting/Communication

The customer is still responsible to its stakeholders and the public regarding the overall availability and performance of all services, despite usage of a cloud service. The ability to generate reports, get immediate status, and modify mitigation parameters empowers those responsible. The hybrid approach affords additional flexibility to the customer to meet specific/special needs. For example, many cloud services don’t guarantee performance or quality for VoIP and similar applications. A customer who takes a hybrid approach can choose to segment their environment to control where mitigation takes place: locally for sensitive services, in the cloud for less sensitive services.
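The three mechanisms above (keeping the /24 advertised to the local ISP, swinging to the cloud only when an attack exceeds ingress capacity, and keeping latency-sensitive prefixes local) can be modelled as a small diversion controller. This is an added illustration, not NSFOCUS code; the prefixes, capacities, thresholds and the 80% swing margin are assumed sample values.

```python
"""Hybrid DDoS diversion controller (added example, not NSFOCUS code).
Keeps the local ISP path and on-prem mitigation while an attack fits within
ingress capacity and announces the /24 to the cloud scrubber only when the
observed rate exceeds it; hysteresis keeps the BGP announcement from
flapping. All prefixes, rates and thresholds are constructed sample values."""
from dataclasses import dataclass

@dataclass
class Prefix:
    cidr: str                       # e.g. "192.0.2.0/24" (documentation range)
    ingress_capacity_mbps: float    # local uplink size (assumed)
    baseline_mbps: float            # peacetime traffic level (assumed)
    cloud_eligible: bool = True     # False for VoIP-like prefixes kept local
    diverted: bool = False          # True while announced to the cloud scrubber
    calm_samples: int = 0           # consecutive in-capacity samples since divert

@dataclass
class HybridController:
    swing_margin: float = 0.8       # divert at 80% of ingress capacity (assumed)
    release_samples: int = 3        # calm samples required before withdrawal

    def decide(self, p: Prefix, observed_mbps: float) -> str:
        """Classify one traffic sample and update the prefix's diversion state."""
        threshold = p.ingress_capacity_mbps * self.swing_margin
        if observed_mbps > threshold and p.cloud_eligible:
            p.calm_samples = 0
            if p.diverted:
                return "cloud_scrubbing"
            p.diverted = True
            return "divert_to_cloud"            # add the cloud announcement
        if p.diverted:
            p.calm_samples += 1
            if p.calm_samples < self.release_samples:
                return "cloud_scrubbing"        # wait out a lull before returning
            p.diverted = False
            p.calm_samples = 0
            return "withdraw_from_cloud"        # back to the local ISP path only
        if observed_mbps > p.baseline_mbps:
            return "local_mitigation"           # on-prem appliance handles it
        return "normal"

    @staticmethod
    def announcements(p: Prefix) -> set:
        """Where the /24 is advertised: local ISP always, cloud only when diverted."""
        return {"local_isp", "cloud"} if p.diverted else {"local_isp"}
```

Feeding a sequence of per-interval traffic rates to `decide` walks a prefix from peacetime through local mitigation, cloud diversion and back, while an ineligible prefix never leaves the local path.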

4) Price

A strong hybrid approach gives the customer some pricing leverage when selecting a cloud service. A hybrid customer can opt for more favorable service terms. Pricing for monitoring and always-on mitigation is often higher than for basic on-demand service. This is especially true for customers in the SLED vertical.

I’m excited at the opportunity and potential benefits offered by the NSFOCUS hybrid approach. It will help broaden the market, and I’m eager to discuss the benefits and deployment scenarios with customers and prospects.



Ivan Tirado has over 15 years of diverse experience in the technology sector. He has worked at enterprises, service providers, software and technology companies, and has dedicated the last few years of his career to internet security, specifically to solving the DDoS and Internet hacking problems. Ivan holds a Master’s degree in Information Systems from Kennesaw State University, as well as numerous professional certifications such as the ISC2 CISSP-ISSAP. He is an active member of the information security community, and has served as a board member for the Atlanta and San Antonio ISSA Chapters.