Is a hybrid DDoS defense strategy the best option for enterprises?

Choosing between on-premises and cloud DDoS services can be challenging, so why not use both? Expert Dan Sullivan explains.

How does hybrid distributed denial-of-service protection differ from traditional DDoS protection in terms of security?...

My organization is wary of adopting a complete cloud or traditional DDoS prevention strategy and thinks a combination of the two may be better.

The history of information security is a repeating pattern: an emerging threat leads to a countermeasure, which in turn prompts attackers to develop new techniques that avoid or circumvent that countermeasure. Denial of service follows the same pattern, and the latest cycle has left many organizations vulnerable to sophisticated distributed denial-of-service (DDoS) attacks.

The latest incarnation of DDoS attacks is easy to deploy and uses a simple strategy: generate such a large volume of malicious traffic that the target devices are overwhelmed. Some attacks take advantage of weaknesses in commonly used Internet services, such as the Network Time Protocol (NTP), to amplify that traffic. An attacker sends small, malicious requests to an NTP server with the source address spoofed to the target, and the server answers the target with a much larger response (e.g., hundreds of records describing the clients that have recently contacted the NTP server).

In addition to these volumetric attacks, some attackers are turning to application-level attacks, which overwhelm an application with requests that are expensive to serve without necessarily saturating network capacity.

The takeaway from both long- and short-term history is that the precise mechanisms of DDoS attacks change constantly and are therefore difficult to keep up with. This situation favors specialized cloud services from vendors that focus on DDoS mitigation: they track the state of attack methods and have the capacity to detect and mitigate volumetric attacks.

Application attacks, however, are more specific. In terms of the OSI network model, monitoring the lower layers of the stack is useful for detecting and mitigating volumetric attacks but less effective against application-level attacks, which can look like ordinary traffic at layers 3 and 4. On-premises technologies with application-specific evaluation criteria are a better option for application-level attacks.
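The distinction drawn above (volumetric attacks, including the NTP amplification pattern described earlier, are visible at layers 3 and 4; application-level attacks are not) can be seen in a small pair of detectors. This is an added illustration, not code from the article or its author, and every flow record, log line, threshold and endpoint cost in it is a constructed assumption: the byte threshold, the victim and reflector addresses, and the per-endpoint cost table are all invented for the example. The volumetric check fires on the NTP flood and stays silent on the application attack; the application-specific check catches the attack by weighing requests by what they cost the backend rather than by bytes, and it takes an allowlist so that a known-good heavy client can be exempted.

```python
"""Added example, not code from the original article or its author: two
constructed detectors that show why layer 3/4 volumetric monitoring catches
an NTP amplification flood but misses a low-bandwidth application-layer
attack. All flow records, log lines, thresholds and endpoint costs below are
constructed assumptions."""
import re
from collections import defaultdict

# Constructed NetFlow-style records for one second of traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Fifty open NTP servers each return a large monlist reply (UDP source port
# 123) to the spoofed victim 203.0.113.10; one ordinary TCP client is mixed in.
NTP_FLOOD_FLOWS = [
    (f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, "udp", 48_000)
    for i in range(50)
] + [("192.0.2.7", 51515, "203.0.113.10", 443, "tcp", 2_000)]

VOLUMETRIC_THRESHOLD_BYTES = 1_000_000  # assumed bytes/second per destination


def detect_volumetric(flows, threshold=VOLUMETRIC_THRESHOLD_BYTES):
    """Layer 3/4 check: total bytes per destination. Also reports the
    (proto, src_port) pair contributing the most bytes, so a reflection
    signature such as UDP source port 123 is visible in the alert."""
    per_dst = defaultdict(int)
    per_src_kind = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, dport, proto, nbytes in flows:
        per_dst[dst] += nbytes
        per_src_kind[dst][(proto, sport)] += nbytes
    alerts = {}
    for dst, total in per_dst.items():
        if total >= threshold:
            kind, kind_bytes = max(per_src_kind[dst].items(), key=lambda kv: kv[1])
            alerts[dst] = {"bytes": total, "dominant_source": kind,
                           "dominant_share": kind_bytes / total}
    return alerts


# Constructed web-server access log (common log format) for the same second.
def _log_line(client, path, size):
    return f'{client} - - [10/Oct/2014:13:55:36 +0000] "GET {path} HTTP/1.1" 200 {size}'


APP_LOG = (
    [_log_line("192.0.2.99", f"/search?q=term{i}", 512) for i in range(60)]  # attacker
    + [_log_line(f"198.51.100.{i}", "/", 8_000) for i in range(5)]          # visitors
    + [_log_line("10.0.0.5", "/report", 1_500) for _ in range(12)]          # internal job
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')

# Assumed backend cost per endpoint prefix, in arbitrary work units.
ENDPOINT_COST = {"/": 1, "/static/": 1, "/search": 50, "/report": 200}


def endpoint_cost(path):
    """Longest matching prefix wins, so '/search' beats '/'."""
    path = path.split("?", 1)[0]
    for prefix, cost in sorted(ENDPOINT_COST.items(), key=lambda kv: -len(kv[0])):
        if path.startswith(prefix):
            return cost
    return 1


def log_to_flows(lines, server="203.0.113.10"):
    """Collapse the access log to flow records so the volumetric detector can
    be run over the same traffic it would see on the wire."""
    flows = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            flows.append((m.group(1), 0, server, 443, "tcp", int(m.group(5))))
    return flows


def detect_application(lines, cost_threshold=2_000, allowlist=frozenset()):
    """Application-specific check: work units requested per client per window.
    Bytes are irrelevant; tiny requests to expensive endpoints exhaust the
    backend. The allowlist is the operator's guard against known-good heavy
    clients being filtered (the false-positive risk a hybrid strategy must manage)."""
    work, nbytes = defaultdict(int), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status, size = m.groups()
        work[client] += endpoint_cost(path)
        nbytes[client] += int(size)
    return {c: {"work": w, "bytes": nbytes[c]}
            for c, w in work.items() if w >= cost_threshold and c not in allowlist}


if __name__ == "__main__":
    print("volumetric, NTP flood:", detect_volumetric(NTP_FLOOD_FLOWS))
    print("volumetric, app attack:", detect_volumetric(log_to_flows(APP_LOG)))
    print("application, app attack:", detect_application(APP_LOG))
    print("application, allowlisted:", detect_application(APP_LOG, allowlist={"10.0.0.5"}))
```

Run as a script, the NTP flood is flagged with UDP source port 123 as the dominant contributor, the application attack produces well under the byte threshold and is invisible to the volumetric check, and the application check flags both the attacker and the internal report job until the latter is allowlisted. That last case is the point of the allowlist: an automatic application-layer filter built without knowledge of the organization's own heavy but legitimate clients will cut them off along with the attacker.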

Security and business decision-makers are in a difficult position. Volumetric attacks can quickly overwhelm network resources, so automated, cloud-based responses may be the best option. Applications can also be overwhelmed, but application owners may be rightly concerned about automatically rerouting and filtering traffic destined for mission-critical, line-of-business applications.

A combination of the two approaches -- a hybrid DDoS strategy -- lets organizations take advantage of the strengths of each approach while compensating for the weaknesses of each. Even with hybrid countermeasures, challenges remain: any filtering carries the risk of misclassifying legitimate traffic as malicious and disrupting business operations, so thresholds, allowlists and automated mitigation steps need to be tuned and tested against the organization's own traffic before an attack, not during one.

History has demonstrated that the types of attacks we can expect will change over time -- as will the countermeasures we have to deploy.
