There are many types of DDoS protection. The essential traditional architecture for DDoS defense works as follows.
Flow data, together with complementary BGP and SNMP data, all derived from incoming traffic, are sent to a detection appliance inside the network infrastructure. The detection appliance identifies attacks and instructs the network to redirect traffic to a scrubbing or mitigation solution, typically made up of deep packet inspection appliances, which may be on-premises, in the cloud, or in a hybrid combination of the two.
The hybrid cloud approach allows overflow traffic, whether from a DDoS attack or a legitimate traffic spike too heavy for the on-premises device to handle, to be sent on demand to a cloud scrubbing center. This approach optimizes response time and price, and provides a flexible way to scale when necessary.
Protection appliances in the cloud can offer vast amounts of capacity to protect against volumetric attacks, such as the recent memcached DDoS attacks we’ve seen. These appliances block high packets-per-second attacks that exhaust the CPU resources of networking and security equipment, and they maintain the user experience for legitimate users, keeping businesses online.
Other approaches to DDoS mitigation include Remote Triggered Black Hole (RTBH) routing, which drops all traffic destined for certain IP addresses. This is mainly useful for retail ISPs with a large number of individual subscribers who come under DDoS attack, for example in online gaming. In these cases, a subscriber’s traffic may be cut off temporarily to protect other subscribers from collateral damage. However, RTBH is rarely used to protect application servers or enterprise networks, since it causes exactly the downtime the attacker intends. Scrubbing is therefore a much more widely used form of mitigation.
It is also possible to run all traffic through mitigation or scrubbing devices, either on-premises or in the cloud. However, many organizations cannot afford the cost of this kind of 24/7 service.
Hybrid cloud mitigation is utilized most frequently because it provides a balance of cost and protective effectiveness.
There are many different levels of sophistication when it comes to protection or detection appliances, and each mitigation service offers different options and levels of comprehensive protection.
Some DDoS detection appliances have recently been criticized for being outdated and inaccurate (many are based on fifteen-year-old computing architectures) and for being unable to perform reliable baselining. Baselining is the ability to respond to increasing traffic volumes using adaptive thresholds and a defined set of rules. Detection appliances tend to be able to perform baselining only against individual flow exporters, such as a single router or switch. Relying on simple static thresholds means attacks can be missed, and operations personnel must tune the thresholds by hand, which raises the cost to the client.
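The following is an added example, not code from the original article or from any vendor it discusses, showing the two detection styles contrasted above on constructed flow records: a fixed packets-per-second threshold applied to each flow exporter separately, and an adaptive baseline (an exponentially weighted mean and variance with a k-sigma threshold) applied to traffic summed across all exporters toward one destination. The router names (`r1`, `r2`, `r3`), the destination `203.0.113.10` (a documentation address) and the pps figures are all constructed; the EWMA parameters are assumptions chosen for illustration.

```python
"""
Added example: adaptive flow baselining across exporters versus a
per-exporter static threshold. All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple


@dataclass
class FlowRecord:
    minute: int      # one-minute time bucket
    exporter: str    # router or switch that exported the flow
    dst: str         # destination host/prefix under observation
    pps: int         # packets per second seen by that exporter


@dataclass
class Baseline:
    """EWMA mean/variance baseline with a k-sigma adaptive threshold."""
    alpha: float = 0.3    # weight of the newest sample (assumed value)
    k: float = 3.0        # sigma multiplier (assumed value)
    floor: float = 500.0  # never alert below this absolute pps (assumed value)
    warmup: int = 3       # samples to learn before alerting
    n: int = 0
    mean: float = 0.0
    var: float = 0.0

    def threshold(self) -> float:
        return max(self.floor, self.mean + self.k * sqrt(self.var))

    def observe(self, x: float) -> bool:
        """Return True if x is anomalous. Anomalous samples are not absorbed
        into the baseline, so an ongoing attack does not raise the bar."""
        if self.n >= self.warmup and x > self.threshold():
            return True
        if self.n == 0:
            self.mean, self.var = float(x), 0.0
        else:
            delta = x - self.mean
            incr = self.alpha * delta
            self.mean += incr
            self.var = (1.0 - self.alpha) * (self.var + delta * incr)
        self.n += 1
        return False


def static_per_exporter_alerts(records: List[FlowRecord], limit: int) -> List[Tuple[int, str, str]]:
    """Legacy style: a fixed pps limit checked on each exporter in isolation."""
    return [(r.minute, r.exporter, r.dst) for r in records if r.pps > limit]


def adaptive_aggregate_alerts(records: List[FlowRecord]) -> Tuple[List[Tuple[int, str]], Dict[str, Baseline]]:
    """Sum pps over all exporters per (minute, dst) and baseline the total."""
    totals: Dict[Tuple[int, str], int] = defaultdict(int)
    for r in records:
        totals[(r.minute, r.dst)] += r.pps
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    alerts: List[Tuple[int, str]] = []
    for (minute, dst) in sorted(totals):
        if baselines[dst].observe(totals[(minute, dst)]):
            alerts.append((minute, dst))
    return alerts, baselines


def constructed_records() -> List[FlowRecord]:
    """Constructed sample: ~150 pps per router toward one host for minutes 0-7,
    700 pps per router in minutes 8-9 (under a 1000 pps per-exporter limit,
    but 2100 pps in total), then normal traffic again in minutes 10-11."""
    dst = "203.0.113.10"  # documentation address used as a placeholder target
    normal = {
        "r1": [150, 160, 140, 155, 165, 145, 150, 160],
        "r2": [140, 150, 160, 145, 155, 150, 160, 140],
        "r3": [155, 145, 150, 160, 140, 155, 145, 150],
    }
    recs: List[FlowRecord] = []
    for exp, series in normal.items():
        for minute, pps in enumerate(series):
            recs.append(FlowRecord(minute, exp, dst, pps))
        for minute in (8, 9):
            recs.append(FlowRecord(minute, exp, dst, 700))
        for minute, pps in ((10, 150), (11, 155)):
            recs.append(FlowRecord(minute, exp, dst, pps))
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    print("static per-exporter alerts:", static_per_exporter_alerts(recs, 1000))
    alerts, baselines = adaptive_aggregate_alerts(recs)
    print("adaptive aggregate alerts :", alerts)
    b = baselines["203.0.113.10"]
    print(f"learned baseline mean={b.mean:.0f} pps, threshold={b.threshold():.0f} pps")
```

Run as a script, the per-exporter static check raises no alert because no single router ever exceeds 1000 pps, while the aggregated adaptive baseline flags minutes 8 and 9 for the destination. Because flagged samples are kept out of the baseline, the learned mean stays near the normal 450 pps total and the quiet traffic in minutes 10 and 11 is not flagged afterwards.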