While there are many advantages to cloud-based DDoS scrubbing, which separates malicious traffic from legitimate traffic, there are several disadvantages as well. These include:
– Scrubbing centers are only able to monitor inbound traffic – because outbound traffic is not monitored, enterprises and service providers cannot be certain that they are not themselves an unknowing source of volumetric attacks;
– Overall degradation of experience during a DDoS attack – by redirecting all traffic to a cloud-based scrubbing center during an attack, existing legitimate connections are likely to experience service degradation. There is a far greater chance of packet loss and jitter, which degrades the user experience, particularly in applications like streaming video and VoIP;
– Scrubbing devices cannot always distinguish between legitimate and malicious traffic, i.e. there can be false positives (legitimate traffic is filtered) and false negatives (unwanted traffic is not filtered);
– Incomplete detection – traffic is sampled rather than inspected completely. This leaves open the possibility that malicious traffic gets through despite passing through a scrubbing center;
– Mitigation is relatively slow compared to on-premises DDoS mitigation – diverting traffic requires network routers to publish and propagate new routes (BGP/OSPF, etc.) before traffic actually reaches the scrubbing center, so detection and mitigation are delayed. Even a 2-3 minute delay in mitigating a flooding attack can be significant, particularly in the age of “hit and run” DDoS attacks.
Pricing can also be an issue. Scrubbing centers typically involve human intervention, which drives up costs. If an organization experiences frequent, repeated DDoS attacks and has an on-demand service, the cost of switching to the cloud for each short-duration DDoS attack can add up quickly.
Traditional scrubbing does not address multi-layer attacks. Some companies, such as Radware, are adding an additional layer of granularity to their scrubbing centers to address this; however, scrubbing centers that have not yet updated their services may have trouble stopping second or third attacks that are designed to circumvent an organization’s layered protection strategy.
The best solution for comprehensive protection is most likely a hybrid approach that combines cloud-based scrubbing with an on-premises DDoS protection appliance. The two approaches working in conjunction can automatically detect threats and clean traffic in milliseconds, while also allowing for additional capacity if needed in the face of a large volumetric attack.
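The escalation logic behind such a hybrid setup can be shown with a small simulation. The following Python is an added illustration written for this page, not code from Radware or any other product: an on-premises detector acts on the first sample that exceeds a rate threshold, requests cloud diversion only when the flood exceeds what the local appliance can absorb, and models the route-propagation delay so the reader can see how long traffic above local capacity goes without cloud help. The baseline rate, thresholds, 1 Gbps local capacity, 180 s diversion delay and the per-second traffic trace are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Event:
    t: int        # seconds since the start of the trace
    kind: str     # onprem_mitigate | cloud_divert_requested | cloud_active | clear
    mbps: float   # inbound rate observed when the event fired


@dataclass
class HybridController:
    """On-premises detector that escalates to a cloud scrubbing center.

    Assumed parameters (not from the article): a flood is declared when the
    inbound rate exceeds attack_multiplier x baseline; the appliance absorbs up
    to onprem_capacity_mbps on its own; cloud diversion only takes effect
    divert_delay_s after it is requested (BGP route publication/propagation).
    """
    baseline_mbps: float
    attack_multiplier: float = 5.0
    onprem_capacity_mbps: float = 1000.0
    divert_delay_s: int = 180
    clear_seconds: int = 10
    events: List[Event] = field(default_factory=list)
    exposure_seconds: int = 0   # seconds above on-prem capacity with no cloud help yet
    _onprem_active: bool = False
    _divert_requested_at: Optional[int] = None
    _cloud_active: bool = False
    _quiet: int = 0

    def observe(self, t: int, mbps: float) -> None:
        # 1. Time-driven transition: the cloud path becomes effective only once
        #    the new routes have propagated, regardless of what this sample shows.
        if (self._divert_requested_at is not None and not self._cloud_active
                and t - self._divert_requested_at >= self.divert_delay_s):
            self._cloud_active = True
            self.events.append(Event(t, "cloud_active", mbps))

        # 2. Sample-driven decisions.
        if mbps > self.attack_multiplier * self.baseline_mbps:
            self._quiet = 0
            if not self._onprem_active:
                # The local appliance acts on the same sample it detected on.
                self._onprem_active = True
                self.events.append(Event(t, "onprem_mitigate", mbps))
            if mbps > self.onprem_capacity_mbps:
                if self._divert_requested_at is None:
                    self._divert_requested_at = t
                    self.events.append(Event(t, "cloud_divert_requested", mbps))
                if not self._cloud_active:
                    # Traffic beyond local capacity with no cloud path yet.
                    self.exposure_seconds += 1
        else:
            self._quiet += 1
            if (self._onprem_active or self._cloud_active) and self._quiet >= self.clear_seconds:
                self.events.append(Event(t, "clear", mbps))
                self._onprem_active = False
                self._cloud_active = False
                self._divert_requested_at = None
                self._quiet = 0


def constructed_trace() -> List[Tuple[int, float]]:
    """Constructed per-second inbound rates (Mbps): 30 s of normal traffic,
    20 s of a flood the appliance can absorb, 400 s of a larger flood, then
    20 s back to normal."""
    trace: List[Tuple[int, float]] = []
    t = 0
    for seconds, mbps in ((30, 100.0), (20, 800.0), (400, 5000.0), (20, 100.0)):
        for _ in range(seconds):
            trace.append((t, mbps))
            t += 1
    return trace


def run_scenario(controller: Optional[HybridController] = None) -> HybridController:
    """Feed the constructed trace through a controller and return it."""
    ctl = controller or HybridController(baseline_mbps=100.0)
    for t, mbps in constructed_trace():
        ctl.observe(t, mbps)
    return ctl


if __name__ == "__main__":
    ctl = run_scenario()
    for e in ctl.events:
        print(f"t={e.t:4d}s  {e.kind:24s} {e.mbps:7.0f} Mbps")
    print(f"seconds above on-prem capacity before cloud took over: {ctl.exposure_seconds}")
```

With the default parameters the appliance mitigates on the first flood sample (t=30 s), the diversion request goes out the second the rate exceeds local capacity (t=50 s), and the cloud path only becomes effective at t=230 s, so traffic above local capacity goes 180 s without cloud scrubbing: exactly the propagation delay the article warns about. Raising `onprem_capacity_mbps` above the flood size removes the diversion entirely, which is the capacity trade-off a hybrid design is sizing.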