Despite the huge growth in cloud-based DDoS protection and a perception that on-premises protection is out of date and old school, many security researchers believe that on-premises protection against DDoS is still the most effective kind of protection in terms of minimizing response time and the degree of operational control you can achieve. Today it no longer has to be delivered only via a traditional appliance; it can also be a virtualized solution.
Despite the attention-grabbing headlines around Mirai and the recent memcached-server DDoS attacks, most DDoS attacks are not large. In fact, 80% fall under 1 Gbps. While a cloud-based approach typically bolsters capacity in the face of a large attack, on-premises solutions tend to be better equipped to deal with the kind of multi-vector campaigns that are the most common. DDoS attacks often combine volumetric, application-layer and stateful attack components.
In Arbor Networks’ recently published 13th annual Security Report, 48% of participants reported experiencing multi-vector attacks. For the second consecutive year, volumetric attacks decreased with a corresponding increase in application-layer attacks. Application-layer attacks are the most sophisticated kind of attack: with as few resources as one machine they can target some aspect of an application or service at Layer 7 and cause serious consequences. These are difficult for cloud-based DDoS protection solutions to mitigate, and on-premises protection has repeatedly shown itself to be the most effective way to stop the smaller, stealthier application-layer attacks.
Compared to other kinds of cybersecurity threats that can dwell inside a network for weeks, DDoS attacks occur without warning. When one strikes, you want to be ready with the most rapid response times, both to detect it happening and to automatically trigger the most effective kind of mitigation. On-premises DDoS protection is usually faster than cloud-based protection because there is no lag while traffic is redirected to the cloud and sent off-premises. Even a short delay can make the difference between preventing downtime and suffering it. On-premises solutions have the traffic visibility necessary to quickly diagnose what is going on, saving IT and network teams valuable time.
The greater visibility gained from an on-premises solution also allows monitoring of both internal and external network traffic, letting you search for anomalies that suggest attacker activity, whether reconnaissance on the network, botnet command-and-control activity or malware movement.
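As an added illustration of the sub-1 Gbps multi-vector campaigns described above, and of the kind of anomaly detection that on-premises traffic visibility makes possible (example code written for this page, not from the original article or any vendor product): a toy classifier runs over one window of constructed flow records and flags which of the volumetric, stateful and application-layer components are present. The Flow record shape, the thresholds and the sample addresses are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str             # source IP (constructed sample data)
    nbytes: int          # bytes seen from this flow in the window
    syn_only: bool       # SYN seen but the handshake never completed
    http_path: str = ""  # requested path if this was an HTTP request

# Illustrative thresholds (assumptions); real deployments tune these per network.
VOLUMETRIC_BPS = 1_000_000_000             # 1 Gbps, the size most attacks stay under
HALF_OPEN_RATIO, HALF_OPEN_MIN = 0.5, 100   # share and count of half-open flows
L7_PATH_RPS, L7_MIN_SOURCES = 200, 20       # requests/s to one path, distinct sources

def classify_window(flows, window_s=1.0):
    """Return the set of attack vectors visible in one window of flow records."""
    vectors = set()
    if not flows:
        return vectors
    if sum(f.nbytes for f in flows) * 8 / window_s >= VOLUMETRIC_BPS:
        vectors.add("volumetric")
    half_open = sum(1 for f in flows if f.syn_only)
    if half_open >= HALF_OPEN_MIN and half_open / len(flows) >= HALF_OPEN_RATIO:
        vectors.add("stateful")
    requests = Counter(f.http_path for f in flows if f.http_path)
    for path, n in requests.items():
        sources = {f.src for f in flows if f.http_path == path}
        if n / window_s >= L7_PATH_RPS and len(sources) >= L7_MIN_SOURCES:
            vectors.add("application")
            break
    return vectors

def is_multi_vector(vectors):
    """A campaign combining two or more vectors is what the text calls multi-vector."""
    return len(vectors) >= 2

def build_sample_window():
    """Constructed 1-second window: a low-volume L7 flood plus a SYN flood, well under 1 Gbps."""
    flows = [Flow(f"198.51.100.{i % 25}", 600, False, "/search") for i in range(250)]
    flows += [Flow(f"203.0.113.{i % 200}", 60, True) for i in range(300)]
    flows += [Flow(f"192.0.2.{i}", 20_000, False, f"/page/{i}") for i in range(50)]
    return flows

if __name__ == "__main__":
    found = classify_window(build_sample_window())
    print(sorted(found), "multi-vector:", is_multi_vector(found))
```

The sample window totals under 10 Mbps, so a purely capacity-based view would see nothing, while the half-open ratio and the per-path request rate expose two vectors at once.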
Furthermore, some argue that by adding cloud-based protection you are in fact increasing your attack surface and presenting attackers with more opportunity. Relying upon your SaaS, ISP or cloud provider can cause problems down the line by taking control out of your own hands.