To DIY or not to DIY: when it comes to DDoS protection, it’s not really a question
Fri 27 Jan 2017

The outcomes of many DIY projects are easy to predict: wildly unprofessional electrical work and roofing tend to have the starkest consequences, with carpentry, auto repair and anything involving mass amounts of crazy glue trailing close behind. Most DIY disasters are not a surprise.
Then there are times when a person is well-versed in what they’re DIYing and does everything about as well as it can be done, and it still ends up being a disaster. That’s about how it goes with DIY DDoS protection.
The DDoS mess
Distributed denial of service (DDoS) attacks are designed to deny the services of a website to its legitimate users, and they do so by overwhelming the server or chewing up network resources with a major influx of malicious traffic.
This loss of website access is frustrating for users and can breed a loss of loyalty or feeling of distrust that can affect the website for years, if it ever even recovers. That’s saying nothing of the initial financial hit. An unmitigated DDoS attack can cost an organization $40,000 per hour and can often cause hardware or software damage.
Once the domain of cyber attackers and script kiddies, DDoS attacks have gone mainstream in the worst way. With the advent of DDoS for hire services, anyone with some spare cash can launch an attack at the website of their choosing. This combined with DDoS-powering botnets of never-before-seen sizes means that not only is nearly every website a potential target, but the attack coming at it could easily be massive.
Paved with good intentions
The idea behind DIY distributed denial of service protection is simple as well as laudable: these attacks are incredibly common and have serious consequences and should therefore be protected against. However, while the intentions behind DIY protection are good, the results typically aren’t.
DIY protection attempts often rely on static traffic thresholds and broad IP blacklisting. One of the main issues with these strategies is that legitimate users get caught up in the blocking – a little ironic, considering these steps are supposed to prevent the denial of service to legitimate users.
The other main issue with DIY protection is that it’s reactive instead of proactive. As DDoS protection provider Incapsula points out in its guide on how to stop DDoS attacks, a DIY solution’s configuration often has to be altered manually after the first wave of an attack has already hit. Though this may prevent the next wave or similar future assaults, an attack has already succeeded and likely caused downtime. There’s also no guarantee attackers won’t simply switch methods and render the new configuration useless. DIY protection is also only as good as a network’s bandwidth, which typically offers little in the way of scalability. This makes network layer DDoS attacks almost impossible to stop.
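The two weaknesses described above, a static per-IP threshold and its reactive tuning, are easy to see on a log. The following is an added example, not code from the article or from Incapsula: it runs a DIY-style rule ("block any source that sends more than N requests in a minute") over constructed combined-format web-server log lines. All IP addresses (taken from the documentation ranges), timestamps and the threshold value are made up for the illustration.

```python
"""
Added example: a static per-IP request threshold, of the kind a DIY DDoS
setup uses, evaluated over constructed web-server log lines. It shows
  1. a legitimate office behind one NAT address being blocked alongside the
     flooding source, because the rule only sees the source IP; and
  2. the rule being reactive: tuned to the first wave, it never trips on a
     second wave of the same or larger volume spread over many low-rate sources.
Everything here (addresses, timestamps, threshold) is constructed.
"""
import re
from collections import Counter

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (source_ip, minute_bucket) for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # "27/Jan/2017:10:00:12 +0000" -> bucket on the minute "27/Jan/2017:10:00"
    return m.group("ip"), m.group("ts")[:17]


def make_line(ip, ts, path="/index.html"):
    """Build one constructed combined-format line."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def build_log():
    """Constructed log: wave 1 from a single flooding source, a legitimate office
    behind one NAT address, then wave 2 spread across many low-rate sources."""
    lines = []
    # Wave 1 at 10:00 - one source (203.0.113.7) sends 200 requests in the minute.
    for i in range(200):
        lines.append(make_line("203.0.113.7", f"27/Jan/2017:10:00:{i % 60:02d}"))
    # Legitimate office behind one NAT address: 80 users x 2 requests, same minute.
    for i in range(160):
        lines.append(make_line("198.51.100.20", f"27/Jan/2017:10:00:{i % 60:02d}", "/cart"))
    # Wave 2 at 10:05 - 50 sources x 10 requests each, every source far below the threshold.
    for src in range(50):
        for i in range(10):
            lines.append(make_line(f"203.0.113.{100 + src}", f"27/Jan/2017:10:05:{i:02d}"))
    return lines


def per_ip_per_minute(lines):
    """Count requests per (source_ip, minute), skipping unparseable lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed] += 1
    return counts


def static_threshold_block(lines, threshold):
    """DIY rule: block any source IP that exceeds `threshold` requests in one minute."""
    counts = per_ip_per_minute(lines)
    return {ip for (ip, _), n in counts.items() if n > threshold}


def requests_per_minute(lines):
    """Total requests per minute regardless of source - the load the server actually feels."""
    totals = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            totals[parsed[1]] += 1
    return totals


def report(threshold=100):
    """Apply the rule (threshold tuned after wave 1) and summarise what it did and missed."""
    lines = build_log()
    blocked = static_threshold_block(lines, threshold)
    totals = requests_per_minute(lines)
    return {
        "blocked": sorted(blocked),
        "office_blocked": "198.51.100.20" in blocked,          # collateral damage
        "wave2_blocked": any(ip.startswith("203.0.113.1") for ip in blocked),  # evasion
        "total_10_00": totals["27/Jan/2017:10:00"],
        "total_10_05": totals["27/Jan/2017:10:05"],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the threshold set to 100 after the first wave, the rule blocks the flooding address but also the office NAT address (160 requests from 80 real users), and the second wave, which delivers more requests per minute than the first, is never blocked because no single source crosses the line. That is the gap a per-source, manually tuned threshold cannot close on its own.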
The benefits of DIY distributed denial of service protection are that the price is right, and it’s better to have any form of protection than none at all. Unfortunately, that’s not saying much.
Actual options
When it comes to investing in effective DDoS protection, there are two main options: on-premise and off-premise.
On-premise protection, as you might expect, is literally on the premises of the organization, with hardware positioned inside the network in front of the servers it protects. These solutions offer advanced traffic filtering, rate limiting, IP reputation, signature identification and geoblocking, all effective weapons in the war on DDoS, particularly against application layer attacks.
Where on-premise solutions struggle is with network-layer attacks. Like DIY protection, scalability is an issue due to bandwidth constraints.
On-premise solutions also require manual deployment, which can mean an attack finds success in the form of initial downtime. The biggest factor most organizations have to consider is the cost, as on-premise protection setup tends to be prohibitive for anything other than large corporations and organizations that require on-premise protection to adhere to industry standards.
In the clouds
Off-premise DDoS protection is a managed service, which means there’s no investment in hardware required, nor do an organization’s employees have to be involved in DDoS mitigation as it is handled by DDoS professionals. Off-premise protection comes in two forms: ISP-based and cloud-based. ISP-based protection protects against network layer attacks, which makes it a supplementary option for organizations using on-premise protection.
Cloud-based protection protects against both network layer and application layer attacks, so it’s essentially an all-in-one. There are no bandwidth-related scalability issues because these solutions are deployed outside of an organization’s network. That scalability makes them a good fit for a wide range of organizations, from mom and pop ecommerce sites to major corporations.
Off-premise protection is a much cheaper option than on-premise, and with no involvement required from the organization, it’s much easier as well.
Conclusion
DIY distributed denial of service protection is a frustrating thing, because the experience and knowledge required to even build these solutions is significant, but when it comes to actually stopping the attacks, it just doesn’t matter. For actual protection against both application layer and network layer attacks, it has to be on-premise with a side of ISP-based protection, or cloud-based DDoS protection. Save the DIY disasters for your plumbing.
Debbie Fletcher is a freelance reporter, writing here on behalf of cloud-based application delivery platform Incapsula.