In a large-scale DoS event, where the attack has many sources hitting your servers, you are at a big disadvantage. Take this 1st drawing:
Your web server comes under a severe, intense attack. In these 2 above types of attacks (L4 and L7), we are at the mercy of the number of sources, the duration of the attacks and the capabilities of our local mitigation gear, which is typically limited to an exterior IPS and/or UTM firewall. None of which are true DoS mitigation devices, btw.
Note: Even if you could afford to buy mitigation gear (FortiDDoS, Radware, F5, Arbor, etc.), you will probably be understaffed and lack experience with mitigation concepts. DDoS mitigation requires full-time monitoring & analysis.
Okay, sounds good so far, right?
We have mitigation gear, but what happens in reality? As you stumble around trying to fight back the attacking sources, spoofed or non-spoofed, your WAN uplink(s) are saturated.
What this means at the end of the day: you might block the attacks (score one for you), but the attack depletes your WAN uplink capacity with junk traffic (score one for the attackers). So even if they didn't take down the web farm, for example, the mere flooding of your WAN uplinks prevents legit clients from accessing your website in a reasonable and responsive time.
In almost all of these attacks that I've seen over the course of 7 years, they always resulted in higher latency/response times, with link saturation and spikes. While your IPS sensors are trying to mitigate, your clients are not getting through or are exhibiting slower page load times.
Now, with cloud-based DoS protection, we have the ability to redirect traffic into the provider's cloud first and apply some type of mitigation gear and strategy there. This allows the provider to take the punches, kicks, and blows, and they will pass only legit, clean traffic to your web server.
See drawing #2 of a cloud-based mitigation:
The same attacks are under way, but now, with a cloud provider and redirection into the provider's space, we can let them mitigate the attacks.
Okay, the advantages of this approach are:
- the provider typically has more bandwidth than your own uplinks
- they have specialized and trained staff dedicated just to mitigation
- they have better mitigation gear, including IPS, WAF, trafficdirector, SSL offloading, AV/MAL detection, etc.
- the DDoS provider also runs 24x7x365 and never sleeps
Here's a superior DDoS provider using the latest strategies and methods for cloud-based protection:
http://www.securitydam.com/
Cloud-based mitigation is the only way to ensure both higher availability and a greater percentage of success.
Ken Felix
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com