
DDoS Protection: When DIY is a DON’T

There are circumstances in which DIY is a perfectly acceptable approach, such as when you are hosting children’s birthday parties or preparing Christmas gifts for relatives you don’t really like. But then there are times when DIY quickly becomes a disaster. Think home renovations involving construction, or car repairs involving the transmission. In the interest of not dredging up awful memories, you probably don’t need specifics. What you do need specifics on are the pros and cons (mostly cons) of DIY DDoS protection, and the options you can look into instead.

The DDoS threat

As much as DIY may not be the best approach to DDoS protection, the people employing it need to be lauded for recognizing the massive threat that DDoS attacks pose and being proactive in defense of their websites and businesses.

A DDoS attack is a distributed denial of service attack, which is what occurs when an attacker uses a number of internet-connected computers or devices to overwhelm the bandwidth or resources of a targeted website. When a DDoS attack is successful, it knocks the targeted website entirely offline or slows it down enough to leave it virtually unusable.

Not only are DDoS attacks becoming increasingly easy to mount and therefore increasingly prevalent thanks to DDoS for hire services, but they also cause jaw-dropping damage. For major enterprises, jaw-dropping damage translates to $40,000 per hour for an unmitigated attack. While smaller companies won’t suffer that sort of financial setback, they may still end up shelling out tens of thousands of dollars… if the business survives.

In addition to up-front financial damages, DDoS attacks also do a number on a business’s reputation, impacting customer loyalty. They can also cause software damage and hardware damage, or be used as a smokescreen for an intrusion in search of customer information, financial data or intellectual property.

DIY mitigation limitations

There aren’t many people who can read the above section and still want to take responsibility for protecting against DDoS attacks. Which is good. While any DIY effort is admirable, the broad IP blacklisting and static traffic thresholds of DIY DDoS mitigation just don’t have what it takes to stop these thundering attacks.

As DDoS protection services provider Imperva Incapsula says, one of the main problems with DIY DDoS protection is that it’s often used as a reactive measure. This means that while you’ll be able to tweak your solution’s configuration after an attack has hit, and that may make your solution more effective going forward, the first attack already hit and did its damage.

Further, when you tweak configurations to respond to an attack, those configurations will only be effective against that type of attack. DDoS attacks, unfortunately, lend themselves to creativity, with attackers able to adjust where they’re attacking from, or what attack vectors they’re using.
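The limitation described above, shown as an added example (not from the original article): a per-IP static threshold with a reactive blacklist, run over constructed traffic windows, next to a check on total volume. The limit, baseline, alarm factor and addresses are all assumed values.

```python
PER_IP_LIMIT = 100   # static threshold, requests per IP per window (assumed)
BASELINE = 500       # normal total requests per window (assumed)

def static_filter(window, blacklist, limit=PER_IP_LIMIT):
    """DIY-style filter: skip blacklisted IPs, blacklist any IP over the limit.
    Returns how many requests still reach the server in this window."""
    passed = 0
    for ip, count in window.items():
        if ip in blacklist:
            continue
        if count > limit:
            blacklist.add(ip)   # reactive: listed only after the burst was seen
            passed += limit     # requests up to the limit already got through
        else:
            passed += count
    return passed

def aggregate_alarm(window, baseline=BASELINE, factor=3):
    """Complementary check: flag a window whose total volume far exceeds baseline."""
    return sum(window.values()) > factor * baseline

def run_demo():
    # Constructed traffic: 50 ordinary clients sending 10 requests each.
    normal = {f"198.51.100.{i}": 10 for i in range(50)}
    # Window A: the same clients plus 5 very loud sources.
    loud = {**normal, **{f"203.0.113.{i}": 20000 for i in range(5)}}
    # Window B: the same clients plus 2000 sources, each under the per-IP limit.
    spread = {**normal, **{f"10.{i // 250}.{i % 250}.1": 90 for i in range(2000)}}

    blacklist = set()
    return {
        "normal": static_filter(normal, blacklist),
        "loud_first_hit": static_filter(loud, blacklist),   # damage before the block
        "loud_repeat": static_filter(loud, blacklist),      # tuned config now works
        "spread": static_filter(spread, blacklist),         # tuned config is no help
        "blacklisted": len(blacklist),
        "alarm_normal": aggregate_alarm(normal),
        "alarm_spread": aggregate_alarm(spread),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The blacklist built from window A is useful only if the same sources return; in window B every source stays under the static limit, so only the total-volume check notices anything.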

DIY solutions also greatly struggle with scalability, with their efforts limited by network bandwidth. This makes it nearly impossible to stop network layer attacks.

If literally your only concerns when it comes to DDoS attacks are 1) being able to say you have DDoS protection, and 2) keeping that protection as low-budget as possible, then DIY could be for you. Otherwise, you’re looking at on-premise or off-premise.

Keeping it in-house

The first of the two effective DDoS protection types is on-premise, which is an approach that puts hardware appliances inside of a network, positioning them in front of protected servers. The DDoS protection is literally on the premises of the organization using it. Due to the prohibitive cost, this is generally an approach that only major enterprises or organizations bound to industry standards requiring on-premise protection would prefer, but there are definite pros to this method.

Pros of on-premise DDoS protection

The hardware appliances in on-premise protection are built to work, and work they do. They’re typically loaded with advanced traffic filtering capabilities, making them an effective solution against application-layer attacks. They also tend to have rate limiting capabilities as well as geo-blocking, IP reputation and signature identification, all important components of DDoS mitigation.

Cons of on-premise DDoS protection

The big one was already mentioned: the cost. The hardware itself can be expensive, as can the installation. As far as the actual use goes, on-premise protection requires manual deployment by IT staff, which can significantly slow down response time, possibly allowing the attack to find some measure of success in initial site downtime. And like DIY protection, on-premise protection struggles when it comes to scalability, rendering it less effective against network layer attacks due to network bandwidth limitations.

Head in the clouds

The second main option when it comes to effective DDoS protection is off-premise, either cloud-based or ISP-based. ISP-based solutions generally provide only network layer protection, while cloud-based protection protects against both network layer and application layer attacks. Off-premise protection can be deployed as an always-on or on-demand service. Just as with the on-premise DDoS protection, there are pros and cons to the off-premise approach as well.

Off-premise DDoS protection pros

The biggest con of on-premise is the biggest pro of off-premise. Off-premise DDoS protection is affordable, requiring none of the investment in hardware that on-premise does. Off-premise DDoS protection is also a managed service, so none of an organization’s employees are tasked with overseeing the solution. Those who are in charge of the solution are DDoS attack experts who have dedicated their careers to detecting and protecting against DDoS attacks and have access to always-updated threat intelligence. Off-premise DDoS protection solves the scalability problem by being deployed outside of the network, eliminating the issue of network bandwidth limitations.

Off-premise DDoS protection cons

This is not the approach for control freak organizations. If your organization needs to be in control of every aspect of security, off-premise just won’t work. Likewise, off-premise DDoS protection used on its own isn’t acceptable for organizations required to have on-premise protection by industry-specific standards, unless it is used in hybrid DDoS protection that combines on-premise hardware with cloud-based network layer defense.

The bottom line

Regardless of what kind of DDoS protection you go with, at the end of the day the most important thing is that your website and your business have DDoS protection, period. However, you really should think long and hard before you go the DIY route when it comes to DDoS protection.
