In the last posting about DDoS Mitigation Solutions, I discussed how hardware vendors in the DDoS protection space differ. I highlighted how different companies process data differently using tap vs. flow, the advantages and disadvantages of ASIC vs. commodity CPUs, and the problem of DDoS protection from a scale perspective. The goal around hardware is performance, efficiency and scalability. In this article, I discuss the various cloud approaches to DDoS protection. We often get the same question in this area from customers. “How do you differ from your competitors?” It’s a valid question that I hope I can clarify a little bit in this article.
We have two basic types of cloud-based DDoS protection – providers that mitigate everything (like Staminus) and those that only do websites as a CDN. What works best? In part 2 (this article), I’ll discuss the different cloud approaches.
No single solution is ideal for every customer environment. Because there are many ways to deliver DDoS mitigation, a multitude of approaches can be layered together to serve a particular customer’s specific needs effectively. While one customer may need on-premises appliances, another may need cloud, another may need SSL termination and acceleration, and another may require a combination of different types of services. At the end of the day, what matters is delivering uptime in the face of overwhelming attacks.
One DDoS Mitigation Solution Does Not Fit Everyone
A number of new DDoS mitigation companies have sprung up around the Internet that focus only on protecting websites and provide limited DNS protection. These companies generally leverage Nginx and PowerDNS, often with some modifications to augment their features, security, and performance. This has been of great benefit to Internet users. Often, their security can be obtained inexpensively because delivering it is inexpensive. A common modified Nginx platform is OpenResty. It bundles Nginx with a number of modules to bring some level of protection to the masses, free of charge. This is amazing and has been a huge benefit to owners of webpages, small and large alike. This is good for everyone and advances the technology steadily.
What happens if you need to protect a service other than HTTP or DNS? These providers fall short at that point. Serving anything else is somewhere between challenging and impossible for most of them, so they simply don’t do it. If you’re trying to protect a video game or a VoIP service, you’ll have to look elsewhere. These are real-time services that can’t be cached; the providers’ software is designed to cache content, and real-time traffic is not cacheable. The best way to serve these customers is a private interconnect, GRE tunnels, MPLS, or some other form of pseudowire. A number of cloud providers deliver DDoS protection via these methods, and SD-WAN-Experts’s solution is one of them. SASE Experts also provides on-premises DDoS protection appliances which can protect clients at their respective data centers, but that’s beyond the scope of this article.
So why do they mitigate and deliver service using Nginx when our solution mitigates differently and delivers using an entirely different mechanism? Because it’s easier to become a Web Application Firewall (WAF)-only security provider than an infrastructure-as-a-service (IaaS) DDoS protection provider. Through years of research and development, SASE Experts’s provider has developed an advanced layer 3-7 DDoS protection infrastructure. They spent years and a small fortune building their backbone. This is time consuming and expensive. There are probably another half dozen Nginx-based WAF security vendors coming up this year! It’s really amazing how powerful this software is.
Performance Nightmare
The challenge is that these cloud providers are really just reverse proxies, a technique that has been around for many years. Apache has been able to do this for quite some time, and many have used it to distribute load across farms of backend servers. The cloud providers do put up a web application firewall (WAF) in front of the site, but that’s really it. The complexity and heavy lifting of the DDoS protection is done by the HTTP software. This is dangerously expensive and prone to overload. The software is designed for high-performance serving of content, not for high-performance DDoS protection. That’s not its focus, so that’s not what it’s good at!
What happens when the customer’s website receives a spoofed SYN flood at 100 million packets per second? Nginx/Linux with iptables will have a hard time dealing with this. In reality, any platform will have a hard time dealing with this, but it’s much easier to mitigate this DDoS using a more sophisticated, low-level approach. Once a packet enters the Linux IP stack, quite a number of things happen. By the time it reaches netfilter (iptables), the system has burned a lot of CPU cycles just to get the packet there. Having SYN cookies on helps, but it’s not an end-all. The system may handle 300 thousand packets per second if it’s set up properly. That would mean the cloud vendor needs 333 machines just to handle this attack, let alone all the other legitimate traffic passing through their network. That’s quite a few machines. A similar attack through SASE Experts’s DDoS solution would need about 8 machines.
This is a stark difference in performance. How do we achieve this level of DDoS protection performance? By analyzing the packets outside the operating system! The operating system has quite a few features that we don’t need for what we’re doing. We leverage a proprietary platform to do this so we’re able to look at packets before they touch any operating system hooks and performance impediments. As fast as the operating system may be, it’s performing tons of operations that are simply unnecessary to our environment.
Layer-7 Complexity
By this point, it’s pretty obvious that Layer-3/4 attacks are much better handled by a raw packet analyzer than by application software. How about application layer DDoS attacks? Would Nginx handle these better than our system? Nginx is certainly more feature-rich than what we have. This is because of the immense development scale it has as open source software. Thousands of people have devoted their time to the project. This makes it quite amazing. That’s why our solution also has an Nginx farm of servers all around the world to provide a last level of protection for our HTTP customers.
Unlike most cloud vendors, SASE Experts’s solution doesn’t depend fully on Nginx for all our application layer DDoS mitigation. This is neither a problem nor a benefit. It’s more of a choice in the customer segment they choose to service. These systems are able to break apart packets before they touch the operating system and look at application-level details to detect attacks, not just for HTTP but for all applications. This makes our system extremely versatile for any attack that’s not HTTP-based. This is important. As I mentioned before, we aren’t limited to just HTTP. We have customers all around the world in nearly every industry so we must provide DDoS protection for all attacks.
This gives us two advantages. First, we can service any industry as we can provide application layer DDoS protection for all attacks. Second, we gain performance advantages by bypassing the operating system. These two key components give us huge advantage in the space and allow us to deploy equipment efficiently and effectively.
Layered Approach
This is a concept that has really come to exist in the last few years due to the invention of new technologies around DDoS protection. Whereas ten years ago a company looking to mitigate its DDoS attacks would use only one approach, companies today will use a multitude of approaches in serial fashion – this is called layered DDoS protection. For example, one approach would be to have hyperscale cloud-based DDoS protection from a cloud vendor at the forefront of everything, an on-premises hardware appliance performing scrubbing, a stateful firewall device from Palo Alto, an Nginx caching WAF farm, and an Nginx content serving farm. At every layer, systems and software have the opportunity to catch some portion of the attack.
Threat Sharing and Hyperscale Offload
This is a component of DDoS protection that takes the concept of layering and extends it a bit. This concept comes from SASE Experts’s DDoS partner, and as of writing this article, no other provider is doing this at this scale. Our example will use this solution set.
The idea is that if we have on-premises appliances that are either monitoring (Sentry) or mitigating (Shield) traffic for customers at their remote data centers or points of presence, we are generating threat data based on their traffic flow. This threat data is the same threat data that we generate in our cloud using the same appliances. By leveraging this data and performing bi-directional sharing of abstracted metadata (we destroy the original identifying information), our in-the-cloud and on-premises appliances get better and more complete information over time. This is paramount to rapid application layer mitigation. If we’ve already spent the time building a high severity risk score for a particular attack vector and we see the same vector elsewhere in the world, it’s only logical that we block that attack more rapidly. This is exactly how our system operates and is one of the reasons why our DDoS protection has the fastest TTM (time to mitigate) in the industry. This is backed by an SLA.
The other advantage of seamless hybrid on-premises to in-the-cloud appliance integration is hyperscale offload. When on-premises appliances reach their DDoS protection limit, or some predefined limit as prescribed by the client, the customer traffic can’t just stop functioning. The customer can’t suddenly buy more DDoS protection capacity or network capacity on a whim. That’s where hyperscale offload comes in. The on-premises appliances dynamically swing the traffic to the cloud, allowing the attack to be mitigated with the generated threat intelligence from the on-premises appliances. This is a key component to how SASE Experts’s security solution operates. The client has an end-to-end complete security solution. Not just a set of boxes.
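As an added illustration (not code from SASE Experts or its partner), here is a small Python model of the two mechanisms described above: each node builds a per-vector risk score, shares only abstracted metadata through a common registry, and swings traffic to the cloud once its configured limit is exceeded. The block threshold, the vector fields, the 50K pps baseline and the cloud node’s per-node limit are assumptions; the 300K pps on-premises limit is the figure from the text.

```python
import hashlib
from dataclasses import dataclass, field

BLOCK_SCORE = 3  # assumed severity at which a vector is dropped outright

def vector_id(proto: str, flags: str, size_bucket: str) -> str:
    # Abstracted metadata: only protocol, flags and size bucket are kept;
    # source addresses and ports never leave the appliance.
    return hashlib.sha256(f"{proto}|{flags}|{size_bucket}".encode()).hexdigest()[:16]

@dataclass
class ThreatRegistry:
    """Score store shared bi-directionally by all nodes (assumed design)."""
    scores: dict = field(default_factory=dict)

    def publish(self, vid: str, score: int) -> None:
        self.scores[vid] = max(score, self.scores.get(vid, 0))

    def lookup(self, vid: str) -> int:
        return self.scores.get(vid, 0)

@dataclass
class Appliance:
    """One mitigation node: an on-premises Shield or a cloud scrubber."""
    name: str
    capacity_pps: int            # scrubbing limit configured for this node
    registry: ThreatRegistry
    local: dict = field(default_factory=dict)

    def observe(self, proto, flags, size_bucket, pps, baseline_pps=50_000):
        vid = vector_id(proto, flags, size_bucket)
        if pps > baseline_pps:                 # anomalous rate raises severity
            self.local[vid] = self.local.get(vid, 0) + 1
        score = max(self.local.get(vid, 0), self.registry.lookup(vid))
        if score >= BLOCK_SCORE:
            self.registry.publish(vid, score)  # share what this node learned
            return "block"
        if pps > self.capacity_pps:            # over the limit: hyperscale offload
            return "offload"
        return "allow"

def simulate():
    """Constructed scenario: on-prem learns a SYN-flood vector over three windows; cloud blocks it at once."""
    reg = ThreatRegistry()
    onprem = Appliance("shield-dc1", 300_000, reg)          # 300K pps, as in the text
    cloud = Appliance("cloud-scrubber", 12_500_000, reg)    # assumed per-node cloud limit
    syn = ("tcp", "SYN", "small")
    onprem_actions = [onprem.observe(*syn, pps=200_000) for _ in range(3)]
    cloud_action = cloud.observe(*syn, pps=200_000)
    offload = onprem.observe("udp", "", "large", pps=400_000)  # unseen vector, over limit
    return onprem_actions, cloud_action, offload
```

The on-premises node needs three windows to reach the block score, while the cloud node blocks the same vector on first sight because the score was already shared; a vector it has not scored but that exceeds its limit is offloaded instead of dropped.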
Summary
So how unique is SASE Experts’s DDoS Mitigation Solution in this space? In pure cloud, all the players look the same from a bird’s eye view. We all mitigate and deliver via some mechanism. Where we differ is in our technology and layering approach. This DDoS mitigation solution layers on-premises appliances and cloud together, providing what we call “hybrid DDoS protection”. This gives us tremendous flexibility and performance advantages. By having multiple layers, clients can leverage on-premises appliances when they need to, and offload to the hyperscale DDoS protection cloud when they need to. This reduces always-on latency and provides flexible offloading on demand and automatically. Furthermore, threat sharing and acquisition allow the overall system to perform like one giant worldwide cluster. These are key components of effective DDoS protection. Our ideas in this space seem logical, but are somewhat radical compared to competing vendors. As of writing this article, this approach to DDoS protection is unique in the industry.
Learn more by contacting SASE Experts.
Other postings about DDoS Mitigation:
DDoS Mitigation Solution Differences
DDoS Mitigation Attacks – Important Prevention Tips