One Size Fits None: How to Stop DDoS Attacks with the Right Type of Protection

As anyone who has ever had a younger sibling cover them during a neighborhood snowball fight knows, not all protection is created equal. This is especially true when it comes to protection against DDoS attacks. What might be okay for one website might be a disaster for another, and, as in the case of little Todd vs. the rest of the street, some types of protection just won’t cut it for anyone.

But first, the basics

A DDoS attack is a distributed denial of service attack. It makes use of a botnet, a collection of infected devices such as computers and tablets, which an attacker uses to direct a large amount of malicious traffic at a target website. The aim is to overwhelm the target’s bandwidth or network resources and either take it offline or render it otherwise unusable.

An unusable website is a terrible thing for obvious reasons: it frustrates users, and when it becomes public knowledge that a DDoS attack was behind the outage, it can cause a loss of trust among those users. But it can also have not-so-obvious consequences, like hardware damage and software damage. An attack may also be used as a smokescreen for an intrusion that results in the theft of confidential data.



Three types of protection

The most crucial step you can take to protect your website is one you take before the malicious traffic on your website ever starts to ramp up and your resources start to strain. There are three main types of DDoS protection, and finding and investing in the right one is essential, according to DDoS mitigation services provider Incapsula’s short guide on how to stop DDoS attacks. Start with the right type of protection, and end with zero successful DDoS attacks.

The first type of distributed denial of service protection is do-it-yourself, which is exactly what it sounds like. DIY protection typically relies on using mod_evasive on your server to set static traffic thresholds and on setting up IP blacklists.

The second type of DDoS protection is on-premise, which is protection that consists of hardware appliances placed in front of protected servers and deployed inside of a network. On-premise protection is so named because the protection appliances are literally on the premises. It therefore requires an initial investment in hardware as well as an investment in security personnel to run that hardware.

The third type of DDoS protection is off-premise, which covers solutions that are cloud-based. The hardware involved in these solutions does not belong to the company and is, as you would imagine, located off-premise, so it doesn’t require the investment that on-premise solutions do. These are managed services and also don’t require hired security personnel.



Finding the right fit

If three options sound like a lot to choose from, you can relax knowing that you should probably rule one out right away. DIY distributed denial of service protection is the little Todd of the group and should only be considered if it’s either DIY or nothing. The major benefit of doing it yourself is that it’s cheaper than either of the other two options. However, the drawbacks are striking.

First, DIY protection is reactive in nature: you can only change a configuration to block an attack once the attack has hit, and if the attackers modify their methods you’ll be stuck playing catch-up. Second, DIY solutions almost never have enough network bandwidth to be effective against network layer attacks.
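The following is an added illustration, not mod_evasive’s code and not taken from Incapsula’s guide: a simplified model of the static per-IP threshold and blacklist that DIY protection relies on, run over a constructed traffic sample. The threshold values, function names and addresses (documentation ranges) are assumptions; the point is to compare what the rule blacklists with the load the server still has to serve.

```python
from collections import Counter, defaultdict, deque

def static_threshold_filter(events, max_hits=5, window=1.0, block_for=10.0):
    """Simplified static per-IP threshold with a temporary blacklist.

    events: (timestamp_seconds, source_ip) tuples sorted by time.
    Returns (served_events, set_of_blacklisted_ips).
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    blocked_until = {}            # ip -> time the blacklist entry expires
    served, blacklisted = [], set()
    for ts, ip in events:
        if blocked_until.get(ip, 0.0) > ts:
            continue              # still blacklisted: request dropped
        hits = recent[ip]
        while hits and ts - hits[0] >= window:
            hits.popleft()        # forget requests older than the window
        hits.append(ts)
        if len(hits) > max_hits:  # threshold crossed: blacklist and drop
            blocked_until[ip] = ts + block_for
            blacklisted.add(ip)
            continue
        served.append((ts, ip))
    return served, blacklisted

def peak_served_per_second(served):
    """Highest number of served requests in any one-second bucket."""
    buckets = Counter(int(ts) for ts, _ in served)
    return max(buckets.values(), default=0)

def constructed_traffic():
    """Constructed sample: one heavy client plus 200 light ones, 3 seconds."""
    events = [(i * 0.05, "198.51.100.7") for i in range(60)]   # 20 req/s
    for n in range(200):                                       # 2 req/s each
        ip = f"203.0.113.{n}"
        events += [(s + 0.5 * k + n / 1000, ip)
                   for s in range(3) for k in range(2)]
    return sorted(events)

if __name__ == "__main__":
    served, blacklisted = static_threshold_filter(constructed_traffic())
    print("blacklisted:", sorted(blacklisted))
    print("requests served:", len(served))
    print("peak served per second:", peak_served_per_second(served))
```

A per-IP rule only sees one source at a time, so the aggregate served rate is the number to monitor alongside it.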

On-premise protection is, of course, a major step up from DIY. It is generally excellent at traffic filtering, which makes it a good option for protecting against application layer attacks. However, as with DIY protection, it tends to fail when it comes to network layer attacks due to bandwidth limitations, though this can be overcome by supplementing with cloud-based protection. On-premise protection also requires manual deployment, which can waste valuable time.

The biggest drawback of on-premise protection is its price tag. Both the hardware and the personnel who run it are expensive. Unless your industry demands on-premise protection, it probably isn’t the best option.

Off-premise or cloud-based solutions are as close as it gets to one-size-fits-all DDoS protection. They stop both application and network layer attacks, are infinitely scalable, and are much more cost-efficient than on-premise solutions as they do not require the purchase of hardware or the hiring of personnel. Furthermore, premium cloud-based protection providers offer both on-demand and always-on options to help meet the time-to-deployment needs of a wide range of websites and companies.

The good old days

While some protection is admittedly better than none, having the wrong type of distributed denial of service protection will have you longing for the good old days when you were rolling in a yard getting pounded by snowballs. For most websites, having the right protection will mean looking to the cloud, but it’s imperative you know your budget, your industry and your needs before you make any decisions.