Passengers getting off a 20-passenger plane in a remote Chinese city were greeted by an odd sight: a rack holding a dozen metal buckets. A closer inspection revealed that the buckets were filled with water, and the passengers realized they were looking at the airfield’s “firefighting equipment.”
ISPs and data centers facing damaging and costly DDoS attacks may not be in the same quixotic position that firefighters at the Chinese airfield would have faced if a fire had broken out. But the days of IT departments and service providers being able to battle determined hackers with the equivalent of twelve buckets of water are long gone, though many still rely on the outdated “bucket” protection.
Those responsible for operating and maintaining server networks must always be vigilant and proactive, particularly when it comes to DDoS attack prevention. But if they aren’t able to properly mitigate attacks, either in-house or with remote DDoS protection services, they’re completely missing the boat (or to fit our analogy, the plane). They’re really just filling the buckets on the rack, while neglecting the high-powered water hoses and foam they’ll need in a real emergency.
Here’s how remote network DDoS protection, provided by sophisticated network security professional organizations like Sharktech, fits seamlessly into a modern data center’s attack mitigation plans.
Prevention versus Mitigation
We’ll begin with another analogy. A conscientious homeowner will do everything possible to prevent pests from getting into his house. If a serious infestation does break out, however, it’s incumbent on the homeowner to realize when he’s overmatched – and to call in the exterminators.
As we’ve noted in previous articles, well-run ISPs and data centers spend a great deal of time, effort and money to prevent DDoS attacks. Proper configuration of firewalls, routers, load balancers and other defensive systems, constant patching of systems and applications, and rigorous attention to securing vulnerable ports and network holes against malicious packets are among the regular procedures a well-trained IT staff will take on a continuing basis. When done properly, these steps help “prevent pests from getting into the house.”
But most operations are unable to mitigate attacks properly once they begin, because of the number, complexity and sheer size of today’s DDoS blasts. The hardware and software required to effectively filter and scrub malicious traffic, while keeping servers and networks up and running, can easily cost hundreds of thousands of dollars over and above the normal costs of running a data center. That’s an expense most companies simply can’t afford.
And there’s one important difference between our homeowner with the pest infestation and a data center hit by a DDoS. The homeowner can call an exterminator once he discovers the problem, and the additional damage done by the pests until the exterminator goes to work will be minor. Once an ISP discovers that a DDoS is underway, however, it’s way too late to prevent extensive and costly consequences. If a mitigation plan isn’t already in place, those consequences are likely to be disastrous.
How disastrous? Researchers at the Ponemon Institute have found that the typical DDoS attack doesn’t just affect one server. It shuts down the entire data center in about one-third of instances and part of the data center almost 50% of the time, with those outages lasting an average of nine hours. And the average cost of a DDoS attack has been estimated at approximately $40,000 per hour – with major corporations saying a major blast can cost them ten times that amount.
So any data center or ISP without extensive traffic monitoring, filtering and scrubbing systems is taking an enormous risk. Thankfully, it’s simple for them to “outsource” that task at a fraction of the cost of building an in-house operation.
How Data Centers and ISPs Can Adopt Remote Network DDoS Protection
Ready for one more tortured analogy? When your child has the flu, you keep her home from school so she’s kept far away from other kids who could easily be infected. And when malicious DDoS traffic starts arriving at a data center or ISP, your first reaction should be to keep that traffic as far away from your infrastructure as possible. That’s a major benefit of proactively engaging the remote DDoS protection services provided by top-tier companies like Sharktech.
As soon as an attack is detected, BGP and/or Anycast technology is utilized to immediately route all worldwide inbound traffic away from your ISP or data center, sending it instead into the Sharktech scrubbing cloud. This immediately preserves the integrity and uptime of your servers, while the traffic is being profiled and identified as legitimate, suspicious or malicious.
Legitimate traffic is immediately sent back to the data center or ISP through extremely fast GRE tunnels so it can be served with virtually no lag. Questionable or malicious traffic is kept in the cloud and further examined, with the scrubbing system instituting all necessary rule-sets and bans to prevent “bad” traffic from reaching its destination and doing its intended damage. And all clients benefit from the information base built by the scrubbing system.
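The flow described above can be modelled in a few lines. This is an added example, not Sharktech's code: it assumes diversion is done by the scrubbing provider announcing a more-specific prefix (one common BGP method; the article does not say which is used), reduces traffic profiling to a source ban list, and uses constructed addresses from reserved test ranges.

```python
import ipaddress

GRE_OVERHEAD = 24  # bytes: 20-byte outer IPv4 header + 4-byte basic GRE header

def best_route(rib, dst):
    """Longest-prefix match: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in rib.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def start_diversion(rib, prefix):
    """Assumed diversion method: scrubber announces a more-specific prefix."""
    rib[ipaddress.ip_network(prefix)] = "scrubbing-cloud"

def classify(pkt, banned_sources):
    """Stand-in for traffic profiling: only a source ban list is modelled."""
    return "malicious" if pkt["src"] in banned_sources else "legitimate"

def deliver(pkt, rib, banned_sources, tunnel_mtu=1500):
    """Return (where the packet ends up, what happened to it)."""
    hop = best_route(rib, pkt["dst"])
    if hop != "scrubbing-cloud":
        return (hop, "unfiltered")
    if classify(pkt, banned_sources) != "legitimate":
        return ("scrubbing-cloud", "dropped")
    # Clean traffic returns over GRE; it must still fit after encapsulation.
    if pkt["size"] + GRE_OVERHEAD > tunnel_mtu:
        return ("gre-tunnel", "needs-fragmentation")
    return ("gre-tunnel", "forwarded")

# Constructed sample data using reserved test ranges (RFC 2544, RFC 5737).
def demo():
    rib = {ipaddress.ip_network("198.18.0.0/22"): "origin-datacenter"}
    banned = {"203.0.113.66"}
    flood = {"src": "203.0.113.66", "dst": "198.18.1.10", "size": 64}
    user = {"src": "192.0.2.7", "dst": "198.18.1.10", "size": 1200}
    big = {"src": "192.0.2.7", "dst": "198.18.1.10", "size": 1490}
    before = deliver(flood, rib, banned)
    start_diversion(rib, "198.18.1.0/24")
    return before, [deliver(p, rib, banned) for p in (flood, user, big)]

if __name__ == "__main__":
    print(demo())
```

The third sample packet shows the practical catch with GRE return paths: encapsulation adds 24 bytes, so operators typically lower the tunnel MTU or clamp TCP MSS to keep full-size packets from fragmenting.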
The bottom line is that the DDoS attack is quickly mitigated. Your servers aren’t taken down – they function as usual to serve real visitors and customers while malicious traffic is sent far, far away where it can’t do any damage. The service is nearly instantaneous once it’s activated, and it’s supervised and supported 24 hours a day by experienced Internet security professionals and DDoS experts.
Sharktech and similar companies take this system even a step further; it not only can be used as an “insurance policy” and activated as soon as an attack begins, but it can be “always on” to scrub all traffic (or certain types of traffic) on a continuous basis. The latter approach is more expensive, of course, but is the greatest DDoS mitigation security blanket any data center or ISP could ever want.
There is no special hardware required for a service provider or data center to utilize remote network DDoS protection; it’s simply a matter of network configuration. And Sharktech’s scrubbing services are priced “per attack” with no setup costs. No matter how virulent a DDoS attack is or how long it lasts, clients are fully covered for one flat fee.
DDoS attacks continue to increase at a mind-boggling rate; Verisign reports that the number of known incidents increased 111% from the first quarter of 2015 to the first quarter of 2016. And those responsible for protecting their server installations and networks can no longer rely on the IT equivalent of “buckets of water,” nor can they simply “call the exterminator” once they’ve discovered they have a serious problem.
Rigorous in-house DDoS prevention strategies, combined with the use of remote network DDoS protection services, comprise the two-scale approach required in the face of the ever-increasing threat these attacks pose to companies’ operations and their bottom lines.