“DDoS protection?” we hear you say. “Isn’t that included when I pay those enormous hosting bills every month?” Or “Isn’t that why I pay those huge IT department bills and salaries?”
Well, sort of. But the hard truths are that hackers and attackers are far more sophisticated than they used to be, and battling the types and scales of DDoS attacks commonly seen today requires a lot more than “traditional” data center approaches to traffic scrubbing.
The Difficulty of Fighting DDoS Attacks
The average DDoS now hits nearly 7 Gbps and lasts for six to 24 hours, a volume and duration very few service providers or IT departments can handle. And the “largest” volumetric DDoS in history, as of this writing, topped 600 Gbps in bandwidth – a level nearly impossible to comprehend. Add to that the more advanced protocol and layer-7 (application-layer) attacks that are becoming more common and are harder to defend against, and your monthly spending doesn’t come close to providing you with the full protection you need.
You shouldn’t convince yourself that technology will eventually catch up with the bad guys to make DDoSing a thing of the past, either. Not only are attacks increasing in size and number every year, but those with malicious intent (for whatever reason) can easily find plenty of online hackers willing to launch a DDoS for them for less than $200.
Fighting off DDoS attacks in the modern environment is so difficult that it could cost hundreds of thousands (or even millions) of dollars to purchase all of the necessary hardware, software and networking equipment, and that doesn’t count the highly-paid expert and experienced IT staffers familiar with effective DDoS mitigation techniques.
It’s true that very large companies operating their own data centers could theoretically justify those types of costs. After all, studies show that the average DDoS attack often costs a large company $500,000 or more in lost revenue, not to mention the long-lasting damage to customer trust, ancillary expenses for IT consultants and lawyers, and the possible compromise or loss of company and client data.
However, there’s a more efficient and cost-effective way to approach the problem: combining your own in-house or ISP’s DDoS prevention and monitoring techniques with remote network DDoS protection, provided by experienced professionals like the ones at Sharktech.
How Remote Network DDoS Protection Works
Remote DDoS protection works by placing “protective middlemen” between a server’s incoming traffic and the network infrastructure. At the first sign of a DDoS attack, all traffic is diverted to remote computers in the cloud acting as those “middlemen” – far away from the server and its network. The traffic is profiled, categorized and scrubbed, and legitimate visitors are then sent right back to the server for website access while the malicious traffic is never allowed anywhere near your infrastructure. The process is lightning-fast so there’s no noticeable lag for the “clean” traffic, and there’s no service interruption or server downtime.
Just as impressive is the fact that this is a smart system able to provide long-term protection. The intelligent scrubbing software learns in real-time as it profiles traffic, instituting new IP bans and rule-sets to permanently deny access to malicious traffic. It also protects all clients against the bad traffic that’s been faced by any client under DDoS attack. And if the system is run by top-level personnel like the ones at Sharktech, custom solutions are implemented to protect against the zero-day attacks that most DDoS protection schemes can’t handle.
The scrubbing can be configured so that it’s either always on, only diverts questionable traffic, or just kicks in at the start of an actual attack. That allows each client to decide whether they desire proactive and constant remote DDoS protection (which naturally is more expensive), or simply want to utilize the service when an attack has begun. Pricing is determined according to a client’s needs, but the best remote network DDoS protection services charge flat rates, rather than charging by the size or duration of each attack. Once the system is engaged, it works to divert and scrub traffic for as long as necessary.
The effectiveness of any solution is largely dependent on its use of the most modern technology available, and Sharktech’s approach to remote network DDoS protection relies on state-of-the-art BGP, GRE and Anycast systems.
- BGP (Border Gateway Protocol) is a dynamic protocol which deals with Internet routing, and is commonly used to help direct traffic via network backbones by the most efficient path from origin to destination. When an attack begins, it is able to immediately announce the diversion of all traffic headed for a DDoS target to the cloud scrubbing center, so all incoming traffic can be cleared before being sent on to the destination.
- Anycast is the system that allows a number of servers to share the same IP address, and is widely used to allow the use of data centers in multiple locations. It is also effective at absorbing the initial brunt of a DDoS attack by distributing traffic evenly, and then ensuring that DDoS traffic is all sent to the scrubbing center.
- GRE (Generic Routing Encapsulation) tunnels are a method of point-to-point traffic transfer between two networks, whether or not they are using compatible protocols. In other words, they’re the fastest way to route scrubbed traffic from the cloud back to any destination server so that there’s no noticeable lag time for website users.
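To make the GRE return path in the list above concrete, the following added example (not Sharktech's code or configuration) wraps a cleaned IPv4 packet in the basic GRE header defined by RFC 2784 and unwraps it at the origin, accepting it only from the expected tunnel peer. The addresses, function names and the peer check are assumptions for illustration; the example also shows the 24 bytes the tunnel adds to every packet, which is why the TCP MSS is usually lowered on tunnelled paths.

```python
import socket
import struct

IPPROTO_GRE = 47         # IP protocol number for GRE
GRE_PROTO_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload (RFC 2784)
GRE_OVERHEAD = 20 + 4    # outer IPv4 header + basic GRE header, in bytes

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over a header with a valid checksum."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: no options, DF set, TTL 64."""
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(inner: bytes, scrubber: str, origin: str) -> bytes:
    """Scrubbing-center side: wrap a cleaned packet for the tunnel to the origin."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no checksum/key/sequence, version 0
    outer = ipv4_header(scrubber, origin, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet: bytes, expected_peer: str) -> bytes:
    """Origin side: accept GRE only from the known tunnel peer, return the inner packet."""
    if len(packet) < 24:
        raise ValueError("truncated packet")
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    if socket.inet_ntoa(packet[12:16]) != expected_peer:
        raise ValueError("GRE from unexpected source")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]

def clamped_mss(path_mtu: int = 1500) -> int:
    """Largest TCP MSS that fits in the tunnel unfragmented (inner IPv4 + TCP = 40)."""
    return path_mtu - GRE_OVERHEAD - 40

# Constructed sample (RFC 5737 documentation addresses): a 1500-byte clean packet.
inner_pkt = ipv4_header("198.51.100.7", "203.0.113.10", 6, 1480) + bytes(1480)
tunnelled = gre_encapsulate(inner_pkt, "192.0.2.1", "203.0.113.1")
print(len(inner_pkt), len(tunnelled), clamped_mss())  # 1500 1524 1436
```

A full-size 1500-byte packet becomes 1524 bytes inside the tunnel, so without a lowered MSS (1436 here) it would have to be fragmented or dropped on a standard 1500-byte path.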
A Coordinated Strategy for DDoS Protection
Using remote DDoS network protection isn’t a “one-stop shop” for preventing and mitigating DDoS attacks. Your ISP or data center must be constantly proactive by regularly installing patches and upgrades, properly configuring firewalls, load balancers and other protection tools, closing all obvious network holes (for example, blocking ICMP, denying UDP port 53 packets and dropping junk packets) and constantly monitoring network flow for suspicious traffic behavior, whether that’s done by techs or an automated solution.
But when the time comes (and unfortunately, it’s nearly inevitable) that you’re targeted, remote DDoS network protection is a crucial mitigation tool to make sure your network stays up and available.
If your ISP or data center doesn’t currently use remote DDoS protection, it should. We’ll take a look at how it can be implemented in our final installment.
Sharktech is a private company founded in 2003 by CEO and DDoS Protection Pioneer Tim Timrawi. The company has more than 25 employees throughout its headquarters in Las Vegas, Nevada, and data center facilities in Los Angeles, CA, Denver, CO, Chicago, IL, and Amsterdam, Netherlands.