Customer Premise vs Network Based DDoS Defense Solutions

What is a Customer Premise DDoS Defense Solution?

A Customer Premise solution is defined as deployment of DDoS defense equipment beyond the SP WAN egress demarcation point. These solutions may either be within colocation space at an IDC or physically on the customer premises.

What is a Network Based DDoS Defense Solution?

A Network Based DDoS solution is defined as deployment of DDoS defense equipment within the SP network. Traffic cleaning occurs prior to customer last mile hand-off.

What are the challenges associated with Customer Premise DDoS Defense Solutions?

There are two main challenges associated with Customer Premise DDoS Defense Solutions:

1. WAN Bandwidth Sizing: Today, typical attacks are high in bandwidth and can easily scale to several Gbps. These DDoS bandwidth attacks consume resources such as network bandwidth or equipment by overwhelming one or the other (or both) with a high volume of packets. While there is no single profile of a DDoS attack, many bandwidth attacks have been reported in the 1 to 3 Gbps range with hundreds of thousands of zombies or clients targeting e-business Internet accessible resources. DDoS and Day Zero attacks, however, are exponentially growing in both frequency and magnitude. DDoS attacks will continue to grow in scale and severity thanks to increasingly powerful (and readily available) attack tools, the Internet’s multiple points of vulnerability, and businesses’ increasing dependence on the Internet. Since traffic cleaning occurs on the customer premises, the Customer Premise DDoS defense solution requires the WAN pipe to be sized to support both legitimate and attack traffic. The customer is now responsible for estimating required current and future bandwidth in a rapidly changing environment. An error in estimating required bandwidth will render the DDoS defense solution ineffective and leave critical e-commerce resources impacted or unavailable.

2. Disaster Planning One-Time / Recurring Costs: In order to have on-premises mitigation, the customer must contract for the full expected burstable rate when under attack. Depending on its risk profile, a company may choose to contract for 2X to 4X the bandwidth required for legitimate traffic. This bandwidth requirement makes the on-premise solution extremely expensive, particularly when compared to an upstream managed service. Further, many e-business corporations deploy critical e-business resources in diverse physical locations for both load balancing and disaster recovery. To ensure the efficacy of these resources, WAN bandwidth to support both legitimate and attack traffic, DDoS defense equipment and any underlying switches and routers will need to be replicated at each critical site.

What are the benefits of a Network Based DDoS Defense Solution?

Network based DDoS defense allows businesses to benefit from the Service Provider’s underlying network capacity. Attacks are mitigated in the network. Customers purchase only the bandwidth required for legitimate transactions; network integrity is preserved without customer bandwidth overprovisioning. Further, since DDoS defense solutions are deployed within the network, corporations avoid the incremental costs of replicating the solution across multiple e-commerce locations or data centers.