Home / Blogs

Can Hybrid DDoS Mitigation Stop Large Application Layer Attacks?

We recently received an email from a customer asking about hybrid DDoS mitigation and its ability to stop large application layer attacks.

Here’s the truth: Hybrid DDoS mitigation works and can stop large application layer attacks. Hybrid DDoS mitigation typically involves a purpose-built DDoS mitigation appliance or software on dedicated hardware that sits immediately in front of or behind an enterprise’s edge router. This type of mitigation is great at stopping low and slow attacks, small probing attacks, and many application-layer attacks on premise.

The local DDoS mitigation appliance can even stop larger volumetric or application layer attacks if an enterprise has large Internet access pipes, a lot of overhead on those pipes, and a DDoS mitigation appliance with high throughput and mitigation capacity. When the local appliance or Internet capacity are nearing a circuit, bits per second, or packets per second threshold, traffic destined for the attacked resource can be redirected to the cloud-based DDoS mitigation hardware that is part of the hybrid solution.

Better hybrid solutions share state and mitigation information between the local appliance and the cloud-based platform. Many of those hybrid solutions allow both learned and manually-set thresholds for failover from local to cloud-based mitigation. This failover can be manually triggered or fully automated to provide a seamless, proactive experience. The best hybrid solutions offer a full set of layer 3 through 7 countermeasures on the local mitigation appliance that are comparable to the countermeasures in the much higher capacity cloud-based platform.

Intelligent, application-layer DDoS attacks (such as HTTP GETs targeting specific objects on a webpage and designed to bog down a web server) are getting larger—even approaching 10Gbps, while we have seen larger volumetric (layer 3 / 4) DDoS attacks even 400Gbps or higher for several years. Application-layer attacks generally require more granular countermeasures and greater expertise to mitigate, and will drive CPU utilization higher on the targeted system or attempt to saturate the connections per second.

Publicizing that a hybrid DDoS mitigation solution could not deal with a larger application-layer attack makes a couple of faulty assumptions about the nature of Internet protocols and the OSI model (Open Systems Interconnection framework that characterizes the nature of protocol interactions).

Take, for example, a very large HTTP GET application-layer attack. Most DDoS attacks can be mitigated in a number of different ways based on preset thresholds or tuned countermeasures. The mitigation tool or countermeasure chosen depends both on the nature of the attack and the nature of the enterprise’s normal traffic. The local DDoS mitigation appliance in a hybrid scenario can mitigate before or after the session is established, up to its scrubbing throughput or local Internet capacity. Any assertion that a DDoS mitigation appliance can only mitigate an established TCP session is therefore false. SYN reset or SYN authentication could be performed in a variety of different ways. HTTP traffic does not need to be mitigated at layer 7. It could be mitigated at layer 4.

In short, hybrid DDoS mitigation does work. And like everything else, it functions best when done properly.

By Bryant Rump, IP Applications and Security Professional

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global