We recently received an email from a customer asking about hybrid DDoS mitigation and its ability to stop large application layer attacks.

Here’s the truth: Hybrid DDoS mitigation works and can stop large application layer attacks. Hybrid DDoS mitigation typically involves a purpose-built DDoS mitigation appliance or software on dedicated hardware that sits immediately in front of or behind an enterprise’s edge router. This type of mitigation is great at stopping low and slow attacks, small probing attacks, and many application-layer attacks on premise.

The local DDoS mitigation appliance can even stop larger volumetric or application layer attacks if an enterprise has large Internet access pipes, a lot of overhead on those pipes, and a DDoS mitigation appliance with high throughput and mitigation capacity. When the local appliance or Internet capacity are nearing a circuit, bits per second, or packets per second threshold, traffic destined for the attacked resource can be redirected to the cloud-based DDoS mitigation hardware that is part of the hybrid solution.

Better hybrid solutions share state and mitigation information between the local appliance and the cloud-based platform. Many of those hybrid solutions allow both learned and manually-set thresholds for failover from local to cloud-based mitigation. This failover can be manually triggered or fully automated to provide a seamless, proactive experience. The best hybrid solutions offer a full set of layer 3 through 7 countermeasures on the local mitigation appliance that are comparable to the countermeasures in the much higher capacity cloud-based platform.

Intelligent, application-layer DDoS attacks (such as HTTP GETs targeting specific objects on a webpage and designed to bog down a web server) are getting larger—even approaching 10Gbps, while we have seen larger volumetric (layer 3 / 4) DDoS attacks even 400Gbps or higher for several years. Application-layer attacks generally require more granular countermeasures and greater expertise to mitigate, and will drive CPU utilization higher on the targeted system or attempt to saturate the connections per second.

Publicizing that a hybrid DDoS mitigation solution could not deal with a larger application-layer attack makes a couple of faulty assumptions about the nature of Internet protocols and the OSI model (Open Systems Interconnection framework that characterizes the nature of protocol interactions).

Take, for example, a very large HTTP GET application-layer attack. Most DDoS attacks can be mitigated in a number of different ways based on preset thresholds or tuned countermeasures. The mitigation tool or countermeasure chosen depends both on the nature of the attack and the nature of the enterprise’s normal traffic. The local DDoS mitigation appliance in a hybrid scenario can mitigate before or after the session is established, up to its scrubbing throughput or local Internet capacity. Any assertion that a DDoS mitigation appliance can only mitigate an established TCP session is therefore false. SYN reset or SYN authentication could be performed in a variety of different ways. HTTP traffic does not need to be mitigated at layer 7. It could be mitigated at layer 4.

In short, hybrid DDoS mitigation does work. And like everything else, it functions best when done properly.