In-line or out-of-path (on-demand) DDoS protection mode
Networking and security have always been at odds. On a fundamental level, the goal of the networking group is to move the good packets from one host to the next, while the security group's job is to stop the bad ones from getting to the next host. Between these two ideals lies an efficient and secure network, and getting to that optimal middle ground is often a challenge.
Managing network security and performance often feels like a balancing act. It is a matter of risk calculation to find out which protection method is best for your IP subnets and/or application. Of course, it is best to configure the security layer in detail for the IP addresses and applications it protects. But in some situations those goals are unknown upfront or just unclear. For example, when you are a hosting company protecting the unmanaged servers of your clients and you do not know what they are hosting, or when you provide internet access to your clients and you do not know which services they will access, your protection needs will be totally different from those of securing your own managed IP application.
There are two protection scenarios: in-line and out-of-path (on-demand). In general, in-line protection is the best choice if you can use it, but roughly speaking, for 20% of users out-of-path protection will be better. Each has its pros and cons; let's see which fits you best.
Haitham Moghrabi
1st line NOC support
___________________________________________________________________________________________________________________________________________
In-line DDoS protection
Using in-line DDoS protection is the simplest way to put an external DDoS protection layer in front of your own infrastructure. An IP subnet is enabled by hand or via the API, and all incoming traffic to it passes through the protection cloud, while the outgoing traffic is never routed through the protection cloud. All incoming traffic is inspected and all dirty traffic is mitigated.
Advantages:
- Fast detection.
- Fast mitigation of a DDoS attack.
- No network hiccups from the start of a DDoS attack.
- Ability to use a learning mechanism to adjust the protection configuration automatically.
- Protection against non-volumetric DDoS attacks.
- Ability to use real Layer 7 security services, for example 302-redirect or CAPTCHA challenges.
- Ability to use other services like Badbot blocking and Web Application Firewalling.
- No need for extra hardware like flow analyzers and BGP tools.
Disadvantages:
- A higher chance of false positives caused by abnormal traffic patterns from the protected IP.
- Slightly more latency.
___________________________________________________________________________________________________________________________________________
Out of path (on demand) DDoS protection
Enabling or disabling IP subnets for protection can be performed through the Serverius control panel or API. Acting manually will, in some cases, not be a solution, because humans will be too late and do not have the knowledge that machine learning has. Therefore, in out-of-path setups a flow analyzer with BGP injection capabilities is needed to automate DDoS protection. Based on the router flows it needs to detect the attack, enable the attacked IP in the protection cloud and change the BGP routing so that the incoming traffic for the IP's /24 subnet goes through the protection cloud, while only the /32 that is under attack is filtered.
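The detect-then-divert workflow described above, reduced to its three steps, as an added example that is not Serverius code. It assumes router flow exports have already been reduced to plain text lines (the sample below is constructed, using documentation address space), that the thresholds are per-destination /32 volumetric limits chosen for the example, and that the protection cloud is driven by two hypothetical actions: announcing the covering /24 via the scrubbing cloud and filtering only the attacked /32.

```python
"""Out-of-path DDoS detection and BGP diversion, simplified.

Added example, not Serverius code. Flow records, thresholds and the
'announce /24, filter /32' actions are assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records (one line per flow, one 60 s export window).
# Fields: dst=<destination IP> bytes=<octets> pkts=<packets>
FLOW_EXPORT = """\
dst=203.0.113.7 bytes=3000000000 pkts=2500000
dst=203.0.113.7 bytes=3000000000 pkts=2500000
dst=203.0.113.7 bytes=3000000000 pkts=2500000
dst=203.0.113.20 bytes=600000000 pkts=500000
dst=198.51.100.5 bytes=75000000 pkts=60000
"""

WINDOW_S = 60                   # flow export interval assumed for the sample
BPS_THRESHOLD = 1_000_000_000   # 1 Gbit/s per destination /32 (assumed)
PPS_THRESHOLD = 500_000         # 500 kpps per destination /32 (assumed)


def parse_flows(text):
    """Parse 'key=value' flow lines into (dst, bytes, pkts) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        flows.append((ipaddress.ip_address(kv["dst"]), int(kv["bytes"]), int(kv["pkts"])))
    return flows


def rates_per_host(flows, window_s=WINDOW_S):
    """Aggregate flows per destination /32 into (bit/s, packets/s) over the window."""
    totals = defaultdict(lambda: [0, 0])
    for dst, nbytes, pkts in flows:
        totals[dst][0] += nbytes
        totals[dst][1] += pkts
    return {dst: (b * 8 / window_s, p / window_s) for dst, (b, p) in totals.items()}


def detect_attacked_hosts(flows, bps_threshold=BPS_THRESHOLD, pps_threshold=PPS_THRESHOLD):
    """Return the /32s whose inbound rate exceeds either volumetric threshold.

    Detection is only as fine as the flow export interval: with a 60 s
    window an attack is noticed at best a minute after it starts, which is
    the 'slow detection' that out-of-path protection implies.
    """
    hits = []
    for dst, (bps, pps) in rates_per_host(flows).items():
        if bps >= bps_threshold or pps >= pps_threshold:
            hits.append(dst)
    return sorted(hits)


def plan_diversion(attacked_hosts):
    """Map each attacked /32 to the /24 that must be re-announced.

    A /24 is the longest IPv4 prefix generally accepted in the global
    routing table, so the whole /24 is announced through the protection
    cloud while the cloud scrubs only the listed /32s; the other hosts in
    that /24 are forwarded uninspected.
    """
    plan = defaultdict(list)
    for host in attacked_hosts:
        covering = ipaddress.ip_network(f"{host}/24", strict=False)
        plan[str(covering)].append(f"{host}/32")
    return dict(plan)


def main():
    flows = parse_flows(FLOW_EXPORT)
    attacked = detect_attacked_hosts(flows)
    for prefix, hosts in plan_diversion(attacked).items():
        # Hypothetical actions; a real deployment would call the BGP
        # injector and the protection-cloud API here.
        print(f"announce {prefix} via protection cloud; filter {', '.join(hosts)}")


if __name__ == "__main__":
    main()
```

With the constructed sample, only 203.0.113.7 crosses the 1 Gbit/s line (9 GB in 60 s is 1.2 Gbit/s), so the plan announces 203.0.113.0/24 through the cloud and filters 203.0.113.7/32 alone; 203.0.113.20 stays in the diverted /24 but is not inspected. The gap between the end of the export window and the moment the new announcement has propagated is exactly the period of "network hiccups" the disadvantages below refer to.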
Advantages:
- Usable for protection against volumetric attacks only. Suitable for unmanaged client hosting services and internet access providers.
- No extra latency when not under attack (because traffic is not inspected).
- Lower risk of false positives during detection.
Disadvantages:
- Slow detection.
- Mitigation takes time because, after a DDoS attack starts, the BGP route needs to be announced and the IPs added to the protection. The result is network hiccups from the start of a DDoS attack until the attack is mitigated.
- No learning mechanism to adjust the protection configuration automatically.
- Only for volumetric DDoS attacks. No Layer 7 security services against slow (low-volume) attacks are possible.
- Not able to use other services like Badbot blocking and Web Application Firewalling.
- Extra hardware like flow analyzers and BGP tools is needed to detect attacks and enable protection.
___________________________________________________________________________________________________________________________________________
The optimal solution always depends on the kind of service that should be protected. In some cases it is easy to decide, but in others deeper considerations must be taken into account to balance performance and protection as far as possible.