DDoS Mitigation Solution Differences

One of the most common questions we receive about DDoS mitigation solutions is “how does your solution differ from company xyz?”. This is a pretty loaded question. On the one hand, we want to be unbiased and give you a comprehensive and honest answer. We want to empower you with the right information so you can make an informed decision. Each company is different and because we service both the hardware appliance and the cloud mitigation space, the question becomes a bit more complicated to answer.

In essence, we have two types of DDoS mitigation solutions: hardware and cloud. In the cloud, we have two types: providers that mitigate everything and those that only protect websites as a CDN. In hardware, we have two general types as well: those that tap raw data and those that utilize flow samples. So how does our solution differ from others? Is there an ideal solution? What works best? In part 1 (this article), I’ll discuss the different hardware approaches. In part 2, I’ll discuss the different cloud approaches.

No single DDoS mitigation solution is ideal for every customer environment. Because there’s a variety of ways to deliver DDoS mitigation, a multitude of approaches can be layered together in a unique fashion that serves a particular customer’s specific needs effectively. While some customers may need on-premises appliances, another may need cloud, and another may need SSL termination and acceleration. At the end of the day, what matters is delivering uptime in the face of overwhelming attacks.

DDoS Mitigation Using Flow Data – The Problem

Flow is the consecutive sampling of network data traffic in pre-determined chunks. Flow export protocols such as sFlow or Cisco’s NetFlow allow routers to abstract network traffic and send it to a flow collector. The flow collector then projects that sampled data onto the entire sample space, thereby providing what it believes to be an approximate representation of the network.

Flow collection works great when your data set is deterministic. If you have a great deal of web traffic, for example TCP packets coming and going from port 80, and you sample 1 out of 2048 packets, you have a high probability of producing accurate results. You’ll know that the majority of your traffic is web. However, if you happen to have some FTP or mail in the mix, there’s a chance it will get lost. This is the folly of flow analysis.

If your traffic is not predictable, flow analysis will not produce accurate results very quickly. It takes quite a bit of time for anomalous traffic to show up in the flow analysis. Furthermore, flow analysis does not allow for accurate representation of Layer-7 application data in network traffic, because a flow record carries ports and counters, not payload. This means that application layer DDoS mitigation using flow analysis is nearly impossible!
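To make the sampling problem concrete, here is a small simulation added for this article (it is not code from the SD-WAN-Experts product). It builds a constructed packet stream, runs a router-style 1-in-2048 sampled flow view and a tap-style full-inspection view over it, and shows that the flow view estimates the port-80 volume well but never sees the small FTP share and cannot tell a single-source HTTP flood apart from normal web traffic. The counter-based sampler, the packet layout and the 300-request threshold are assumptions made for the example.

```python
from collections import Counter

SAMPLE_RATE = 2048  # 1 packet in 2048, the rate used in the article

def build_stream(total=16 * 2048):
    """Constructed traffic: mostly GET / to port 80 from 200 clients, a small
    FTP share (~0.4 %) and one source hammering a single expensive URI."""
    pkts = []
    for i in range(total):
        if i % 64 == 63:                      # 512 attack requests, one source
            pkts.append(("203.0.113.7", 80, "GET /search?q=x HTTP/1.1"))
        elif i % 256 == 128:                  # 128 FTP packets
            pkts.append((f"10.0.0.{i % 200}", 21, "RETR file.bin"))
        else:                                 # ~32k ordinary web packets
            pkts.append((f"10.0.0.{i % 200}", 80, "GET / HTTP/1.1"))
    return pkts

def flow_view(pkts, rate=SAMPLE_RATE):
    """Sampled flow view (assumed counter-based 1:N sampler): keep every
    N-th packet, record only the destination port, scale back up."""
    sampled = Counter(dport for i, (_, dport, _) in enumerate(pkts)
                      if i % rate == 0)
    return {port: n * rate for port, n in sampled.items()}

def tap_view(pkts):
    """Tap view: every packet inspected, so per-port counts are exact and
    the HTTP request line is available for Layer-7 analysis."""
    per_port = Counter(dport for _, dport, _ in pkts)
    per_src_uri = Counter((src, payload.split()[1])
                          for src, dport, payload in pkts if dport == 80)
    return per_port, per_src_uri

def l7_offenders(per_src_uri, threshold=300):
    """Sources that sent more than `threshold` requests for one URI."""
    return sorted(src for (src, uri), n in per_src_uri.items() if n > threshold)

if __name__ == "__main__":
    pkts = build_stream()
    print("flow estimate:", flow_view(pkts))          # port 21 never appears
    per_port, per_src_uri = tap_view(pkts)
    print("tap exact:    ", dict(per_port))
    print("L7 offenders: ", l7_offenders(per_src_uri))
```

With random rather than counter-based sampling the expected number of FTP or attack samples is still well below one, and even a sampled attack packet is just another port-80 counter increment in the flow record.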

The advantage is, of course, CPU usage. Flow analysis is remarkably inexpensive to perform because of the limited processing required. Appliances that focus on flow analysis need not have a very powerful CPU for that work, which theoretically makes them cheaper. In practice, they’re cheaper to produce for the manufacturer, but seemingly not cheap to acquire!

Tap That Data

SD-WAN-Experts’s DDoS Mitigation solution does not use flow because the advantages are far outweighed by the disadvantages. Our appliances are tap based. They look at every packet, every time. This gives us tremendous visibility into network traffic and, more importantly, Layer-7 data. Our appliances are in essence a high performance IDPS (Intrusion Detection and Protection System) with an inline line-rate firewall.

This is a novel approach to DDoS mitigation. This means that our SecureSentry monitoring and SecureShield mitigation appliances are actually analyzing every single bit of data that runs through them. That’s the secret behind our key competitive advantages.

  • Fastest time to mitigate (TTM) in the industry, backed by the best SLA in the industry.
  • Fastest time to RTBH (remotely triggered black hole) in the industry.
  • Affordable Monthly Charge model for our appliances with no annual maintenance fee or hidden charges.
  • Comprehensive Layer-7 (application) mitigation included for no additional cost.

Intel vs. ASIC

This is a little misleading. SASE Experts’s DDoS mitigation solution leverages Intel processors exclusively for our large scale data processing. By programming software to leverage the various hardware acceleration features of the Intel processor, our solution is able to get amazing price to performance. Our software runs super fast while leveraging commodity hardware. This is a key reason why we’re able to scale our system so quickly and efficiently. Many appliance manufacturers use ASICs extensively. This is great, but it also increases the price of the appliances significantly. Why spend money on depreciating hardware versus more affordable commodity hardware?

Intel is the largest producer of commodity processors in the world. They have the biggest budget and they stand to gain the most by producing better manufacturing technology. This often leads to a better fabrication process which allows the transistors to be closer together than anyone else’s. This doesn’t directly define performance, but it does mean they get more transistors in the same space as other processors, and therefore a lot more features into the same space. This makes them great for multi-purpose environments, which is why they serve this sector so well.

By leveraging Intel CPUs, you get a few benefits:

  1. Rapidly improving CPU technology.
  2. Ability to upgrade CPUs easily.
  3. Inexpensive dollar for performance ratio.

For example, we upgraded from E5v1 to E5v2, and are now going to E5v3 processors. The latest generation processors have up to 18 cores at 2.3 GHz each (E5-2699). This is mind-boggling performance. Since we can inexpensively put two of these CPUs into one chassis, and can easily fit 4 chassis into a single 2U machine, that gives us 72 cores per 1U of space in a rack. Often, we’re able to upgrade between CPU revisions without changing motherboards. This gives us great flexibility and reduces the cost of upgrading our security platform.

So why not go with ASICs? I didn’t say that! I think ASICs serve their role. For example, SSL 1024/2048 bit processing on Intel is notoriously slow. You wouldn’t use Intel for this as it would not make sense. We wouldn’t perform large sets of similar checks on Intel either, as a GPU would perform better for that. There’s a great deal of specific processing that can get done in an ASIC far more efficiently than on Intel. What we leverage Intel for is the majority of our general data processing. Many of the features that make our system unique are performed on Intel.

Grow Baby Grow

Our DDoS mitigation solution is tap based. It uses commodity CPUs. How does it perform so much mitigation? How come other manufacturers of DDoS solutions have limits at 10Gbps, 20Gbps, or 40Gbps?

Our appliances scale horizontally. Our current shield inline mitigation appliance can clean 10Gbps while our monitoring sentry can read through 20Gbps at 1/2U. When you scale them horizontally, you can achieve nearly limitless scalability. Right now, we have scaled to 160Gbps per PoP. We can easily scale to more if necessary. Furthermore, the individual performance of each appliance is expanding to allow for 40Gbps monitoring and 20Gbps mitigation. With better hardware, we could easily reach 80Gbps of mitigation and 160Gbps of monitoring per 1U. We don’t see a need for this as the price for CPUs dramatically jumps at that point.

Know Your Enemies

When appliances within a PoP share data, what prevents them from sharing data with appliances in other geographic regions? Nothing! So what’s the advantage? Threat sharing. Knowing what threats have already been handled in other regions and customer deployments allows each appliance in the global network to be individually smarter. The system leverages group data and a pseudo-global clustering to improve the TTM of each individual appliance. If we see an attack in Los Angeles, and we see the same attack in Amsterdam, we know to block it far faster in Amsterdam. We don’t need to profile it as long. The same benefit can be extended to customers with our appliances. Their single appliance can benefit from the global intelligence of our entire cloud.

By this point, you’re probably thinking about information security policies and the potential for data leaks. This is a very valid concern. That’s why only meta-information and abstracted data are stored, with no identifying information, for the purposes of state distribution. Original data content is discarded upon processing. There are also specific policies around data sharing that can be configured. For example, a financial institution may opt to only receive state data, but not submit state data. Our systems can be configured with an arbitrary number of such policy settings.

Hyperscale Offload

This sounds really cool. All it means is that when an on-premises appliance hits its limit, it can trigger automatic cloud activation. This is important as most networks lack large enough capacity for the largest attacks. It can also get super expensive to buy enough appliances to mitigate every attack. Networks may opt to offload to the cloud above 20-40Gbps to avoid buying many expensive appliances. Hyperscale cloud offload gives the flexibility of low-latency on-premises mitigation, while extending to the cloud as backup in case of large attacks. It’s a best-of-both-worlds approach: Hybrid DDoS Mitigation. I believe Juniper, Arbor, and Radware all have appliances that dynamically offload to the cloud. They’re all multi-vendor, whereas our DDoS mitigation solution performs all aspects under one code base, making maintenance far simpler.

Summary

So how different is our DDoS mitigation solution? As of this writing, our technology is fairly different from the other players in the space. Our solution processes data differently, using taps rather than flows, uses commodity CPUs, and looks at the problem of DDoS largely from a scale perspective rather than buying big boxes. The idea is to produce the most efficient hardware that works for our clients’ networks without necessarily having to be a massive appliance, providing a cost-effective and reliable way to take care of their DDoS traffic.

We’ll cover cloud mitigation next, and the amazing capacity that cloud network DDoS solutions can provide both in terms of power and simplicity.

Contact us to learn more about Hybrid DDoS Mitigation.