Distributed Denial of Service (DDoS) Protection when Faster is Safer
The other day, I started out to write about how the performance and throughput of most Application Delivery Controllers (ADCs) and load balancers are affected by which features are enabled in the configuration. Most people deploy an ADC using basic server load balancing (SLB) features and functions, such as the least-connections algorithm, basic health checking, and High Availability (HA). As they become more familiar with the platform's capabilities, admins usually add features such as persistence, caching, SSL offload, and Layer 7 inspection. Each of these carries a performance cost because of the additional processing it requires; compute-intensive inspection and encryption are the obvious examples. As I was writing this, a headline came up on the news that JP Morgan Chase's online banking website had been hit with a Distributed Denial of Service (DDoS) attack that brought the site down. Read more about that attack in eWeek's news article, which cites a finding from Solutionary estimating that "organizations spend as much as $6,500 an hour to recover from DDoS attacks – a number which does not include any lost revenue due to downtime." So add that to the list of items that can impact performance, not to mention your business!
How a load balancer or ADC handles a DDoS attack can differ greatly depending on the platform. For example, does it have software-based or hardware-based DDoS protection? More importantly, how long can it absorb an attack and still process legitimate requests? I like to use an analogy involving the SR-71 Blackbird. For those of you who are not airplane enthusiasts, the SR-71 was used during the Cold War for high-altitude reconnaissance. It carried no weapons; its only countermeasure against an attack was its speed. When fired upon by enemy rockets it would accelerate to a velocity greater than that of the attacking missile. There were over 4000 failed attempts to shoot down the SR-71. So the lesson here is that the best defense against DDoS attacks is a load balancer with ample speed and performance to handle the features you need, plus enough headroom left over to sustain an attack. In light of these recent DDoS attacks, I believe the use of the AX Series, with its hardware-based DDoS protection, could have helped prevent an attack, or at least sustained a level of performance sufficient to keep servicing legitimate connections.
So in this case…faster is definitely safer.