For Enterprise DDoS Defense, Cloud Alone Just Doesn’t Cut It

For Enterprise DDoS Defense, Cloud Alone Just Doesn't Cut It

Enterprises face a dilemma when it comes to defense against today’s modern DDoS attacks: trust the surgical precision of an on-premise DDoS protection solution or go with a DDoS cloud scrubbing solution.

Why choose?  Why not get the best of both worlds and go with a full spectrum hybrid DDoS defense solution that combines both? That way, you get the power of the cloud along with the context-aware on-premise protection needed to battle sophisticated DDoS attacks.

Cloud Alone is Not Enough

When it comes to enterprise DDoS protection, cloud scrubbing is a solid option, but it’s not a panacea.

Cloud scrubbing and clean pipe services are critical when attacks grow past your internet capacity. But such services only achieve partial DDoS resilience. Why? Because enterprises must also defend their value-generating applications and availability for valid users. (Isn’t that the whole value prop of a DDoS defense solution? Maintaining application availability while thwarting DDoS attacks?) Distinguishing which accesses are valid and which are initiated as part of slower, but equally deadly, network or application resource exhaustion attack requires contextual awareness of the unique characteristics of on-premise network, application and normal user behavior.

Cloud scrubbing is incredibly effective when attack volumes exceed the capacity of an enterprise’s internet pipe, and enterprises must compliment their solution to defend against application and slow and low attacks, especially when IT managers say 75 percent of the attacks they see target specific network and application elements of their infrastructure.

At the same time, cloud scrubbing traffic swings can be disruptive and costly. More than three-quarters (77 percent) of attacks peak at 10 Gbps or less and nearly half of all attack volumes are less than 1 Gbps. These most common attack sizes are best deflected by an always-on on-premise solution.

DDoS attacks are largely brute-force, but DDoS defenses must be precise, with the ability to intelligently distinguish legitimate users. Strategies like Remote Triggered Black Hole (RTBH), and service rate limiting, which are commonly used in cloud-based mitigation, leave a wake of collateral damage against legitimate users in the form of false positives and false negatives.

A10’s Full Spectrum Hybrid DDoS Protection

Our full spectrum enterprise hybrid protection defends against DDoS attacks of all types and sizes that threaten your network, your revenue and your reputation

Our hybrid DDoS solution combines the power of the recently-launched  A10 DDoS Protection Cloud, an on-demand cloud DDoS scrubbing solution that gives our customers full spectrum DDoS protection with the precise, surgical defense of our on-premise Thunder TPS solutions.

This hybrid approach offers precision protection against all DDoS attack strategies such as volumetric, network-based, application layer, slow and low attacks and attacks missed by cloud scrubbing services.

A10 DDoS Protection Cloud delivers cloud-scale hybrid DDoS protection against volumetric attacks that exceed your enterprise’s internet bandwidth, while Thunder TPS provides on-premise DDoS defense to minimize false events with source-based mitigation; protect enterprise personnel and customers; and enforce protection via A10 Threat Intelligence Service and more than 27 traffic behavior indicators to increase mitigation accuracy.

The powerful hybrid solution also delivers automated policy-based mitigation escalation making frontline defenders more effective. DDoS Protection Cloud is orchestrated by our team of DDoS specialists, the A10 DDoS Security Incident Response Team (DSIRT), which redirects traffic to the cloud when an attack swells to threaten an enterprises total internet bandwidth.

And A10 Cloud DDoS Protection is cost-effective. The service is designed to protect legitimate traffic, not the amount of traffic that attacks apply, meaning you’re only charged for the protected traffic and the number of times cloud-scale scrubbing is required. And because Thunder TPS deflects all attacks that fall under your on-premises internet bandwidth, our two-pronged defense is the most surgically effective and economical full spectrum hybrid DDoS solution on the market.

The result: complete hybrid DDoS protection.


Donald Shin
March 6, 2018

About Donald Shin

Don has over 15 years of experience in the Networking and Security industries. Prior to A10, Don work in a variety of roles in R&D, product management, and marketing focused on network security, security efficacy testing, semiconductors and Cloud security.  He is passionate about helping customer's improve their security posture and speaks frequently at security conferences. READ MORE