While ISP-based DDoS mitigation services appear to be simple and natural solutions to protecting your Internet circuits, disadvantages include insufficient scale, less security expertise and response, and the inability to protect against attacks arriving over networks belonging to multiple ISPs.
In other words, don’t expect your ISP to protect you when you are DDoS’d. Indeed, what you will probably find is that your ISP simply black-holes any traffic destined for your IP address range.
What is blackholing?
Blackholing is a common defense strategy used by Internet Service Providers (ISPs) to stop DDoS attacks by blocking incoming traffic and redirecting it into a “black hole” or null route.
Are you comfortable with the possibility of legitimate traffic being black holed when under DDoS attack?
ISPs typically do not have sufficient network capacity to protect against large DDoS attacks, often protecting only up to 20 Gbps while black-holing larger attacks. Akamai has successfully mitigated a 321 Gbps attack and regularly mitigates attacks over 100 Gbps. Ask your ISP what capacity level they could protect you against. Do they provide any SLA?
Does your ISP have the expertise to protect your business from sophisticated and multi-vectored DDoS attacks?
ISP-based solutions typically have limited in-house security expertise and tools, which can struggle to respond to sustained and sophisticated attacks that shift over time. Mitigating 40 to 50 attacks every week, Akamai’s SOC has the experience and expertise to quickly mitigate attacks as well as adapt to changing attack vectors over time.
How comfortable are you in managing DDoS arrangements with multiple ISPs?
Many organisations purchase Internet connectivity from multiple ISPs, requiring them to also purchase a different DDoS mitigation solution for each. Multiple contracts are difficult to manage, and ISPs rarely work together to mitigate attacks. With Akamai, organisations can easily protect all of their Internet bandwidth through a single solution.
Can your ISP-based DDoS solution protect against web application attacks like SQLi, XSS, and RFI?
DDoS is only part of the threat – many attackers blend vectors and use DDoS to distract attention from data theft. With an ISP-based solution, organisations must still purchase a separate WAF solution. With Kona Site Defender, organisations can deploy a single solution that protects their web applications against both DDoS and web application attacks.
ISP DDoS solutions are easier to implement
ISP-based solutions are easier to implement. Because mitigation is performed by the ISP, implementing these solutions does not require any additional networking changes. However, they also offer inferior protection, and organisations committed to protecting their Internet-facing applications will care more about the protection that a solution affords. One size doesn’t fit all.
ISP DDoS solutions are cheaper
ISP-based solutions may cost less on paper, but do not fully mitigate the business risks posed by DDoS attacks. They only protect against attacks on their network and cannot protect against larger or more complex attacks, so the upfront cost of a comprehensive solution and the total financial impact of any attack may be significantly higher.
ITogether are unique in that we can provide a multi-optioned ‘clean pipe’ service.
ITogether can layer Prolexic onto your circuits. You don’t need BGP peering or a class C address range; you just need ITogether-provided diverse circuits. On top of those circuits, ITogether can also add Akamai FastDNS, Akamai CDN services, Akamai ETP services and, of course, Akamai WEP and KONA services.