5 Reasons Not To Use DDoS Hardware For Data Centres


Hardware can be fun. If you are anything like me, you probably grew up doing things like fiddling with RCs, dismantling your parents’ clock radio, and rebuilding a 390 V8 engine. And many of us have spent most of the past few years, or decades, doing a more sophisticated version of that – building, dismantling and fiddling with servers, routers and other hardware that can be found around a data centre.

But here’s the thing. Hardware can also be a huge pain in the neck.

You probably either work in or manage a data centre, or your equipment lives in one, whether it is on your own server or someone else’s. And when it comes to distributed denial of service (DDoS) attacks, the vast majority of data centres rely on one or several hardware solutions stitched together in order to protect their own and their clients’ web properties.

DDoS attacks have become a very real and serious problem in recent years. Collectively, organisations worldwide are losing billions of dollars annually as a result of DDoS attacks, and any website is a potential target.

If executed well, data centres have a unique opportunity to build brand loyalty and provide peace-of-mind to all of their customers by delivering reliable, versatile DDoS protection.

Earlier this year, Juniper Networks purchased Webscreen Systems from Accumuli, a UK-based IT security specialist. More recently, Arbor Networks has transitioned from a traffic analysing platform to a DDoS hardware platform.

Both Juniper and Arbor are taking steps to further a strategy to try to deal with DDoS attacks from within a data centre by adding more hardware. While one can understand why a company that produces and sells hardware would see hardware as the best fix, there are several reasons why this is the wrong solution for most consumers, and could actually unnecessarily cost both data centres and their customers time, money and brand integrity.

Admittedly, there is a broad range of DDoS hardware protection options available, and given its wide adoption and availability, many seem to feel this is the strongest way to protect their online presence from a DDoS attack. However, after more than 15 years in the industry, I can think of five good reasons why using DDoS hardware protection in a data centre hosting environment is a flawed strategy.

1. Increased Costs Passed On To Customers

When a data centre decides to invest in a hardware solution to address DDoS problems, there are significant costs related to it. Initial purchasing costs, the expense of maintaining and upgrading the equipment, and staffing costs required to manage and repair it in a data centre hosting environment all need to be considered. These costs are inevitably passed on to customers, driving up prices, and whether you are the data centre manager or the end customer, this is not a good thing.

2. More Points Of Failure

By adding another piece of hardware, you are adding yet another point of failure. As you are aware, in all things networking an essential key to success is keeping your number of points of failure low. Studies show that firewalls, intrusion detection systems (IDS) and other similar hardware protection platforms have over a 42 percent chance of failing [Arbor Worldwide Infrastructure Security Report 2011]. How many customers are you willing to lose as a result of failing hardware? As a data centre customer, would you want to be on that platform when it fails?

3. One Person’s Problem Becomes Everyone’s Problem

In a data centre environment, multiple customers often share resources (whether they know it or not). Platforms like servers, switches, routers and firewalls are often provisioned with more than one client. Once a shared platform’s bandwidth or CPU capacity is breached while dealing with a DDoS attack, everyone provisioned on that platform takes an outage.

4. One Size Never Really Fits All

A hardware solution for a data centre will need to be generic enough to fit all clients’ needs, which means it probably won’t be specific enough for a particular client’s exact requirements, or robust enough to handle more sophisticated attacks. In the moments during a DDoS attack when it is truly depended upon, it will be unlikely to deliver the results that clients need or deserve.

5. How Focused Are The People Watching Client Gear?

Even with the best DDoS hardware protection out there, you might as well try to protect your websites with a toaster if there isn’t a proficient team dedicated to administering and managing the hardware. In a data centre hosting environment, the operations team has many responsibilities, of which managing DDoS hardware is a low priority one. Even if someone is paying attention and able to divert their focus to a client’s servers for a short while during a DDoS attack, it won’t be for long, and repeated DDoS attacks would likely go unmitigated, or the IP would be null-routed to save resources and minimise collateral damage. This is an inelegant solution that frustrates clients and erodes brand loyalty.

With so many vendors offering DDoS hardware protection, it might be tempting to conclude that it is a safe option that will serve your business well. However, there are cloud-based DDoS protection options which are versatile, affordable, reliable and fully managed, offering many benefits that are not possible with DDoS hardware solutions, with few of the risks.

Jag Bains

A 15-year veteran in the service provider arena, Jag Bains, Chief Technology Officer, DOSarrest Internet Security, has extensive network design experience as well as working with enterprise customers that require a wide range of Internet products and services. Jag's most noted accomplishment was as the Director of Network Engineering and Operations for PEER1 Hosting where he oversaw the design, evolution and growth of the entire PEER1 backbone and data centre networks. In building out the PEER1 backbone over the last 11 years, Jag was able to observe a large number of DDoS attacks against their customer base, and came to appreciate the singular focus needed to combat the evolving nature of these attacks. Jag holds a Bachelor of Science degree in Information Science from the University of Victoria, in British Columbia.

1. Increased Costs Passed On To Customers

    This is why most data centers — let me re-phrase that, most data centers in the United States have two network “sides.” One side is normal, and the other side is heavily protected and filtered. This allows the DC to operate with less increased cost per customer if the customer is not a target or possible target of attacks. This is true in many enterprise and budget data centers alike.

    2. More Points Of Failure

    The biggest point of failure is the cheapest, most unreliable equipment on your network. Since data centers aren’t cheap to build and operate, the biggest point of failure is usually the client’s machine and not any part of the network infrastructure (such as routers, switches, cables, monitoring, or firewalls). The automated systems may fail, yes, and they are replaced/upgraded quickly. See #5.

    3. One Person’s Problem Becomes Everyone’s Problem & 4. One Size Never Really Fits All

Clients that worry about the infrastructure burden often ship their machines with side-by-side equipment for their rack and receive special filtering and QoS to ensure that the script kiddies in the box next to them aren’t running down the system. Because a normal home or office typically doesn’t include great carrier access, fire suppression, cooling systems, and so forth, there’s no real way around sharing a little bit with someone you don’t know. Even on a “dedicated” line, there is some sharing when you reach the main equipment even though your bandwidth is all yours.

    5. How Focused Are The People Watching Client Gear?

    For data centers that provide non-software-based DDoS protection, they are very focused. Equipment like Cisco Guards aren’t cheap — they certainly pay attention to a pile of money sitting in a rack that protects their company and the people that rely on them for services. Not everyone is running an AOL NOC. Sending all your attacks to the cloud is sometimes just as useless as null routing.