Five reasons not to use DDoS hardware for data centres

By Jag Bains, CTO of DOSarrest.

  • Monday, 28th October 2013. Posted by Phil Alsop.

Let’s face it, hardware can be fun. If you are anything like me, you probably grew up doing things like fiddling with RCs, dismantling your parents’ clock radio, and rebuilding a 390 V8 engine. And many of us have spent most of the past few years, or decades, doing a more sophisticated version of that – building, dismantling and fiddling with servers, routers and other hardware that can be found around a data centre. But here’s the thing. Hardware can also be a huge pain in the neck.


You probably either work in or manage a data centre, or your equipment lives in one, whether it is your own server or someone else’s. And when it comes to distributed denial of service (DDoS) attacks, the vast majority of data centres rely on one or more hardware appliances stitched together to protect their own and their clients’ web properties.


DDoS attacks have become a very real and serious problem in recent years. Collectively, organisations worldwide are losing billions of dollars annually as a result of DDoS attacks, and any website is a potential target. A data centre that handles this well has a unique opportunity to build brand loyalty and provide peace of mind to all of its customers by delivering reliable, versatile DDoS protection.


Earlier this year, Juniper Networks purchased Webscreen Systems from Accumuli, a UK-based IT security specialist. More recently, Arbor Networks has moved from a traffic-analysis platform to a DDoS hardware platform. Both Juniper and Arbor are pursuing a strategy of dealing with DDoS attacks from within the data centre by adding more hardware. One can understand why a company that produces and sells hardware would see hardware as the best fix, but there are several reasons why this is the wrong solution for most customers, and it can needlessly cost both data centres and their customers time, money and brand integrity.


Admittedly, there is a broad range of DDoS hardware protection options available, and given their wide adoption and availability, many seem to feel that this is the strongest way to protect an online presence from a DDoS attack. However, after more than 15 years in the industry, I can think of five good reasons why relying on DDoS hardware in a data centre hosting environment is a flawed strategy.


REASON #1
Increased costs passed on to customers.
When a data centre decides to invest in a hardware solution to address DDoS problems, there are significant costs related to it. Initial purchasing costs, the expense of maintaining and upgrading the equipment, and staffing costs required to manage and repair it in a data centre hosting environment all need to be considered. These costs are inevitably passed on to customers, driving up prices, and whether you are the data centre manager or the end customer, this is not a good thing.


REASON #2
More points of failure.
By adding another piece of hardware, you are adding yet another point of failure. As you are aware, in all things networking an essential key to success is keeping the number of points of failure low. Inline security appliances are a particularly bad bet here: firewalls and intrusion detection/prevention systems keep per-connection state, so a flood of connection attempts can exhaust their state tables long before the link itself is saturated, and the device that was meant to protect the site becomes the thing that takes it down. Arbor’s Worldwide Infrastructure Security Report for 2011 found that over 42 percent of surveyed operators had seen firewalls, IDS/IPS and similar inline protection platforms fail or contribute to an outage during a DDoS attack. How many customers are you willing to lose as a result of failing hardware? As a data centre customer, would you want to be on that platform when it fails?


REASON #3
One person’s problem becomes everyone’s problem.
In a data centre environment, multiple customers often share resources (whether they know it or not). Servers, switches, routers and firewalls are routinely provisioned for more than one client, and a shared DDoS appliance is just another such platform. Once a shared platform’s bandwidth, state table or CPU capacity is exhausted while absorbing a DDoS attack, every client provisioned on that platform takes an outage, not just the one being targeted.


REASON #4
One size never really fits all.
A hardware solution for a data centre needs to be generic enough to fit all clients’ needs, which means it probably won’t be tuned closely enough to any particular client’s requirements, or robust enough to handle more sophisticated attacks. At the moment of an attack, when it is actually being depended upon, it is unlikely to deliver the results that clients need or deserve.


REASON #5
How focused are the people watching client gear?
Even with the best DDoS hardware protection out there, you might as well try to protect your websites with a toaster if there isn’t a proficient team dedicated to administering and managing the hardware. In a data centre hosting environment, the operations team has many responsibilities, and managing DDoS hardware is a low priority among them. Even if someone is paying attention and able to divert their focus to a client’s servers for a short while during a DDoS attack, it won’t be for long. Repeated DDoS attacks would likely go unmitigated, or the target IP would simply be null-routed to save resources and minimise collateral damage. Null-routing discards all traffic to that address, legitimate and malicious alike, so from the client’s point of view it completes the attacker’s work: the site is offline either way. This is an inelegant solution that frustrates clients and erodes brand loyalty.


With so many vendors offering DDoS hardware protection, it might be tempting to conclude that it’s a safe option that will serve your business well. However, there are cloud-based DDoS protection options which are versatile, affordable, reliable and fully managed, offering many benefits that are not possible with DDoS hardware solutions, and few of the risks.