1. Summary
With ransomware getting all the news coverage when it comes to internet threats, it’s easy to lose sight of distributed denial of service (DDoS) attacks even as they become more frequent and aggressive. In fact, the two threats have recently been combined in a DDoS ransom attack, in which a company is hit with a DDoS, and then a ransom is demanded in exchange for not launching a larger DDoS.
Clearly, a solid mechanism for thwarting such attacks is needed, and that’s exactly what a good DDoS protection product provides. It will allow users, both staff and customers, to access their applications without indicating that a DDoS attack is underway. To achieve this goal, the DDoS protection product needs to know about your applications and, most importantly, be able to absorb the massive bandwidth generated by botnet attacks.
All the DDoS protection vendors we evaluated have a cloud-service element in their products. The scale-out nature of cloud platforms is the right response to the scale-out nature of DDoS attacks using botnets, thousands of compromised computers, and/or embedded devices. A DDoS protection network that is larger, faster, and more distributed will defend better against larger DDoS attacks: 3.45 Tbps is the largest yet reported attack and was sustained for around 15 minutes.
Two public cloud platforms we review have their own DDoS protection, both providing it for applications running on their public cloud and offering only cloud-based protection. We also look at two content delivery networks (CDNs) that offer only cloud-based protection but also have an extensive network of locations for distributed protection. Many other vendors offer on-premises and cloud-based services that are integrated to provide unified protection against the various attack vectors that target the network and its application layers.
Some vendors have been protecting applications since the early days of the commercial internet. These vendors tend to have products with strong on-premises protection and integration with a web application firewall (WAF) or application delivery capabilities. These companies may not have developed their cloud-based protections as fully as the born-in-the-cloud DDoS vendors.
In the end, you need a DDoS protection platform equal to the DDoS threat that faces your business, keeping in mind that such threats are on the rise.
This GigaOm Radar report highlights key DDoS protection vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating DDoS Protection Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
- Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
- GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
- Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.
2. Market Categories and Deployment Types
To better understand the market and vendor positioning (Table 1), we assess how well solutions for DDoS protection are positioned to serve specific market segments.
- High risk: In this category, we assess solutions on their ability to meet the needs of organizations at the highest risk of DDoS attacks. Large companies in high-tech and financial services, as well as healthcare and utilities, are frequent, often continuous, targets of DDoS attacks. These organizations require always-on DDoS protection and massive mitigation bandwidth from a large DDoS protection network.
- Medium risk: Here, offerings are assessed on their ability to support organizations where DDoS attackers are less prevalent or where the attacks are smaller, possibly carried out by activists rather than financially motivated. These organizations less frequently come under attack and may choose to have on-demand cloud-based DDoS protection or entirely on-site DDoS protection.
- Low risk: Many smaller organizations do not experience frequent DDoS attacks and choose to protect only against smaller attacks. Simple configuration is important, and ideally, DDoS protection should be built into the application or network infrastructure. These organizations may choose to submit to an attack rather than spend money on more protection. In this category, we also favor DDoS protection vendors with fast under-attack onboarding for organizations that realize submitting to the attack is a poor strategy.
In addition, we recognize three deployment models for solutions in this report: on-premises only, cloud only, and hybrid cloud.
- On-premises only: A physical or virtual appliance is installed on-premises to implement all protection and remediation. All attack traffic will enter the customer’s network before it is remediated.
- Cloud only: The solution is available only as a cloud service. All DDoS protection and remediation are completed before any network traffic reaches the customer’s site.
- Hybrid cloud: A physical or virtual appliance is installed on-premises and used in conjunction with a cloud service. Some protection and remediation are completed in the cloud and some on-premises. Some attack traffic will enter the customer’s network before it is remediated.
Table 1. Vendor Positioning (ratings are shown as icons in the original and are not reproduced in this text version)

| Vendor | Market Segment: High Risk | Market Segment: Medium Risk | Market Segment: Low Risk | Deployment Model: On-Premises Only | Deployment Model: Cloud Only | Deployment Model: Hybrid Cloud |
|---|---|---|---|---|---|---|
| Akamai | | | | | | |
| AWS | | | | | | |
| Cloudflare | | | | | | |
| F5 | | | | | | |
| Imperva | | | | | | |
| Microsoft | | | | | | |
| NETSCOUT | | | | | | |
| Neustar | | | | | | |
| Radware | | | | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
3. Key Criteria Comparison
Building on the findings from the GigaOm report, “Key Criteria for Evaluating DDoS Protection Solutions,” Tables 2, 3, and 4 summarize how well each vendor included in this research performs in the areas we consider differentiating and critical for the sector: key criteria, evaluation metrics, and emerging technologies.
- Key criteria differentiate solutions based on features and capabilities, outlining the primary criteria to be considered when evaluating DDoS protection systems.
- Evaluation metrics provide insight into the impact of each product’s features and capabilities on the organization.
- Emerging technologies and trends indicate how well the product or vendor is positioned with regard to technologies and trends likely to become significant within the next 12 to 18 months.
The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.
Table 2. Key Criteria Comparison (ratings are shown as icons in the original and are not reproduced in this text version)

| Vendor | Globally Distributed Protection Network | Integration with Content Delivery Network | Integration with Web Application Firewall | Integration with Security Information & Event Management | AI for Real-Time Response to Emergent Attack Vectors | Protected Internet Perimeter |
|---|---|---|---|---|---|---|
| Akamai | | | | | | |
| AWS | | | | | | |
| Cloudflare | | | | | | |
| F5 | | | | | | |
| Imperva | | | | | | |
| Microsoft | | | | | | |
| NETSCOUT | | | | | | |
| Neustar | | | | | | |
| Radware | | | | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Table 3. Evaluation Metrics Comparison (ratings are shown as icons in the original and are not reproduced in this text version)

| Vendor | Flexibility | Scalability | Usability | Efficiency |
|---|---|---|---|---|
| Akamai | | | | |
| AWS | | | | |
| Cloudflare | | | | |
| F5 | | | | |
| Imperva | | | | |
| Microsoft | | | | |
| NETSCOUT | | | | |
| Neustar | | | | |
| Radware | | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Table 4. Emerging Technologies Comparison (ratings are shown as icons in the original and are not reproduced in this text version)

| Vendor | 5G Mobile Networks | Data Sovereignty Awareness |
|---|---|---|
| Akamai | | |
| AWS | | |
| Cloudflare | | |
| F5 | | |
| Imperva | | |
| Microsoft | | |
| NETSCOUT | | |
| Neustar | | |
| Radware | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.
4. GigaOm Radar
This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for DDoS Protection
As you can see in the Radar chart in Figure 1, most of the mature vendors operate large networks to provide a very distributed response to DDoS attacks. These mature vendors did not build those networks just for DDoS protection and are mostly platform providers with a range of related services. These massive DDoS protection networks lend themselves to protecting the most at-risk organizations and early detection of new DDoS attack vectors. The more specialized, feature-based DDoS protection vendors started with mostly on-premises products and are extending those products by building their own cloud-based DDoS protection.
Inside the GigaOm Radar
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
5. Vendor Insights
Akamai Kona Site Defender
Kona Site Defender is Akamai’s lead DDoS protection tool, combining a WAF and Layer 3 and 4 DDoS protection inside the Akamai Content Delivery Network to keep websites and APIs operational. Akamai’s CDN is made up of over 360,000 servers in 135 countries, with an aggregate bandwidth of over 33 Tbps. DDoS protection traffic is forwarded from these edge locations to six scrubbing centers worldwide, where the Kona WAF provides Layer 7 application protection. Akamai added machine learning (ML)-based protection for applications and APIs in 2021.
The Akamai CDN is probably the most widely known CDN and delivers some of the largest websites, so naturally, Akamai extended it to provide DDoS protection. The CDN accepts only valid connections on HTTP and HTTPS ports, dropping many of the Layer 3 and 4 “volumetric” (network flooding) attacks very close to their source. The CDN also caches static content, protecting performance for those parts of customers’ websites and applications. The Layer 7 WAF is not integrated into the CDN locations but operates in its six data centers, potentially adding latency to protected sites. The WAF can operate with Akamai-managed rules, which are automatically generated and immediately responsive to attacks. Otherwise, customers can manage their own rules and customize them for their own applications.
Akamai is the only vendor to note that CI/CD integration and protecting APIs are important parts of its strategy. Integrating DDoS protection into application definition and development (CI/CD) means that application protection decisions are being made by the application development team and stored in the source code repository for the application. This approach is consistent with DevOps methodologies by which the application team owns the entire application lifecycle. Akamai provides an API and a CLI for configuring Kona Site Defender, allowing customers to choose the automation tools that suit their processes. It also includes a feature to detect and protect web APIs within applications.
Akamai’s long history with large websites is evident in its integration with security information and event management (SIEM) products, with a connector-based architecture and support for tools such as Splunk, QRadar, and ArcSight. Reporting and real-time alerting are built in, along with web security analytics. Akamai can even manage DDoS protection for the customer as a managed security service.
Strengths: Akamai’s CDN is massive and widely used, making it a natural choice for DDoS protection.
Challenges: Forwarding traffic to centralized scrubbing servers increases latency for some users, potentially meaning customers have DDoS protection only when under attack.
AWS Shield Advanced
AWS Shield Advanced is the lead AWS service for DDoS protection. The Shield service runs in over 300 AWS edge locations, the data centers where the AWS global network connects to the internet. Shield inspects traffic entering the AWS network and protects AWS and its customers from Layer 3 and 4 DDoS attacks. Shield combines with AWS Web Application Firewall (WAF), which provides Layer 7 protection.
AWS Shield Standard is the base platform protection with no direct fee, and its feature set is not customer configurable or monitorable and is not suitable for business production environments. Only the Shield Advanced feature set will be covered here as it is manageable and monitorable for production use.
Shield Advanced has a fixed monthly fee of $3,000 per organization, which can cover multiple AWS accounts. There are also outbound data transfer fees for the protected services in addition to the usual data egress charges. As with all AWS services, predicting the actual cost is difficult due to the multiple pricing dimensions. AWS waives the fees for the WAF service for resources protected by Shield Advanced, which can save more than the Shield Advanced fee.
The WAF service is configured inside the customer’s account since it must decode the customer’s data to operate. AWS provides access to managed WAF rules through a marketplace where third-party security vendors offer rulesets for a fee. Customers can configure Shield Automatic Application Layer DDoS Protection to baseline traffic and automatically create and place rules in either count or block mode to prevent large traffic anomalies from reaching their applications. Customers can also write their own rules and choose which managed and custom rules to include in the web access control list (web ACL) attached to each resource. Organizations with multiple AWS accounts can use AWS Firewall Manager to apply the same rules and web ACLs to resources in different accounts.
A central part of AWS DDoS protection is the Shield Response Team (SRT), which runs 24/7 operations to monitor, alert on, and mitigate active attacks on customer resources. Customers with Business or Enterprise support as well as Shield Advanced can preset limited SRT access to their accounts so that the SRT can rapidly mitigate application-level attacks in progress by adding WAF rules.
Strengths: The AWS global network is massive and a natural fit if your website or application is already on AWS.
Challenges: Shield Advanced protects only resources hosted on the AWS global network.
Cloudflare
Cloudflare DDoS Protection is the umbrella for several features of the massive Cloudflare network. Cloudflare Magic Transit is a Layer 3 element that includes network-level protection for connecting the customer’s entire on-premises WAN to the internet. Cloudflare Spectrum protects any TCP/UDP-based application by blocking SYN flood attacks. Cloudflare DDoS Protection for Web Applications is the Layer 7 defense for websites and HTTP(S) applications. All of these products are features that can be enabled on the Cloudflare global network.
With points of presence in over 275 cities, this is a truly global network, and Cloudflare says that 95% of the internet-connected population is within 50 milliseconds of this network. With 155 Tbps of bandwidth for DDoS mitigation and connecting to over 11,000 networks, Cloudflare is huge. Beyond its scale, the Cloudflare network runs every feature on every server in every data center. It does not have to forward traffic from one data center to another for different processing. The result is that enabling always-on DDoS protection on Cloudflare does not negatively impact application performance. In fact, the CDN will probably improve overall performance. Moreover, this architecture provides fault tolerance as each point of presence (PoP) can continue to operate independently if required.
Cloudflare is a free or low-cost CDN, providing website acceleration for thousands of hobbyists and small business websites. These sites offer vast quantities of threat intelligence information to Cloudflare, which is then used to protect those sites and larger fee-paying customers. The low-cost tiers also provide Cloudflare with a great place for testing features before they are applied to the more critical commercial sites. Availability of this real-time threat intelligence results in very fast time to mitigation for both existing and new DDoS attack vectors.
Magic Transit and Magic Firewall are newer features for customers wanting comprehensive protection for all their internet traffic. Conventional cloud DDoS protection inspects inbound traffic from the internet to websites and applications. Magic Firewall allows this inspection of all internet traffic entering and leaving the client’s network. In practice, this makes Cloudflare the internet firewall for its customers, with all the scale-out advantages of the Cloudflare network and more malware and threat awareness than an on-premises firewall. A managed firewall on the internet was the original service that Cloudflare developed as part of its mission to “Help build a better internet.”
Strengths: Cloudflare has a truly massive global network and is well known for its free CDN, providing large amounts of threat intelligence. Unmetered DDoS protection is central to Cloudflare services.
Challenges: Many customers associate Cloudflare only with the free CDN and may not know the complete feature set and commercial options for DDoS protection.
F5 Silverline
F5 offers defense-in-depth DDoS protection. This starts with its Silverline DDoS cloud service, which addresses the largest volumetric attacks, then moves through the on-premises F5 BIG-IP in the network tier, fed by a Silverline Threat Intelligence feed from the F5 cloud, and finally to the application-tier BIG-IP as a final line of protection. Each component can be deployed independently, but the best protection comes from integrating the multiple layers of defense so they can share information and optimize attack mitigation. F5’s DDoS protection is part of a wider mission to protect and improve application delivery. As applications have moved from on-premises to internet accessible, F5 developed protection for those applications both on-premises and in the cloud.
The Silverline DDoS cloud service delivers Layer 3 and 4 attack protection and integrates with the Silverline Web Application Firewall protection for Layer 7 threats. The Silverline Threat Intelligence service provides threat details to these two services, as well as to F5 firewalls and load balancers on-premises. The threat information, called Hybrid Signaling, is bidirectional. A hostile IP address that is detected on-premises can be blocked by Silverline DDoS so that it never reaches the customer network. Customers can also use Hybrid Signaling to activate on-demand protection when an attack is in progress or keep Silverline in an always-on configuration.
The Silverline service includes the F5 security operations center (SOC), which provides 24×7 escalation and support for F5 DDoS protection as well as several other F5 security features, such as fraud protection. The SOC operates both on request from customers and by proactively monitoring threat feeds for suspicious behavior. The SOC also actively notifies government agencies for enforcement (takedown) against malicious sites, such as botnet command and control networks. In addition to application-centered cloud DDoS protection, Silverline can provide a protected internet perimeter service, which safeguards all internet-connected services. The only missing element is a CDN, as Silverline does not appear to offer any caching of content. A third-party CDN could always be implemented ahead of the Silverline DDoS protection.
Strengths: A strong focus on application delivery is the core of the F5 DDoS protection strategy. Multiple types of on-premises appliances provide application-aware protection.
Challenges: New customers requiring DDoS protection may be inclined to choose a service with a CDN rather than buying two subscriptions.
Imperva DDoS Protection
Imperva’s DDoS Protection platform combines different solutions for edge security, application security, and data security. The edge security product includes CDN and DDoS protection capabilities, while the application security product provides WAF functionality. Imperva is transitioning from custom hardware to commodity x86 servers in its more than 50 PoPs to handle the huge network volume in Layer 3 and 4 DDoS attacks. These locations provide an aggregate 10 Tbps of throughput. Each request to the protected resource passes through a single edge-security scrubbing node rather than being forwarded from one service to another. Using self-contained nodes minimizes the latency impact of full protection and allows scaling without service-to-service bottlenecks.
The Imperva Secure CDN is integrated as part of the global network, providing caching and optimization of site delivery at the edge. Imperva is steadily growing its global network, with current mitigation bandwidth at 10 Tbps and new data centers commissioned to increase capacity. The Imperva WAF is available as a shared service called Cloud/WAF or as a virtual appliance for dedicated deployment on-premises or on a public cloud. As with other hybrid deployments, volumetric attacks are stopped in the cloud and application attacks can be stopped on-premises. Having the Layer 7 defense on-premises means that network traffic is only ever decrypted on-premises, satisfying data governance requirements that may prevent decryption in the cloud. The hybrid-cloud approach is an important part of the Imperva DDoS Anywhere strategy, allowing the Imperva DDoS engine to be deployed anywhere while the policy and reporting are always available as a cloud service.
One focus area is customer enablement, which starts with self-service onboarding for many use cases. New customers can onboard while under attack, through self-service, or with help from the Imperva operations team. For more sophisticated users, there is a configuration and reporting API as well as a three-second DDoS mitigation service-level agreement (SLA). The fast time to mitigation is crucial for pulsing DDoS attacks. Imperva has a mobile application that customers can use to receive alerts and monitor system status.
Imperva has a protected internet perimeter product called DDoS Protection for Networks, which places the Imperva DDoS protection platform between the internet and the customer’s on-premises network. Routes into the customer’s network via Imperva are advertised using BGP. After scrubbing, clean traffic is passed to the customer network over a GRE tunnel or a private data circuit. Imperva can protect individual public IP addresses and DNS servers using its network in a similar manner. Imperva has added self-service onboarding for network protection and an option for a standby configuration, through which it provides backup DDoS network protection if a customer’s primary DDoS provider is proving inadequate.
Strengths: Imperva’s large network continues to expand. The DDoS anywhere strategy will enable more complex and regulated use cases.
Challenges: Bidirectional integration with SIEM products would assist this solution for smokescreen DDoS attacks.
Microsoft Azure DDoS Protection Standard
Microsoft Azure DDoS Protection Standard is the paid service for Azure DDoS protection. There is also an unpaid service providing basic DDoS protection that applies to all Azure services. Both tiers of service provide always-on monitoring and attack detection with automated mitigation, and both protect only specific types of resources (public IPs in ARM-based VNETs) on the Azure cloud. The free service protects Azure and the other Azure tenants from a DDoS attack targeted at your website or application, preventing you from being a noisy neighbor.
Azure DDoS Protection Standard is an easy choice for any production use, as it includes production-level support, SLA guarantee, cost protection, and response, as well as visibility into in-progress attacks and mitigation. The rest of this discussion applies only to Azure DDoS Protection Standard. The basic charge of under $3,000 per month covers up to 100 public IP addresses for a single organization. Microsoft has published an account of mitigating a 3.47 Tbps attack, the largest yet reported attack and a good context for the mitigation bandwidth provided by all the DDoS protection vendors.
Azure DDoS Protection Standard is for Layer 3 and 4 attacks—the volumetric attacks that have the largest impact on the network infrastructure. DDoS attack analytics are available during an attack, with near-real-time mitigation data forwarded to Microsoft Sentinel or to another SIEM product. Metrics and alerts are available for attacks, including options to send logs to analytics tools such as Sentinel and Splunk. Azure DDoS Protection Standard is self-configuring and can be tuned by the Azure response team. The DDoS policy is not configurable by customers, nor are custom IP allow/block lists permitted. Hopefully, Microsoft will soon make customer configuration possible.
Azure Web Application Firewall provides Layer 7 protection, with application attack mitigation, such as blocking cross-site scripting attacks. There are system-managed rulesets that protect against common attacks and vulnerabilities. Azure WAF allows custom rules for mitigating application attacks, geolocation restrictions, and even the inspection of the request body for an API call. There does not seem to be direct integration between Azure DDoS Protection Standard and the Azure CDN service, although the CDN does claim DDoS protection capabilities. Customers could put in the development effort to automate configuration using Azure Functions.
Strengths: DDoS protection is fully integrated with Azure. High performance with automated remediation makes for set-and-forget configuration.
Challenges: The service is not as flexible as some clients may need and only protects Azure-based resources. As with most cloud providers, customers can choose to bring their own DDoS protection to the cloud if the managed service does not suit their needs.
NETSCOUT Arbor Edge Defense
NETSCOUT Arbor Edge Defense (AED) is an on-premises DDoS protection product that pairs with the Arbor Cloud to provide hybrid DDoS protection. This hybrid protection approach is a powerful combination. Volumetric attacks are best handled in the Arbor Cloud, where 14 data centers worldwide provide 11 Tbps of traffic-scrubbing capacity. Smaller volumetric attacks, as well as attacks that exhaust limited resources, such as TCP connections, can be effectively mitigated by the on-premises appliance.
The appliance can be used to protect services such as VPN concentrators, which are difficult to secure via cloud services, providing a protected internet perimeter on-premises. The on-premises appliance can also inspect outbound traffic from on-premises machines, preventing a compromised on-premises computer from joining a botnet or being used as a bridgehead into the corporate network. The hybrid deployment is conceptually like the protected internet perimeter that other DDoS vendors are developing; it places defense between the site perimeter firewall and the internet at large.
Arbor Networks, acquired by NETSCOUT in 2015, has its origins in service provider networking, and NETSCOUT still provides Arbor Sightline and Threat Mitigation System to service providers and large enterprises. All these deployed products send threat and attack information to the Arbor Cloud SOC, which provides 24/7/365 customer support and, through the Atlas Security Engineering and Response Team (ASERT), develops mitigation strategies as new threats emerge. The Atlas Threat Intelligence Feed (AIF) then forwards these strategies to all installed NETSCOUT DDoS protection installations. The threat feed and automation of recommendations allow DDoS attacks to be mitigated closer to their origin, such as at the ISP, if that ISP uses NETSCOUT DDoS protection. The on-premises Arbor Edge Defense appliance receives these threat updates to respond rapidly to changing attacks and is also able to receive third-party threat information via the STIX and TAXII open standard formats.
Arbor Cloud delivers complete DDoS protection. It provides application protection and has stateless regular expression-based filtering that could be used to build WAF-like functionality. If you choose to use NETSCOUT/Arbor, you should consider supplementing it with a WAF and CDN to help protect your application servers and accelerate access. In that arrangement, the on-premises Arbor appliance would protect your WAF, and Arbor Cloud would protect the CDN. This expectation of integrations reflects Arbor’s strength in the service provider and enterprise markets, where customers favor combining best-of-breed products.
Strengths: NETSCOUT focuses on and secures the network layer with specific application protection capabilities. Hybrid deployment allows more protection than cloud-only.
Challenges: Arbor does not have an easily configurable WAF or CDN functionality.
Neustar Security Services UltraDDoS Protect
Neustar Security Services (NSS) UltraDDoS Protect provides Layer 3 and 4 DDoS protection and integrates with UltraWAF for Layer 7 protection. Protection is available for cloud-only or hybrid-cloud deployments and is always-on or on-demand, with always-on being the currently preferred practice. The cloud components operate in 14 data centers worldwide, with an aggregate 12 Tbps capacity protecting against volumetric attacks. This network will soon expand to another data center and to 15 Tbps capacity. The Neustar Security Services data centers are linked to a private network, allowing secure transit from data center to data center. This global network can also deliver a protected internet perimeter for customers, with private links or GRE tunnels to customers’ on-premises networks.
The on-premises component of a hybrid deployment is provided either by Arbor Networks (now NETSCOUT) or by Corero appliances that integrate into the UltraDDoS Protect cloud platform. Hybrid deployment might be necessary for compliance (Layer 7 mitigation requires unencrypted data) or for better integration with on-premises resources. Protecting services such as VPNs or VDI desktops generally requires on-premises protection or a protected internet perimeter approach. Both NETSCOUT and Corero offer competing hybrid cloud DDoS protection, placing a question mark over their partnerships with NSS.
While UltraDDoS Protect does not include a CDN as part of the NSS platform, the data centers are co-located with the Limelight CDN and can also protect any external CDN, although this will increase latency due to the extra network hop. NSS has a bot-specific tool, UltraBot, to detect and mitigate attacks from known botnets and to detect new botnet members. NSS is very proud of its SOC, which handles the 24/7 response and continuous improvement of DDoS protection. The SOC provides DDoS protection expertise to other DDoS vendors, safeguarding NSS’ partnerships. NSS has traditionally provided a full white-glove service but is now adding customer self-service capabilities such as onboarding.
Billing plans on NSS UltraDDoS Protect have good scaling flexibility, based on clean traffic volumes from 10 Mbps to multiple gigabits per second for always-on protection. Integration with other tools is strong, partly because the UltraDDoS Protect product is assembled from leading suppliers. UltraDDoS Protect speaks directly to Arbor and Corero using their native formats and supports SIEM tools such as Splunk and IBM QRadar as well. UltraDDoS Protect also has an integration API and can send alerts and notifications via email or webhooks for real-time intelligence sharing.
NSS provides an integrated DDoS protection platform and focuses solely on DDoS protection. The platform is built from best-of-breed components, some of them courtesy of potential competitors, with NSS doing the integration and deep DDoS specialization. In the future, NSS might want to build replacements for the popular parts of the competitors’ products it uses.
Strengths: Flexible deployment, including hybrid approaches, is a strong suit. A wide range of plan bandwidths is available.
Challenges: Partnerships with competitors are difficult, particularly as other vendors acquire those partners.
Radware Hybrid DDoS Protection
Radware has been active in the DDoS protection space since on-premises appliances were the undisputed best choice, and the DefensePro appliances still deliver on-premises protection close to your application servers. Most current Radware customers will use the on-premises appliances as part of Radware’s hybrid attack mitigation solution, combining on-premises protection with cloud-based scrubbing and threat analytics.
The on-premises and cloud-based protection can be implemented separately, even allowing rapid cloud-only onboarding while under attack. Alternatively, the on-premises appliances can be deployed for the lowest application latency when no DDoS attack is underway, with the cloud service automatically engaging on-demand when an attack occurs. With the increase in DDoS attack frequency, many customers choose always-on cloud DDoS for constant protection, with the on-premises appliance as an additional line of defense. Radware uses AWS CloudFront as its CDN, providing a massively distributed content delivery network. Radware employs keyless behavior analytics to identify secure sockets layer (SSL)-based attacks without decrypting data, protecting both privacy and data sovereignty.
Radware’s Cloud DDoS Protection Service operates from 16 scrubbing data centers worldwide, with an aggregate 10 Tbps mitigation capacity. Radware’s behavior analytics tool scores session activity and identifies suspicious sessions with an escalating set of responses, aiming to block threat traffic with minimum impact on legitimate traffic. These analytics can run on-premises, connected to the DefensePro appliance, for low latency.
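The session-scoring-with-escalation idea in the paragraph above, shown as an added illustration. This is not Radware's code or its scoring algorithm; it is a generic defender-side sketch that learns a per-client request rate and URL-path mix from a clean period, scores each client per time window on volume and on concentration on rarely used paths, and walks a client up an allow / rate-limit / challenge / block ladder only while its score stays high, stepping it back down when it behaves. The client addresses, paths, threshold and traffic windows are all constructed sample data.

```python
"""Added example: anomaly scoring with escalating responses (not vendor code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Escalation ladder. A client moves one rung up for every consecutive window
# in which its score exceeds THRESHOLD, and one rung down for every quiet window.
ACTIONS = ["allow", "rate_limit", "challenge", "block"]
THRESHOLD = 3.0  # constructed value; tune against observed false positives


@dataclass
class Baseline:
    mean_rate: float   # mean requests per client per window in clean traffic
    path_share: dict   # fraction of clean requests that hit each URL path


def learn_baseline(windows):
    """windows: list of windows, each a list of (client, path) tuples of clean traffic."""
    rates, paths = [], Counter()
    for win in windows:
        rates.extend(Counter(c for c, _ in win).values())
        paths.update(p for _, p in win)
    total = sum(paths.values())
    return Baseline(mean_rate=sum(rates) / len(rates),
                    path_share={p: n / total for p, n in paths.items()})


def score_client(paths, baseline):
    """Score one client's requests in a window; higher means more anomalous.
    volume: request count relative to the learned per-client mean.
    rarity: average of (1 - share) over the paths hit, so a client hammering an
    endpoint that is rare or unseen in normal traffic scores near 1.0 here."""
    volume = len(paths) / baseline.mean_rate
    rarity = sum(1.0 - baseline.path_share.get(p, 0.0) for p in paths) / len(paths)
    return volume * (1.0 + rarity)


@dataclass
class Escalator:
    baseline: Baseline
    level: dict = field(default_factory=lambda: defaultdict(int))

    def step(self, window):
        """Process one window of (client, path) requests; return {client: action}."""
        by_client = defaultdict(list)
        for client, path in window:
            by_client[client].append(path)
        decisions = {}
        for client, paths in by_client.items():
            if score_client(paths, self.baseline) > THRESHOLD:
                self.level[client] = min(self.level[client] + 1, len(ACTIONS) - 1)
            else:
                self.level[client] = max(self.level[client] - 1, 0)
            decisions[client] = ACTIONS[self.level[client]]
        # Clients that went quiet this window decay one rung toward "allow".
        for client in list(self.level):
            if client not in by_client:
                self.level[client] = max(self.level[client] - 1, 0)
        return decisions


# Constructed traffic. Three ordinary browsing clients, each making four requests.
CLEAN_WINDOW = [
    ("10.0.0.1", "/"), ("10.0.0.1", "/assets/app.js"), ("10.0.0.1", "/login"), ("10.0.0.1", "/"),
    ("10.0.0.2", "/"), ("10.0.0.2", "/assets/app.js"), ("10.0.0.2", "/products"), ("10.0.0.2", "/products"),
    ("10.0.0.3", "/"), ("10.0.0.3", "/assets/app.js"), ("10.0.0.3", "/search"), ("10.0.0.3", "/products"),
]
# A flooding client aimed at the search endpoint (15x the normal rate).
BOT_TRAFFIC = [("198.51.100.7", "/search")] * 60
# A low-volume client hitting an endpoint never seen in clean traffic.
LOW_AND_SLOW = [("203.0.113.9", "/api/export")] * 8


def run_demo():
    """Learn from three clean windows, then feed three attack windows and one
    quiet window. Returns the per-window decisions and the escalator state."""
    baseline = learn_baseline([CLEAN_WINDOW] * 3)
    esc = Escalator(baseline)
    history = [esc.step(CLEAN_WINDOW + BOT_TRAFFIC + LOW_AND_SLOW) for _ in range(3)]
    history.append(esc.step(CLEAN_WINDOW))  # attackers gone; their levels start to decay
    return history, esc


if __name__ == "__main__":
    for i, decisions in enumerate(run_demo()[0]):
        print(f"window {i}: {decisions}")
```

Two design points worth noting. First, the flooding client and the low-and-slow client reach "block" at the same pace because the score combines volume with path rarity; a pure rate limiter would miss the second one. Second, the ladder moves one rung per window in both directions, so a single noisy window for a legitimate user costs at most a rate limit that lifts on the next quiet window, which is the "minimum impact on legitimate traffic" trade-off the paragraph describes.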
The Radware WAF is another appliance called AppWall, also available as a cloud service. AppWall can share threat intelligence with both the DefensePro DDoS protection appliance and the Cloud DDoS Protection Service. Radware also operates a 24/7 emergency response team (ERT) as a single point of contact that supports customers under DDoS attack, including customized response to targeted attacks while they are in progress. In addition, Radware operates a honeynet, which gives them more intelligence on both attack methods and botnet behaviors.
The on-premises appliances are definitely a strength for Radware. Being placed on the customer’s network and close to the application allows the appliance to learn normal application access patterns and identify anomalous traffic that is targeted at the specific application. A full suite of DDoS protection on-premises means that cloud-based scrubbing may be required only for high bandwidth volumetric attacks that would otherwise overwhelm the on-premises internet connection.
Strengths: On-premises appliances provide low-latency DDoS protection with deep application awareness.
Challenges: More integration with customers’ wider security and application infrastructure would enhance the value of Radware to customers.
6. Analyst’s Take
There are a few situations where DDoS protection product selection is easy. In these cases, it typically means investing in new products from vendors to whom you already have a commitment. Evaluate the obvious choice and decide whether it fits your requirements before putting a lot of effort into assessing every possible solution. If your applications reside on either AWS or Azure, you should probably use the DDoS solution from the same cloud platform. Be sure to read and implement the DDoS protection guidance from that provider and be mindful of any per-GB network traffic costs. If you are already heavily invested with a vendor like NETSCOUT, F5, Cloudflare, Imperva, or Akamai for other parts of your network protection and infrastructure, it is probably a good idea to use their DDoS protection.
If there is no obvious choice, consider the nature of your applications and the locations from which they will be accessed. Applications that are latency sensitive and accessed from close to your data center will work best if most protection is on-premises (with a switch to cloud-based protection when you are under attack) or in a cloud location very close to you if protection is always on. Applications that are accessed from all over the world are already designed to be latency tolerant, so a little more latency is less of an issue. In that case, a cloud-only product or one with a relatively small number of cloud scrubbing centers may work.
Also, consider how desirable your organization is as a target. Large and well-known names are more likely to be attacked for notoriety. Controversial businesses, such as oil exploration and mining companies, are likely targets for activist hackers. Organizations with deep pockets and dependence on their computers, including financial firms and government agencies, are attractive potential targets for ransom attacks. If you are a desirable target, expect a larger-than-average number of attacks and choose a larger-than-average DDoS protection network. Finally, remember that any DDoS protection product is only part of an overall strategy, not a silver bullet for all denial-of-service hazards.
7. About Alastair Cooke
Alastair Cooke is an independent industry analyst who has been writing about the challenges and changes in the IT industry for over ten years. IT infrastructure, virtualization, end-user compute, and public cloud technologies are all focus areas. Alastair started his thirty-year career as a hands-on technical consultant for global companies such as Glaxo Wellcome and VMware, as well as smaller New Zealand-based companies. In the second half of his career, Alastair has been a technical trainer and content creator, making videos and writing about enterprise IT topics. As a trainer, Alastair taught courses for VMware, HPE, Nutanix, and AWS. He is a host of Build Day Live, doing hands-on video education with enterprise IT vendors such as HPE, Dell, Pure Storage, Oracle, Supermicro, Cohesity, and NetApp.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
9. Copyright
© Knowingly, Inc. 2022 "GigaOm Radar for DDoS Protection" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.