infoTECH Feature

March 05, 2018

Proactive vs. Reactive: Which is Better for DDoS Defense?

By Special Guest
Mohammed Al-Moneer, Regional Director, MENA at A10 Networks

Distributed denial of service, or more commonly abbreviated as DDoS, is a classic form of cyber-attack in the world of enterprises. The last 18 months has ushered in the era of supercharged, colossal DDoS attacks capable of reaching 1Tbps and more. IT professionals across the world have taken notice and are ready to combat this. Whilst there are many ways to fight DDoS attacks, like scaling and bandwidth metric analysis, in my experience the best methods are proactive and reactive deployment modes.

The question now is, which is the better deployment mode? Both have pros and cons, so perhaps the best way to answer this question is to break it down and see what fits best for your business.

To figure out which of these methods is best for enterprises, we should first explain what ‘proactive’ and ‘reactive’ methods of deployment actually mean. Like the name implies, the proactive mode of DDoS defense is when your defenses are constantly looking for potential attackers. A proactive mode uses an in-line tool that has 100 percent visibility through packet analysis. It checks the credentials of every piece of traffic received and uses pre-determined information and behavioural indicators to decide what could be a bot or an attack and blocks it, while allowing regular, human traffic through.

Reactive is the opposite or proactive. With a reactive mode, you leverage the flow data that is available from the edge routers and switches, and perform meta-data analysis to try to detect anomalies.  If this packet analysis gets a hit on something dangerous, like a DDoS attack, it then reacts by inserting the mitigation device. This means the mitigation of traffic only activates once a danger has been detected, rather than all the time.

Based on those definitions, which is the best for business?

Proactive often sounds better, as it is always on and active. Proactive also has the highest resolution detection capabilities available. Some examples of where proactive is used is with real-time applications like those found with voice, video and gaming software, or when protecting critical things like DNS infrastructure.

All good things have a downside, however, and for a proactive mode it is the price. As the system is always on and requires 1:1 capabilities, it can be expensive to set-up and maintain. This is especially true when you have a bigger network.

On the flip-side, a reactive mode uses flow that is already built into the network for its analysis and mitigation is only put in-line during times of attack. This makes it more cost-effective for smaller networks that don’t leverage real-time applications to build defenses and oversubscribe your mitigation capabilities. Reactive mode, however, does have limited resolutions of flow, meaning it may take slightly longer to identify an attack. The time to react is also often slower.

Both modes have the same responsibility of surgically mitigating attack traffic and both need to be able to differentiate what is normal and what is a bot.

So, now we answer the question of which is better? Like most decisions, it comes down to your business’ specific needs. Can you pay more to have always-on defense or will your business be ok with the more affordable solution? To decide this, factors such as the size of your network, company finances and the importance of what you are trying to defend all need to be considered.

There are plenty of good solutions out there from industry leading companies which can supply both proactive and reactive modes to protect enterprises from cyber-attacks. With solutions that can scale based on the attack and leverage virtualisation and the cloud to better defend from DDoS attacks. Many businesses will be secure regardless of which deployment mode you choose. Just make sure your business has at least one of these solutions, otherwise you won’t be prepared for that eventual attack.

About the Author: Mohammed Al-Moneer is Regional Director, MENA at A10 Networks. Mohammed has held various sales leadership positions at networking and other high tech   companies. Most recently at Infoblox (News - Alert), he served as regional manager for Saudi Arabia, where he leveraged his success in leading the services business to drive operational efficiencies and innovation and achieve exceptional growth. Prior to that he worked as territory sales manager for enterprise servers, storage and networking at Hewlett-Packard (News - Alert)

Edited by Mandi Nowitz

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter

infoTECH Whitepapers