The Average Anti-DDoS Appliance Can’t Stop the Average DDoS Attack

DIG-INSIGHT_DBIR-response3Distributed denial-of-service (DDoS) attacks have not only been increasing in number, but also in size and are quickly outpacing the capacity of anti-DDoS appliances.

According to Verizon’s latest Data Breach Investigations Report (DBIR), the average size of a DDoS attack is now larger than the capacity of most mid-market anti-DDoS hardware appliances. That means that organizations must find a partner to scale out to the cloud, invest in scaling up their hardware, or potentially leave themselves exposed to a debilitating attack.

The average size of a DDoS attack is 5.5 Gbps

According to the 2016 DBIR, the average scale of DDoS attacks in the past year was around 5.5 Gigabits per second (Gbps) of throughput. Packet traffic volume of the average DDoS attack was approximately 1.89 million packets per second (Mpps).

Note that these are only mean figures, and in reality there are many attacks that far exceed these in size. Industry reports have noted DDoS attack sizes that reach up to 400 Gbps or more.

The figures from the 2016 DBIR are displayed below:


The average capacity of an anti-DDoS hardware appliance is less than 5.5 Gpbs

Statistics about the size of DDoS attacks, however, don’t tell us anything unless we compare them to an organization’s defense capabilities.

There is a wide range of anti-DDoS hardware appliances in the market, built by different manufacturers. In addition, Web Application Firewall (WAF) and Next-Generation Firewall (NGFW) appliances also frequently include anti-DDoS capabilities, although they usually offer more limited DDoS protection compared to dedicated appliances.

To understand how DDoS attacks and DDoS defenses stack up, we plotted the throughput capacity (in Gbps) and list price (in USD) of 25 mid-market, dedicated anti-DDoS appliances by four leading manufacturers. These are the devices usually suitable (and marketed) to medium-to-large enterprises and data centers.

This comparison does not include carrier-grade appliances, which are not only much more expensive, but are also usually used only by large telcos and ISPs. The data is based on throughput capacity provided in technical documentation by the vendors themselves, and available price lists.

The results of this analysis are shown in the scatter plot below. Although there is a certain amount of variance in prices and capabilities, depending on maker and specific hardware configuration, it is nonetheless possible to identify general trend lines:


As the scatter plot shows, the majority of mid-market devices offer throughput capacity of 4 Gbps or less. This figure is lower than the average DDoS attack size of 5.5 Gbps. It also means that to withstand an average-sized DDoS attack, let alone a large scale one, organizations must invest in multiple, redundant hardware appliances, and constantly keep buying more hardware as attack size continues to grow.

Getting enough hardware capacity gets mighty expensive, mighty fast

As the findings above show, a mid-sized DDoS appliance with 2 Gbps of throughput costs somewhere in the neighborhood of $50,000 per device. Therefore, to withstand a median DDoS attack of 5.5 Gbps, organizations must have at least three such devices. If they want any redundancy, they must have even more. This brings the total cost to at least $200,000 just in direct appliance hardware costs.

Organizations could opt for higher-end devices with more capacity, but these come with an equally high price tag. A device with 4 Gbps, which is still not enough to withstand the average attack, will cost somewhere in the neighborhood of $100,000, whereas an appliance with 8-10 Gbps of throughput will set you back upwards of $150,000.

Support, managed services, software updates and IP reputation services usually require separate licenses, which go for thousands (sometimes tens of thousands) of dollars or more. Some devices also require a separate management appliance. Moreover, having multiple appliances frequently requires additional networking equipment such as load balancers, dedicated switches and more, all of which drive costs even higher.

Indeed, moving your website’s DDoS protection to the cloud resolves many of the challenges of maintaining your own hardware-based defense:

  • Immediate scalability: When it comes to DDoS, size matters. Moving your DDoS protection to the cloud, however, immediately increases your DDoS protection bandwidth from a single gigabit to tens of terabits per second, which are always and immediately available for your use.
  • Multiple redundancy: A hardware appliance not only provides limited capacity, but also represents a single point of failure. If it goes down, so does your entire DDoS protection. Using the globally distributed network of a cloud provider, with dozens of points of access, allows for multiple redundancy and increased resiliency in the face of attacks. Moreover, attacks are stopped at the edge of the network rather than at your origin.
  • Protection against multiple attack vectors: Although the term DDoS often gets thrown around, it actually consists of a large variety of attack methods, protocols and vulnerabilities. Keeping track of it all and having dedicated hardware and software for different types of attacks can get complicated and expensive. A cloud provider that is dedicated to DDoS protection makes it easier to protect yourself against a wide array of attacks, such as amplification attacks or application layer attacks, instead of having to chase the next vulnerability or attack method on your own.
  • Lower cost: Finally, as we’ve shown above, hardware appliances often require high capital costs for their initial purchase, as well as associated costs of depreciation, supplemental hardware (load balancers, networking equipment, power supplies, etc.), and dedicated security staff to operate them. Using DDoS protection as a service, however, allows companies to go by a pay-as-you-go model and avoid associated costs of depreciation, staff and supplemental hardware.

Verizon Digital Media Services’ DEFEND platform provides customers with comprehensive cloud-based protection against both network layer (L3 & L4) and application layer (L7) attacks, massive capacity measured in tens of terabits to protect you against even the largest volumetric attacks, and immediate global scalability to make sure you instantly have as much bandwidth as you need, when you need it, for as long as you need it.

Contact us to learn more about how our comprehensive security platform can help you boost your website defenses and improve your ROI.

Vikas Phonsa, Senior Product Manager – Security Solutions
Eyal Arazi, Product Marketing Manager – Security

Chat Now Contact Us