Due to a lack of solutions that really manage to work efficiently controlling connections in on-premise environments, the DDoS Defender was created, capable of absorbing a high number of connections during a DDoS attack, including the dreaded "syn flood" , without forwarding any of them to the application's real servers, while it continues forwarding normally the connections coming from real clients.

 

What exists today in solutions for on-premise environments:

 

• Operator-level DDoS

​

Operator solutions protect against other types of DDoS, less aggressive and little used by hackers, such as "ack flood" and "udp flood", but are not effective against the dreaded "syn flood" attack.

 

• Firewall with limit of connections

​

Some firewalls also offer protection against DDoS attacks, including "syn flood", but using questionable techniques. In general they can act in the following ways:

​

* Limit the number of connections to a certain destination/service, where connections that exceed this limit will be blocked

This technique prevents a DDoS attack in the sense of not allowing malicious requests that exceed the defined limit to reach your application, however, it also blocks the requests of your real customers, which in any case leads to the unavailability of your service. In other words, this technique can facilitate a DDoS attack, where an attacker will only need to exceed the limit of connections defined in the firewall to be able to make your application unavailable to your clients.

* Limit the number of connections for each source address independently.

This more elaborate technique makes a limitation for each address that is generating connections to your system. However, many applications, especially WEB applications, require a greater number of connections, as browsers can make several simultaneous connections to speed up page loading. It is not uncommon to see a single client make 30 or more requests within one second.

Also considering that there may be more than one client connected on a network sharing the same outgoing IP address, this number needs to be multiplied a few times to prevent legitimate access from being unduly blocked. Because of this, throttling settings typically miss a relatively high connection rate, such as 100 connections per second for each source address. Although this number may not be enough to compromise your application, in a DDoS attack coming from 1000 different sources, for example, the firewall would miss a rate of 100,000 new connections per second, which could bring your application to total downtime.

​

• Cloud DDoS Protection Service

​

DDoS attack protection solutions provided by large companies in the Cloud.
They work very well, are highly efficient but, however, have a cost that sometimes ends up making their use unfeasible or restricting their use to only a part of the environment.