Always-on DDoS Mitigation vs. On-demand DDoS Mitigation


In a previous article, we explained what DDoS attacks are. In this article, we introduce the two main types of DDoS mitigation service: On-demand and Always-on. The term ‘DDoS mitigation’ refers to the process of successfully protecting a targeted server or network from a DDoS attack.

In an Always-on deployment, all customer traffic is routed through the scrubbing centers of the DDoS mitigation provider at all times. Malicious traffic is scrubbed and only clean traffic is forwarded to the customer. In an On-demand deployment, traffic flows directly to the host during normal operation. When an attack occurs, traffic is switched over to the DDoS mitigation provider, which scrubs the attack traffic and passes only clean traffic to your server.


Benefits of Always-on DDoS mitigation


  • Uninterrupted protection: You are protected at all times against DDoS attacks. 
  • Zero downtime: Your traffic is constantly routed through the DDoS mitigation provider, and therefore no protection gaps exist.

Downsides of Always-on DDoS mitigation


  • Additional latency: Since all traffic is routed through the network of the DDoS mitigation provider, some additional latency is inevitable. The amount depends on the location of the provider’s scrubbing center, its distance from the customer host, and connectivity.
  • Higher cost: Always-on deployments use more bandwidth and are therefore more expensive.

Benefits of On-demand DDoS mitigation


  • No added latency during normal operation: Traffic flows directly to your host when you are not under attack, so no additional latency is introduced.

  • Lower cost: It is usually cheaper than always-on DDoS mitigation.

  • Simple maintenance: No management is required during normal operation.

Downsides of On-demand DDoS mitigation


  • Target may be exposed: On-demand services do not provide protection all the time. They detect DDoS attacks based on volumetric traffic thresholds. Only once the threshold has been reached will protection be activated. The detection and diversion steps may take up to several minutes. During this time the server is still exposed.

  • Potential outages: Outages may occur from the start of a DDoS attack until the attack is mitigated.
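
The threshold-and-divert behaviour described above, modelled as an added example (not code from this article or from any provider). The threshold, the three-sample sustain rule, the 120-second diversion delay and the traffic samples are all assumed values constructed for illustration; the second call goes slightly beyond the text to show that traffic staying under the threshold never triggers diversion.

```python
from dataclasses import dataclass

@dataclass
class OnDemandPolicy:
    threshold_mbps: float        # volumetric trigger (assumed value)
    sustain_samples: int         # consecutive over-threshold samples needed to trigger
    diversion_delay_s: int       # time for rerouting to the scrubbing center to take effect
    sample_interval_s: int = 10  # traffic is measured once per interval

def exposure_window(samples_mbps, policy):
    """Walk per-interval traffic samples and return when protection starts.

    Returns None if the threshold is never sustained, i.e. traffic is never diverted.
    """
    streak, first_over_s = 0, None
    for i, mbps in enumerate(samples_mbps):
        if mbps < policy.threshold_mbps:
            streak = 0           # a short spike does not trigger diversion
            continue
        if streak == 0:
            first_over_s = i * policy.sample_interval_s
        streak += 1
        if streak == policy.sustain_samples:
            detected_s = (i + 1) * policy.sample_interval_s  # sample is known at interval end
            protected_s = detected_s + policy.diversion_delay_s
            return {"first_over_s": first_over_s, "detected_s": detected_s,
                    "protected_s": protected_s, "exposed_s": protected_s - first_over_s}
    return None

# Constructed samples (Mbps, one per 10 s): normal load, then a flood from the 7th sample on.
SAMPLE = [80, 85, 78, 90, 82, 88, 900, 2400, 5200, 6100, 6000, 5900]
POLICY = OnDemandPolicy(threshold_mbps=1000, sustain_samples=3, diversion_delay_s=120)

if __name__ == "__main__":
    print(exposure_window(SAMPLE, POLICY))
    # A flood that stays under the threshold never triggers diversion.
    print(exposure_window([80, 85, 950, 980, 990, 970], POLICY))
```

With these assumed values the host is exposed for 150 seconds after traffic first crosses the threshold, which is the gap an always-on deployment does not have.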

Factors to consider when choosing which type of DDoS mitigation to adopt

  • Latency: An on-demand DDoS mitigation service adds no latency during normal operation. If your application is very sensitive to latency, always-on DDoS mitigation may not be suitable for you, and you should go for an on-demand service.

  • Frequency of attack: If you are attacked only infrequently (or not at all), an on-demand service might be a cost-effective way to protect you. However, if your server constantly comes under attack, so that traffic is constantly being diverted, an always-on service will probably be more suitable.

  • Mission-critical applications: On-demand services usually take a few minutes for the detection and diversion steps, which may result in short downtime. If you can’t afford any downtime at all for your mission-critical applications, you should opt for always-on DDoS mitigation.

Dataplugs' always-on DDoS mitigation service provides uninterrupted protection for your dedicated server against layer 3 and layer 4 DDoS attacks around the clock. You can upgrade to 10Gbps / 25Gbps / 50Gbps or even higher protection based on your needs. Feel free to contact us by phone at +852 3959 1888 or by email if you want to learn more about our services.