A combination of political and technological factors have made DDoS attacks more frequent and, in some cases, more damaging than they have been in the past. The number of attacks more than tripled between 2010 and 2012. All types of attacks are more prevalent: big, small, dumb, sophisticated, network layer, application layer, and combinations of all of the above. In years past, attacks of 10 Gbps were relatively rare. In the past 6 months Akamai has seen attacks in the tens of Gigabytes on a nearly weekly basis. Akamai also saw an increase in the number of application layer attacks such as SQLi and XSS, as well as attacks on resources intensive pages such as login pages or PDF files. The more powerful attacks combine methods: a network layer attack of around 10+ Gbps with a simultaneous or consecutive SQL injection or cross site scripting attack. The "combo attacks" are the attacks that are most difficult to mitigate. Information security teams might see the rise in application layer attacks and respond by increasing the number of rules that their on-premise WAF processes on incoming requests. The tightened rules have the paradoxical effect of slowing down legitimate traffic. Tightened rules also make an on- premise WAF more susceptible to failure - in other words an on-premise WAF that inspects more rules is easier to flood with malicious requests. This paradox also applies to business logic and input validation on the application server itself. Of course, regulatory environments, user authentication and application logging also increase the load on application servers. The more an InfoSec team does to prepare for attack, the more susceptible they make themselves to bogging down legitimate traffic or even total application or web server failure.
The prevalence of "combo attacks" and the danger of the DDoS paradox are what make more and more companies turn to cloud-based web security for DDoS mitigation. By definition, cloud-based DDoS mitigation platforms are inline and always on - meaning they are inspecting both application layer and network layer traffic during times of "peace" and when under attack. Akamai DDoS mitigation, for example, is architected for near infinite scale so that it in terms of performance, it can "afford" to inspect all requests. Akamai is not susceptible to the DDoS paradox because the WAF is embedded in every one of the tens of thousands of servers in the Intelligent Platform™. Customers on see performance gains once they get on the Intelligent Platform, and the rules Akamai writes to protect them are balanced among the servers on the platform. Most customers see performance gains when they choose Akamai to protect their online properties. Akamai protects against DDoS at the edge of the Intelligent Platform, in 90% of cases just one network hop away from the attacker. That means that attackers are stopped well before they get to the customer data center.