This blog series dives into the different DDoS protection models, in order to help customers choose the optimal protection for their particular use-case. The first parts of this series covered premise-based appliances and on-demand cloud services. This installment will cover always-on cloud DDoS protection deployments, its advantages and drawbacks, and what use-cases are best for it. The final part of this series will focus on hybrid deployments, which combine premise-based and cloud-based protections.

Always-On: Uninterrupted cloud-based protection

DDoS protection solutions using an ‘always-on’ model work by constantly routing all customer traffic through the network of the DDoS mitigation provider. Customers change their routing advertisements (usually BPG or DNS) to the network of their DDoS mitigation provider, who then routes all traffic through its scrubbing centers. Communications are then scrubbed for malicious traffic, and only clean traffic is forwarded to the customer.

The difference between the on-demand model and the always-on model is that whereas in the on-demand model traffic is diverted through the provider’s network only for limited durations, when an attack has been detected, in the always-on model traffic is diverted through the provider’s network at all times.

[You might also like: 5 Questions to Ask About DDoS Pricing]

Advantages & Drawbacks:

Using an always-on DDoS protection service provides for a number of key benefits:

  • Uninterrupted protection: One of the biggest benefits of the always-on model is the fact that you are protected at all times against DDoS attacks. Unlike the on-demand model, where diversion and protection are activated for limited times only after an attack has been detected, under the always-on model customers are always protected.
  • No protection gaps: Another advantage of the always-on model compared to the on-demand model is that there are no protection gaps during the detection and diversion stages. Most on-demand models detect attacks based on volumetric traffic thresholds. Only once the threshold has been reached will diversion be initiated. The detection and diversion steps may take up to several minutes, during which time the application is still exposed. Under the always-on model, traffic is constantly routed through the DDoS mitigation provider, and therefore this gap does not exist.
  • Low management overhead: An always-on deployment usually requires low management overhead. Once initial configuration of the service is complete, there is no need for additional overhead, as traffic is constantly routed.

However, there are also some downsides to this approach:

  • Latency: A large drawback of the always-on model is the introduction of additional latency. Since all traffic is routed through the network of the DDoS mitigation provider, this will inevitably lead to additional latency to traffic. The amount of latency will depend on the location of the provider’s scrubbing center, distance from customer host, and connectivity.
  • Cost: Since traffic is always routed through the scrubbing center on a constant basis, always-on deployments use up more bandwidth than on-demand services. As a result, always-on service tends to be noticeably more expensive than an on-demand service.


When evaluating an always-on DDoS protection service, there are a few key factors to take into consideration:

  • Latency: How tolerant is the application to latency? Using an always-on service will usually add some degree of latency to connections. The amount of latency will usually be minor, but it depends on the application and its specific use-case as to whether this level is acceptable.
  • Frequency of attack: How frequently is the application attacked? If they come under constant attack, then an always-on service will make sense. However, if the customer is only infrequently attacked (or never at all), then perhaps an on-demand service might be more cost-effective.
  • Budget: What is the allocated budget? Always-on services tend to be more expensive than comparable on-demand services.

[You might also like: Choosing the Right DDoS Solution – Part I: On-Prem Appliance]

Who Is It Best For?

Taking into consideration the relative merits and drawbacks of an always-on cloud DDoS protection service, there are a number of use cases for which this model is particularly suitable:

  • Critical applications: Mission-critical applications that cannot afford any downtime at all, even not a few minutes. The always-on aspect of the service will ensure the application is constantly protected.
  • Frequently attacked: Companies that frequently come under attack. In this case an on-demand service doesn’t make sense since it will constantly be diverting on or off.
  • Low latency sensitivity: Applications that are not sensitive to the minor added latency usually incurred by such services.

However, there are also use cases for which such a solution is less suited for:

  • Latency-sensitive applications: Real-time applications with high sensitivity to latency. In this case, an on-prem or hybrid solution will probably be more suitable.
  • Price-conscious customers: Always-on services tend to be more expensive due to the added traffic surcharges and additional overhead incurred by the service providers. Therefore, customers who have a limited budget might consider an on-demand service.

The always-on model provides effective protection for applications which require constant protection against DDoS attacks, and cannot afford any downtime at all. However, this added security comes at the cost of some added latency.

For customers and applications which need both constant protection and low latency, a hybrid solution combining both premise-based equipment and scalable cloud service is the best option. The final installment of this blog series will cover the hybrid DDoS protection model and the use-cases for which it is best suited.

Read “Top 9 DDoS Threats Your Organization Must Be Prepared For” to learn more.

Download Now