Skip to main content

«  View All Posts

Security | DDoS Attack | Cybercrime

A Service Provider’s Guide to DDoS Mitigation Tactics and Solutions

August 6th, 2021 | 8 min. read

A Service Provider’s Guide to DDoS Mitigation Tactics and Solutions
Jason Maki

Jason Maki

Technical Marketing Engineer at CCI Systems

Print/Save as PDF

Historically, if your company wanted to implement DDoS mitigation tactics, you were left justifying a quarter-million-dollar expenditure just to scratch the surface of network protection. 

A $250,000+ proposal for mitigation services was a nonstarter for many service providers, and most opted out of any further conversations.

Today, solution providers can put together tactics to save on cost and let service providers expand into mitigation with the growth of their network.

CCI Systems is a solution provider that understands the need for a staged approach, and why it is oftentimes the best option for providers and operators of all sizes. 

Self-selecting the right DDoS mitigation strategy to meet your company’s needs should start with the implementation of a remote triggered black hole, choosing a scrubbing service that is right for your company, and ultimately, deciding to protect your network with the best tools available.

Start with a Remote Triggered Black Hole (RTBH)

For new providers, the remote triggered black hole (RTBH) is by far the most economical solution when compared to other mitigation tools. Plus, it is the least expensive way to have DDoS mitigation applied to your network.


For companies who are exploring the benefits of proactive DDoS mitigation or starting a new greenfield ISP, RTBH serves as a good safety net. It is a piece of the puzzle all service providers should explore.

Any company doing DDoS mitigation has a threshold, including cloud providers, so this is where RTBH comes in. If an attack gets too big, there is a limit where your network folds, and the black hole is triggered to prevent everything else from being taken down. Luckily, this solution eliminates any collateral damage within your network.

If your company has scrubbing in place, the RTBH is activated at a specified level of attack volume (either manually or automatically). At this point any impacted routers will begin routing traffic going to the attacked device to null-zero, effectively taking them offline while leaving neighboring services unimpacted by the DDoS attack.

Scrubbing Services: What and Where Are You Scrubbing?

Automated scrubbing platforms are the most common type of overall network protection for service providers. Essentially, this automation monitors the types and levels of incoming traffic to ensure it does not rise to a quantity to take a network offline.

And yet, many services provider continue to initiate manually scrubbing protocols.

Manual Scrubbing vs. Automated Scrubbing

Depending on how the attack happens, where it happens, and the network on which it occurs, the service provider will not want to black hole (i.e. RTBH) all the addresses.

For instance, taking down a city can have major implications affecting schools, hospitals, waste management plants, or government facilities, so maintaining network availability is of the utmost importance.

Service providers with a moderate-to-large subscriber base should consider auto-scrubbing to avoid shutting down an entire community because of a minor DDoS attack.  

This will help to keep them operational and functional while all the little stuff is occurring on the outskirts of their network, like students who are working to prevent a test from happening or an angry gamer who DDoS’s another user because they’re a sore loser.

Think of this as day-to-day network availability protection. For the most part, this is an automated protection, but some companies who have access to the resources opt for manual mitigation tactics.

Manual mitigation allows internal technicians to go into routers and route traffic to a black hole manually. But again, some small service providers do not have the resources for such a hands-on approach to DDoS mitigation 

How Much Scrubbing Does a Network Need and At What Capacity?

Higher capacity scrubbing comes in at the government, critical services, or large enterprise level. Here, attacks tend to be much bigger with more volume and scale.

Government is targeted by people who are much more motivated, and they want to be more disruptive. Because of this, service providers for high-level targets will find it necessary to utilize a scrubbing system with more robust features and capabilities to protect the entire network. 

As a citizen and government official, you do not want a cyberattack to disrupt daily operations of the legislature at any level, military operations, public school systems, or other government facilities.

This responsibility falls on the service provider to ensure every precautionary step has been explored and taken.

Comparing Cloud-Based Scrubbing vs. On-Prem Scrubbing

The difference between a cloud and on-premises (on-prem) solution is how far the traffic has to get redirected to scrub it. If it's on-prem, you're not adding nearly as much latency compared to being in the cloud.

The upside of cloud-based scrubbing is all your company must do to add DDoS mitigation to your network is modify some routes and detection capabilities. This presents a significant ease of entry into mitigation tactics. ddos-cloud-scrubbing

Plus, when you’re in the cloud, there's no hardware. That also means there's no administration and maintenance of the physical infrastructure, so it will bring the potential cost burden down.

But there is a downside. In short, location matters.

Let’s say you’re working with an operator in South Dakota. If you want cloud-based scrubbing, the closest place to send traffic is Chicago. If the traffic is originating in North Dakota and needs to get to South Dakota, the traffic is rerouted to Chicago first if there is an attack happening to the host, which causes some level of latency.

While this is occurring, it is not only the bad traffic being redirected to Chicago; it is all the traffic going to the host.

To add to that, with Border Gateway Protocol (BGP)—an Internet routing protocol—the smallest advertisement you can put out on the public network is a /24, a Class C. That is 254 potential hosts with all their traffic being redirected to Chicago because of an attack on a single host.

So, the perceived, negative impact of cloud-based scrubbing is the traffic of the subnet being redirected.

If you’re a service provider monitoring and protecting a very distributed network, a cloud-based solution might make the most sense versus an on-prem solution because you will not need physical boxes at the different places where your platform is pulling in traffic.  

However, an on-prem solution is localized and a lot less impactful on performance than sending it up to a cloud service. You can use your routing protocols and tweak them to be more specific to get down to the host.

Some service providers view an on-prem solution as a more secure option. Up in the cloud, it’s not just the host.

What Mitigation Strategy Is Right for Your Company?

Let’s start with the 3 questions you, as a service provider, should be asking.

1. Are you focused on overall network availability, or do you have specific customer services you need to protect? 

If you’re looking for overall network availability, you might consider a staged solution. By having a staged solution, your company will not encounter a $250,000 bill for DDoS mitigation right up front.

Instead, the implementation of a platform with access to analytic tools, and the ability to utilize a remote triggered black hole will be a good start.

From a service provider’s perspective, it can be much easier to get $30,000-$50,000 into a budget than a quarter-million.

Step 1: Ensure Network Traffic Visibility

First, ensure you can see your network. Typically, this visibility and transparency are best captured through an analytics platform (i.e. chassis) able to track data coming in real-time.

Once you can see the data coming in and understand the level of attacks, your decisionmakers can make an intelligent decision based on realized data and facts, thereby eliminating stress and fear-based decisions when researching DDoS solutions.

Step 2: Remote Triggered Black Hole (RTBH)

Second, protect the network by implementing RTBH. You've already got the box or some level of cloud-based scrubbing, and now, you're watching volumetric DDoS attacks roll in.

At this point, the only cost would be hiring out support services to implement the remote triggered black hole. Support is a common ask by service providers, depending on the level of comfortability initiating the black hole.

Step 3: The Addition of Scrubbing Services

Third is the addition of optional scrubbing services. If the provider decides to start offering services to end users where they need to scrub, it’s important to have assembled a plan.

One thing to consider is the analytics and data from the monitoring software in Step 1 will tell you whether scrubbing is necessary for your network and your services.

If the data indicates scrubbing might be a good strategy to combat frequent DDoS attacks, it is common to want a unified platform. With a unified platform, you don’t have to worry about interoperability and compatibility concerns.

By having a combined solution under one hood, it can be easier for a service provider or a common user to digest.

2. Does your company prefer capital expenditure (CAPEX) or operational expenditure (OPEX)?ddos-costs-benefits

Depending on the company, a chief financial officer (CFO) might prefer to keep mitigation as an operational expenditure (OPEX) for their accounting practices. The ability to leverage a depreciable asset may be important to their business strategy.

Cloud-based scrubbing solutions are all about OPEX. When purchasing mitigation software, you’re licensing the capability, not buying a physical asset.

In this sense, an on-prem solution is more of a capital expenditure (CAPEX).

It's a higher cost upfront with a reduced recurring cost because of the purchased hardware and the license for scrubbing. Plus, you have an additional renewal cost for software and a maintenance cost for the hardware, depending on the platform.

That said, the upside to on-prem scrubbing is better performance.

Either way, DDoS mitigation is not cheap with the most affordable solution being the remote triggered black hole.

3. Will added latency be a significant factor during the mitigation?

Most of the time, companies will say latency is not a significant factor to keep their network up and running and their customers happy. However, if a service provider is protecting video services or audio services, they may say yes.

Let's say this network is hosting a gaming platform with half a million end users using the service at one time, in real-time. It would be necessary to provide an on-prem solution, no questions asked because of how the network is being used.

What Is Holding Your Company Back from DDoS Mitigation Services?

You had the conversation, discussed options and costs associated with your network, and talked about specific solutions to implement DDoS mitigation. Still, you cannot get your company on board, and typically, the hesitancy revolves around cost. 

To lessen the cost burden, this is where the staged approach comes in, and this is why consulting with an expert from a respected solution provider can save you big money.

CCI Systems knows how to customize and mitigate to the appropriate scale. Our technicians serve in the interest of small service providers who remote trigger to their upstream provider, or large providers who know exactly what objects they want to manage.

Asking the right questions to guide your company toward a mitigation strategy equipped with tactics to better serve your network is CCI’s promise.

If you’re interested in a deeper dive, take a look at DDoS mitigation and how to protect against DDoS attacks.