Distributed Denial-of-Service (DDoS) attacks remain one of the top threats to service providers around the world. The growing number of unsecured Internet of Things (IoT) devices, which are often vulnerable to viruses and malware, facilitates the formation of botnets capable of launching massive attacks against large service providers [1]. Although volumetric attacks are the major cause of concern for service providers, attacks at the application layer are equally dangerous [2].
To prevent or reduce the damage caused by DDoS attacks, different detection and mitigation methods are available, organized mainly as in-site (protection hosted in-house) or off-site (mostly cloud-based) solutions. In-site approaches typically rely on physical hardware middleboxes that analyze flow records exported from edge routers and then filter or load-balance traffic. Alternatively, other approaches use virtualization to move the burden of detection and mitigation away from the in-site infrastructure, acting as a proxy that can load balance, reroute, or drop traffic during a DDoS attack. Examples of protection providers that deliver virtual off-site solutions are cloud providers (e.g., CloudFlare and Akamai) and marketplaces for Virtual Network Functions as-a-Service (VNFaaS) [3], [4].
However, the variety of attack types and their increasing scale make the design of a defense strategy a considerable challenge [5]. For example, a small e-commerce business may have an infrastructure able to withstand attacks up to a certain scale, but beyond that scale additional off-site protection might be required. In this scenario, it is essential to observe not only how often attacks surpass the in-site infrastructure capacity, but also which off-site services can provide the necessary protection, considering their different service flavors, such as the traffic volume supported, the ability to address the particularities of a given attack, and pricing conditions.
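The selection problem sketched above can be made concrete: from a record of observed attacks, measure how often the in-site capacity is exceeded, derive the capacity and attack types an off-site service must cover, and pick the cheapest offer in a catalog that satisfies both. The following Python snippet is an added illustration and is not part of the original paper or of any real protection service; the attack record, the in-site capacity of 10 Gbps, the service names, their limits and their prices are all constructed for the example, and the sizing rule (peak excess volume plus a fixed headroom) is a simplifying assumption, not a method the paper proposes.

```python
"""Illustrative sizing of in-site capacity and choice of an off-site DDoS service.

All data below is constructed for the example; service names, limits and prices are
hypothetical and do not describe any real provider.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class OffsiteService:
    """One off-site protection offer, described by the 'service flavors' in the text."""
    name: str                    # hypothetical offer name
    max_gbps: float              # traffic volume the service can absorb
    attack_types: FrozenSet[str] # attack particularities it can address
    price_per_month: float       # price condition (currency units, hypothetical)


# Constructed attack record: (peak volume in Gbps, attack type) per observed attack.
OBSERVED_ATTACKS: List[Tuple[float, str]] = [
    (2.0, "volumetric"), (5.5, "volumetric"), (12.0, "volumetric"), (0.8, "application"),
    (25.0, "volumetric"), (11.0, "application"), (40.0, "volumetric"), (3.0, "application"),
]
IN_SITE_CAPACITY_GBPS = 10.0  # assumed capacity of the in-house infrastructure

# Constructed service catalog (hypothetical offers).
SERVICES: List[OffsiteService] = [
    OffsiteService("BasicScrub", 20.0, frozenset({"volumetric"}), 500.0),
    OffsiteService("VolumeShield", 100.0, frozenset({"volumetric"}), 1500.0),
    OffsiteService("FullStack", 60.0, frozenset({"volumetric", "application"}), 2200.0),
    OffsiteService("EnterpriseAll", 500.0, frozenset({"volumetric", "application"}), 6000.0),
]


def overflow_rate(attacks: List[Tuple[float, str]], capacity_gbps: float) -> float:
    """Fraction of observed attacks whose peak volume exceeds the in-site capacity."""
    if not attacks:
        return 0.0
    return sum(1 for gbps, _ in attacks if gbps > capacity_gbps) / len(attacks)


def required_protection(attacks: List[Tuple[float, str]], capacity_gbps: float,
                        headroom_pct: int = 20) -> Tuple[float, FrozenSet[str]]:
    """Capacity (Gbps) and attack types an off-site service must cover.

    Sizing rule (assumption): the largest attack that overflowed in-site capacity,
    plus a percentage headroom. Integer percent keeps the arithmetic exact.
    """
    excess = [(gbps, kind) for gbps, kind in attacks if gbps > capacity_gbps]
    if not excess:
        return 0.0, frozenset()
    peak = max(gbps for gbps, _ in excess)
    return peak * (100 + headroom_pct) / 100, frozenset(kind for _, kind in excess)


def select_service(services: List[OffsiteService], required_gbps: float,
                   required_types: FrozenSet[str]) -> Optional[OffsiteService]:
    """Cheapest offer that absorbs the required volume and handles every required type."""
    candidates = [s for s in services
                  if s.max_gbps >= required_gbps and required_types <= s.attack_types]
    if not candidates:
        return None  # no offer in the catalog fits; the operator must look elsewhere
    return min(candidates, key=lambda s: (s.price_per_month, s.name))


def plan_protection(attacks: List[Tuple[float, str]], capacity_gbps: float,
                    services: List[OffsiteService], headroom_pct: int = 20) -> Dict[str, object]:
    """Combine the three questions from the text into one decision record."""
    rate = overflow_rate(attacks, capacity_gbps)
    required_gbps, required_types = required_protection(attacks, capacity_gbps, headroom_pct)
    service = select_service(services, required_gbps, required_types) if required_gbps > 0 else None
    return {"overflow_rate": rate, "required_gbps": required_gbps,
            "required_types": required_types, "service": service}


if __name__ == "__main__":
    plan = plan_protection(OBSERVED_ATTACKS, IN_SITE_CAPACITY_GBPS, SERVICES)
    print(f"attacks exceeding in-site capacity: {plan['overflow_rate']:.0%}")
    print(f"required off-site capacity: {plan['required_gbps']} Gbps, "
          f"types: {sorted(plan['required_types'])}")
    chosen = plan["service"]
    print("chosen service:", chosen.name if chosen else "none fits")
```

With the constructed record, half of the attacks overflow the 10 Gbps in-site capacity, the largest overflow is 40 Gbps, and because one of the overflowing attacks is an application-layer attack the cheaper volumetric-only offers are excluded even though they have enough capacity; dropping the application-layer requirement changes the answer, which is the point the text makes about service flavors.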