+420-602-558-144 I'm under attack Log in Sign Up

What Are Symmetric and Asymmetric DDoS Protection Schemes?

What Is Symmetric DDoS Protection

Symmetric DDoS protection, or symmetric scrubbing, is a scheme that routes both inbound and outbound traffic of the protected resource through a filtering network to effectively detect and neutralize Distributed Denial-of-Service (DDoS) attacks. By analyzing traffic in both directions, the scrubbing system gathers valuable information on network activity, allowing it to make more precise decisions when identifying and blocking malicious traffic.

In other words, the symmetric approach greatly enhances the accuracy of threat detection. Moreover, in certain cases, symmetric DDoS protection is the only option, as some types of threats can only be detected by analyzing both inbound and outbound traffic (more on that later).

What Is Asymmetric DDoS Protection

Asymmetric DDoS protection, or the asymmetric scrubbing scheme, filters only inbound traffic, routing incoming data through a scrubbing network to detect and block DDoS attacks. This approach operates on the assumption that, since DDoS attacks originate externally, it is sufficient to focus only on incoming traffic. The primary goal of using asymmetric filtering is often cost-saving, as the owner of the protected resource only needs to pay for filtering inbound traffic.

However, because asymmetric protection doesn’t monitor outbound traffic, its visibility is limited. Detecting certain types of DDoS attacks requires analyzing both inbound and outbound traffic, so asymmetric scrubbing schemes may allow some threats to fly under the radar. While asymmetric DDoS protection can be a practical choice in specific cases, this narrower focus significantly reduces its overall effectiveness.

Limitations of Asymmetric DDoS Protection

Now let’s discuss in more detail the limitations of asymmetric DDoS protection and why it may fall short in addressing certain types of threats. First of all, the asymmetric approach simply doesnt work for application layer (L7) DDoS protection, making it unsuitable for defending web resources.

The reason is that any cloud protection against L7 attacks operates through a proxy server. This means that a client’s request reaches the proxy, is processed, and then forwarded to the protected resource. Consequently, the response to the client must also come from the proxy server, making it impossible to route outgoing traffic in a way that bypasses the protection.

Another serious limitation is that asymmetric protection doesn’t always work for network layer (L3) DDoS attacks either. In particular, asymmetric filtering struggles with SYN-ACK reflection attacks, which exploit the TCP connection handshake. During such attack, perpetrators send SYN messages to numerous random servers, spoofing the victim’s address. These servers then respond with a flood of SYN-ACK messages directed at the victim, overwhelming its resources.

When the targeted resource is under symmetric protection, it’s possible to distinguish legitimate SYN-ACK responses from malicious ones. Because both inbound and outbound traffic are visible to the defense system, genuine SYN-ACKs can be identified as replies to SYN messages previously sent by the protected resource (a method known as SYN cookies facilitates this). With asymmetric protection, however, it’s impossible to make this distinction, as outbound traffic bypasses the scrubbing network.

Due to such limitations, asymmetric filtering should be considered only a partial DDoS protection measure rather than a comprehensive one.

When Asymmetric Protection Is Sufficient

Despite its limitations, asymmetric protection can be a reasonable choice in certain circumstances. One such case is when the traffic on the protected resource is highly asymmetric — that is, when the volume of outgoing traffic far exceeds the volume of incoming traffic.

A typical example would be video streaming services, where each small client request triggers a response of megabytes or even gigabytes of data. Routing this entire volume of traffic through a scrubbing network would result in extremely high costs.

Therefore, in such cases, the principle of “some protection is better than none” is applied, making asymmetric filtering the preferred choice. The relatively small volume of incoming traffic passes through protection, while the large volume of outgoing traffic is delivered directly to clients.

Another advantage of the asymmetric approach that can sometimes justify limited protection is that it allows for outbound traffic engineering. This enables the protected resource to use multiple internet providers and, in each case, select the provider that will deliver content to users as quickly and efficiently as possible. However, we suggest that in this case the pros and cons of the asymmetric approach be carefully considered.

Why Symmetric Filtering Is Essential for Comprehensive DDoS Protection

Let’s sum it up. Asymmetric filtering, in which only inbound traffic passes through the scrubbing network, has significant visibility gaps. While cost-effective, it lacks the comprehensive threat coverage needed for robust protection. Moreover, the asymmetric approach simply doesn’t work for L7 DDoS protection. This makes it a partial measure suited to specific cases, such as video streaming, where outgoing traffic is significantly higher than incoming traffic.

Symmetric DDoS protection monitors both inbound and outbound traffic, providing full visibility into network activity. This comprehensive approach enables it to detect and mitigate a wider range of threats, including application layer (L7) DDoS attacks. By analyzing traffic in both directions, symmetric filtering can distinguish legitimate traffic from malicious activity with greater accuracy, ensuring robust and adaptable DDoS protection.

Qrator Labs uses cookies to improve your experience, deliver personalized content and analyze our traffic. By clicking “Accept All” you agree to the storing of cookies on your device to enhance website navigation and analyze usage, assisting in our marketing efforts and improving user experience. You may modify your cookies settings at any time, as explained in our Cookie notice.
Cookies Preference Center
Strictly Necessary Cookies

Always Active

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Detailed information about this category of cookies can be found in the Cookie Policy.
Performance/Analytics Cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance. Detailed information about this category of cookies can be found in the Cookie Policy.
Targeting/Marketing Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. You may opt out of Targeting/Marketing cookies through the "Cookie settings" button. Detailed information about this category of cookies can be found in the Cookie Policy.
Functionality Cookies
These cookies enable the Website to provide enhanced functionality and personalization. Company sets some functionality cookies, while third party providers whose services Qrator Labs added to the website set the rest of these cookies. If you do not allow functionality cookies, then services relying on functionality cookies may not function properly.