I understand how Cloudflare etc. mitigate DDoS - since the traffic comes to them first it gets scrubbed before hitting you and your transit link. I also understand RTBH BGP, no worries there.
What I do not understand is how onsite appliances do anything. Sure they can stop the traffic before your routers and load balancers and servers melt - but the traffic has already gone down your link so you've used that bandwidth already. Or am I missing something here? Or is the bandwidth usage only a secondary concern, the primary concern is connection counts grinding your LBs/servers to a halt?
The onsite DDOS mitigation is no longer concerned with bandwidth mitigation. It's there to keep the servers from melting. If some guy has launched a "nuke me, please" attack, then he doesn't need to know anything about the network other than his own IP address. He contacts the botnet via HTTPS, it then responds to that request in massive force. Because it looks like an established session, lots of gear will let it all on through. If the offsite bulk DDOS mitigator misses it, then the onsite is set to be more aggressive in traffic analysis to kill and drop that traffic before it pushes your equipment beyond its physical capabilities.
DDoS pure flooding to fill the pipe is one thing. A serious SYN attack does not fill the uplink. I've seen over a million SYN packets incoming to one server in a minute, it may have taken 20 Mbps but I doubt it was more. A SYN packet is 62-66 bytes according to my Wireshark.
Also, one TCP connection to a webserver that constantly asks for HTTP GET will barely increase bandwidth usage, yet penetrates the firewall (just one state) and can take down a server perfectly.
Just a few examples.
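An added illustration (not posted by anyone in this thread) of the distinction made above: a single pass over a packet sample reports link utilisation alongside SYN rate and per-source packet rate, so a pipe-filling flood and a state-exhausting SYN flood or GET loop show up in different columns. The `Pkt` record, thresholds and both traffic samples are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

@dataclass
class Pkt:
    src: str     # source IP (constructed, RFC 5737 documentation ranges)
    flags: str   # TCP flags as Wireshark shows them: "S", "SA", "A", "PA"
    length: int  # bytes on the wire

def summarize(pkts: Iterable[Pkt], window_s: float, link_mbps: float,
              syn_pps_limit: float = 5_000.0, util_limit_pct: float = 80.0) -> dict:
    """Link utilisation vs. TCP-state pressure for one capture window.
    A volumetric flood moves link_util_pct; a SYN flood or GET loop barely
    does, but shows in syn_pps / top_src_pps (thresholds are assumptions)."""
    total_bytes, syns, syn_srcs, per_src = 0, 0, set(), Counter()
    for p in pkts:
        total_bytes += p.length
        per_src[p.src] += 1
        if p.flags == "S":          # bare SYN: a new half-open state to track
            syns += 1
            syn_srcs.add(p.src)
    mbps = total_bytes * 8 / window_s / 1e6
    util = 100 * mbps / link_mbps
    syn_pps = syns / window_s
    top_n = per_src.most_common(1)[0][1] if per_src else 0
    return {
        "mbps": round(mbps, 2),
        "link_util_pct": round(util, 2),
        "syn_pps": round(syn_pps, 1),
        "syn_sources": len(syn_srcs),
        "top_src_pps": round(top_n / window_s, 1),
        "pipe_saturated": util > util_limit_pct,   # transit link is the problem
        "state_pressure": syn_pps > syn_pps_limit,  # firewall/LB/server state is
    }

# Constructed sample 1: a million 66-byte SYNs in one minute from 200 spoofed sources.
def syn_flood(n: int = 1_000_000, length: int = 66):
    for i in range(n):
        yield Pkt(src=f"198.51.100.{i % 200}", flags="S", length=length)

# Constructed sample 2: one client on one established connection looping HTTP GETs.
def get_loop(n: int = 3_000, length: int = 400):
    yield Pkt(src="203.0.113.7", flags="S", length=66)
    for _ in range(n):
        yield Pkt(src="203.0.113.7", flags="PA", length=length)

if __name__ == "__main__":
    print(summarize(syn_flood(), window_s=60, link_mbps=1000))  # ~8.8 Mbps, 16666.7 SYN/s
    print(summarize(get_loop(), window_s=60, link_mbps=1000))   # ~0.16 Mbps, 1 SYN
```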
Cool cheers for that
A very good overview of all the mitigation techniques is one I found in a Huawei Anti-DDoS presentation. It goes into some common attacks and how the appliances handle them.
http://www.data.proidea.org.pl/plnog/9edycja/materialy/prezentacje/wachelkapawel.pdf