theNet by CLOUDFLARE

A new model for securing public-facing network infrastructure

Implementing defense in depth with cloud-based security

Attackers are increasingly targeting public-facing network infrastructure. In early 2024, DNS-based distributed denial-of-service (DDoS) attacks, which have been a longstanding threat to this infrastructure, had increased by 80% year over year. Ransom DDoS attacks had increased quarter over quarter for a year as well. Overall, there had been a 20% year-over-year increase in DDoS attacks as of the middle of 2024.

These attacks are putting a range of key applications and services at risk, from customer-facing mobile apps and partner portals to VPN services and email. Beyond disrupting operations, the various types of DDoS attacks can result in significant data breaches.

Traditional hardware firewalls and other on-premises applications are struggling to keep up. Those systems have critical limitations that can leave organizations vulnerable while also complicating security management.

To protect public-facing network infrastructure, organizations must move beyond these legacy systems. Companies that have adopted modern, cloud-based security strategies have been more successful in stopping attacks and keeping this vital infrastructure up and running.


The limitations of hardware-based security appliances

Organizations today have to safeguard their public-facing network infrastructure against a variety of threats. Attackers might conduct reconnaissance and port scanning in an attempt to find vulnerabilities that can be exploited in the future before a patch is developed or installed.

Many organizations also experience multiple types of DDoS attacks. Volumetric DDoS attacks, for example, deliver an overwhelming amount of traffic to process. Protocol DDoS attacks use techniques such as SYN floods to overwhelm the number of sessions. And app-layer DDoS attacks use communication with app-layer protocols to cause a denial of service.

Hardware-based solutions such as traditional firewalls cannot adequately defend against these threats. First, they have limited visibility: They cannot see all enterprise traffic.

Second, they have finite, inelastic capacity, which means that they can’t easily scale for volumetric threats. For example, in February 2023, Cloudflare detected dozens of hyper-volumetric DDoS attacks. The largest peaked at more than 71 million requests per second, which was, at the time, the largest attack on record. The attacks targeted a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms. Most volumetric attacks are not this large, but traditional hardware-based solutions are unable to handle volumetric attacks that are even a fraction of this size.

To make up for firewall limitations, organizations often add “firewall helpers.” They might implement on-premises appliances to protect applications, such as a web application firewall (WAF); add scrubbing centers to filter traffic before it reaches the organization; or employ ISP filtering to absorb an attack’s traffic.

But these helpers introduce their own problems. They can degrade user experiences and add management complexity. If helpers are implemented as physical appliances, they might also suffer from the same key problem as hardware firewalls: They are unable to scale adequately to stop large attacks.


Implementing defense in depth with cloud-based security

Public-facing network infrastructure is better protected with a layered, or defense-in-depth, security strategy. One of those layers should filter incoming traffic before it reaches the enterprise network infrastructure. That filter should not be based on a static hardware appliance. It has to be able to scale dynamically so it can absorb even the largest global attacks.

Cloud-based security can provide more elastic, scalable resources to protect against these threats. Specifically, a connectivity cloud — which offers cloud-native security and networking services in a unified platform — can provide the right combination of capabilities for a modern, layered strategy.

A connectivity cloud’s global network serves as a first line of defense for public-facing network infrastructure. The network can diffuse and absorb threat traffic while giving organizations better visibility into what they are facing. Cloudflare, for example, features 321 Tbps of network capacity, which is much larger than the largest DDoS attacks ever recorded.

Cloudflare has also mitigated DDoS attacks that featured extremely high packet rates and HTTP request rates. For example, in September 2024, Cloudflare mitigated over one hundred hyper-volumetric DDoS attacks, with many exceeding 2 billion packets per second and 3 terabits per second (Tbps). The largest attack peaked at 3.8 Tbps.

A connectivity cloud can also offer additional security services, available at the edge, to build up that defense in depth. Firewalls and DDoS filtering protect against known and emerging threats, including volumetric attacks. App security services safeguard apps and APIs from DDoS attacks, exploits, supply chain attacks, bots, and fraud.

The composability of connectivity cloud services provides much-needed agility and flexibility. Organizations can add or adjust security services as necessary to defend against new threats and expand a Zero Trust strategy.


Moving forward with network and security transformations

Public-facing network infrastructure is vital for modern enterprises — but it is vulnerable to threats that appliance-based hardware solutions cannot adequately address. Adopting a connectivity cloud as the foundation for a layered, cloud-based strategy can help your organization overcome the limitations of traditional solutions. You can filter and block a full range of threats, efficiently protecting network infrastructure and supporting public-facing network requirements.

The shift from traditional appliances to cloud-based security for your public-facing network can also help you move forward with larger network and security transformations. By transitioning more networking and security to the cloud, you gain greater flexibility for connecting people, apps, and networks. And you can more easily incorporate new security capabilities to protect against evolving threats. Ultimately, these transformations can help enhance business agility and foster innovation, all while controlling IT complexity.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Dive deeper into this topic.

Learn more about how a connectivity cloud can protect public-facing network infrastructure in the Understanding the role of cloud-delivered network protection whitepaper.



Key takeaways

After reading this article you will be able to understand:

  • What are the key threats to public-facing network infrastructure

  • What are the limitations of hardware-based firewalls

  • Why cloud-based security can better protect public-facing networks



Receive a monthly recap of the most popular Internet insights!