How does hybrid distributed denial-of-service protection differ from traditional DDoS protection in terms of security?
My organization is wary of adopting a complete cloud or traditional DDoS prevention strategy and thinks a combination of the two may be better.
The history of information security is a repeating pattern of emerging malicious threats leading to the creation of countermeasures, which in turn triggers a response by attackers to create new techniques that avoid or circumvent the latest countermeasure. The history of denial of service follows this pattern with the latest cycle, leaving many organizations vulnerable to sophisticated distributed denial-of-service (DDoS) attacks.
The latest incarnation of DDoS attacks is easy to deploy and uses a simple strategy: generate such a large volume of malicious traffic that target devices are overwhelmed. Some attacks take advantage of vulnerabilities in commonly used Internet services, such as the Network Time Protocol (NTP). Attackers can send malicious messages to an NTP server and force it to send large volumes of data (e.g., hundreds of records describing servers that have contacted the NTP server) to a target device.
In addition to these volumetric attacks, some attackers are turning to application-level attacks that overwhelm an application without necessarily saturating network capacity.
The takeaway from long- and short-term history is that the precise mechanisms of DDoS attacks are constantly changing and therefore difficult to keep up with. This situation lends itself to specialized cloud services from vendors that specialize in DDoS mitigation, whether traditional, cloud or hybrid: such vendors monitor the state of attack methods as they evolve and can detect volumetric attacks.
Application attacks, however, are more specific. In terms of the OSI network model, monitoring lower levels of the OSI stack is useful for detecting and mitigating volumetric attacks, but it is less effective at countering application-level attacks. On-premises technologies with application-specific evaluation criteria are a better option for application-level attacks.
Security and business decision makers are in a difficult position. Volumetric attacks can quickly overwhelm network resources, so automated, cloud-based responses may be the best option. Applications can also be overwhelmed, but application owners may be rightly concerned about automatically shifting and filtering traffic to line-of-business, mission-critical applications.
A combination of the two approaches -- a hybrid DDoS strategy -- allows organizations to take advantage of the strengths of each approach while countering the weaknesses of each. Even with hybrid DDoS countermeasures, challenges remain in countering traditional and cloud DDoS attacks; in particular, there is a risk of incorrectly identifying legitimate traffic as malicious and disrupting business operations.
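As an added illustration that is not part of the original answer, the Python sketch below runs a network-layer byte-rate detector and an application-layer per-endpoint request-rate detector over constructed flow records; the thresholds, addresses and URL paths are assumptions. It shows why the NTP amplification burst is caught only by the lower-layer view and the low-bandwidth application flood only by the application-aware view, which is the gap a hybrid strategy is meant to close.

```python
from collections import defaultdict

# Constructed sample flow records: (second, src_ip, src_port, bytes, http_path).
# http_path is None for non-HTTP traffic. All values are made up for this example.
SAMPLE_FLOWS = [
    # Baseline web traffic from a few users, modest sizes.
    (0, "10.0.0.1", 50000, 1500, "/"),
    (0, "10.0.0.2", 50001, 1200, "/login"),
    (1, "10.0.0.3", 50002, 1800, "/"),
    # Volumetric: NTP responses (source port 123) from 40 reflectors, 48 KB each.
    *[(2, f"198.51.100.{i}", 123, 48000, None) for i in range(1, 41)],
    # Application-level: tiny requests, but 60 per second to an expensive endpoint.
    *[(5, "203.0.113.7", 50003, 300, "/search?q=x") for _ in range(60)],
]

VOLUMETRIC_BPS = 500_000     # assumed bytes/second threshold for the network-layer detector
APP_RPS_PER_ENDPOINT = 20    # assumed requests/second from one source to one endpoint


def volumetric_alerts(flows, threshold=VOLUMETRIC_BPS):
    """Lower-layer view: total bytes per second, regardless of content."""
    bytes_per_sec = defaultdict(int)
    for sec, _src, _port, nbytes, _path in flows:
        bytes_per_sec[sec] += nbytes
    return {sec: b for sec, b in bytes_per_sec.items() if b > threshold}


def application_alerts(flows, threshold=APP_RPS_PER_ENDPOINT):
    """Application view: per-(second, source, endpoint) request count, ignoring byte volume."""
    reqs = defaultdict(int)
    for sec, src, _port, _nbytes, path in flows:
        if path is not None:
            endpoint = path.split("?", 1)[0]   # strip query string to group by endpoint
            reqs[(sec, src, endpoint)] += 1
    return {key: n for key, n in reqs.items() if n > threshold}


def hybrid_alerts(flows):
    """Run both detectors; each catches the attack class the other misses."""
    return {"volumetric": volumetric_alerts(flows),
            "application": application_alerts(flows)}


if __name__ == "__main__":
    print(hybrid_alerts(SAMPLE_FLOWS))
```

The application flood at second 5 totals only 18,000 bytes, far below the byte-rate threshold, so a purely volumetric detector never sees it, while the byte-counting view is the only one that notices the NTP burst, which carries no HTTP path to inspect.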
History has demonstrated that the types of attacks we can expect will change over time -- as will the countermeasures we have to deploy.
Ask the Expert:
Want to ask Dan Sullivan a question about cloud security? Submit your question now via email. (All questions are anonymous.)