Every organization operating online services that face the public internet will, at some point in time, need to deal with a distributed denial-of-service attack. This is usually a targeted attack where, as part of a ransom demand or an activism campaign, a significant amount of traffic is directed to online services to take them offline.
Attacks could take many shapes and forms -- for example, a SYN flood, a Network Time Protocol attack or a domain name system amplification attack -- depending on the capability of the attacker and the online services of the target.
DDoS attacks have been around since the early days of the internet. The first recorded denial-of-service attack can be traced back to 1974. From there, the simple attack methods have evolved into the realm of sophisticated, massive botnets with enormous capacity to generate traffic, further multiplied by amplification techniques and tools. Cloud DDoS attacks are also a growing problem for enterprises.
Defensive security controls aimed at mitigating the effects of DDoS attacks have been continuously developed, and they are quite effective these days.
Let's take the example of a simple SYN flood attack. Using this method, an attacker with enough capacity can attempt to overwhelm his target with a high volume of SYN requests to consume all the target system's resources. Once the targeted resources are exhausted, legitimate traffic will be severely delayed or halted, resulting in the targeted service going offline.
An advanced firewall or a specialized DDoS protection device can recognize a high volume of SYN requests in its traffic compared to a previously established baseline of normal traffic. It can then start to drop or block bad traffic from the sources of the excessive SYN requests until normal activity resumes.
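The baseline comparison described above, as an added example that is not part of the original article and not any vendor's code: a small detector that parses constructed flow records ("source_ip tcp_flags" per line), compares the SYN volume of the current window with a previously captured normal window, and names the sources whose SYN counts are anomalous. The ratio and minimum thresholds are assumed values.

```python
from collections import Counter
from typing import List, Tuple

# Constructed sample windows (not real captures). Flags: S = SYN only, A = ACK.
BASELINE_WINDOW = """\
198.51.100.10 S
198.51.100.10 A
203.0.113.5 S
203.0.113.5 A
203.0.113.7 S
203.0.113.7 A
"""

# Same legitimate client plus three sources that send SYNs but never complete a handshake.
ATTACK_WINDOW = "198.51.100.10 S\n198.51.100.10 A\n" + "".join(
    f"192.0.2.{i} S\n" for i in (1, 2, 3) for _ in range(15)
)


def parse_flows(text: str) -> List[Tuple[str, str]]:
    """Parse 'src_ip flags' lines into (src_ip, flags) tuples, ignoring malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            records.append((parts[0], parts[1]))
    return records


def syn_counts(records: List[Tuple[str, str]]) -> Counter:
    """Per-source count of bare SYNs (connection attempts) in one window."""
    return Counter(src for src, flags in records if flags == "S")


def detect_syn_flood(baseline, window, ratio: float = 5.0, min_syns: int = 20):
    """Return (flood_detected, offending_sources).

    A flood is declared when the window carries at least `min_syns` SYNs and
    `ratio` times the baseline volume. Offenders are sources whose own SYN count
    exceeds `ratio` times the baseline per-source mean, so a busy legitimate
    client is not blocked along with the flood. Spoofed sources weaken
    per-source blocking, which is why rate limits are applied on top in practice.
    """
    base = syn_counts(baseline)
    cur = syn_counts(window)
    base_total, cur_total = sum(base.values()), sum(cur.values())
    if cur_total < min_syns or cur_total < ratio * base_total:
        return False, []
    base_mean = base_total / max(len(base), 1)
    offenders = sorted(src for src, n in cur.items() if n > ratio * base_mean)
    return True, offenders
```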
Detection and mitigation methods for cloud DDoS attacks can be complex. Some of these specialized products, such as Radware's DefensePro, even apply machine learning techniques to normal traffic and, in the case of an attack, to bad traffic. This enables the tool to detect any traffic anomalies as soon as possible, and then deploy a matching customized protection profile to the incoming traffic, reducing the likelihood of dropping legitimate traffic.
However, there is a downside to these protection systems. The traffic generated by a DDoS attack can be significant -- more than 100 Gbps is not uncommon. This means any DDoS protection device needs to have a large capacity to absorb a relatively rare event. The costs of purchasing and operating a dedicated system 24/7 for a single network are usually hard to justify.
This is where protections against cloud DDoS attacks come in. In case of an attack, all traffic is redirected by the targeted customer via Border Gateway Protocol advertisements to a cloud security provider. There, the traffic is cleaned up using the technologies mentioned above and the clean traffic is returned to the customer.
As is the case with many cloud services, the significant cost of building and maintaining protection systems to fend off cloud DDoS attacks is split between many cloud customers. Considering only a small portion of these customers are ever under a DDoS attack at the same time, this is a very cost-effective option. However, it is still not cheap. These vendors maintain large networks with many so-called scrubbing centers around the world to efficiently serve every geographic area, which is costly.
Another potential issue is that when there is no local scrubbing center, all traffic -- including a significant portion of DDoS traffic -- will need to be sent to another area, causing delays and congestion even in the case of a small attack. Sending traffic containing data subject to compliance requirements offshore could also create issues, especially for government-related organizations.
Hybrid protection: Cloud overflow
This is why many vendors that offer protection against cloud DDoS attacks also offer a hybrid model. This model isn't as popular as the on-premises and full-cloud models.
However, this hybrid approach, often called a cloud overflow option, brings together some of the best of both worlds. In this model, a lower-capacity and fully automated on-premises system can take care of smaller cloud DDoS attacks. When the attack becomes too large or too long-lasting to handle locally, an overflow can be configured to send some or all of the bad traffic to a vendor cloud protection service.
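The overflow decision described above, as an added example that is not part of the original article and not any vendor's implementation: a small controller that mitigates locally until the attack is either larger than the on-premises capacity or has lasted too long, then diverts to the cloud service (in practice by advertising the prefix to the scrubbing provider, as the article describes), and holds that diversion until traffic has been calm for a full release window so the route is not flapped. Capacity, duration and release values are assumed.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class OverflowPolicy:
    local_capacity_gbps: float = 10.0  # what the on-prem device can scrub on its own
    max_local_seconds: int = 300       # fight locally at most this long before overflowing
    release_after_seconds: int = 120   # calm time required before withdrawing the cloud route
    attack_floor_gbps: float = 0.5     # below this, the measured bad traffic counts as "calm"


@dataclass
class OverflowController:
    policy: OverflowPolicy
    diverted: bool = False
    attack_seconds: int = 0
    calm_seconds: int = 0
    history: List[str] = field(default_factory=list)

    def step(self, bad_traffic_gbps: float, interval_s: int = 10) -> str:
        """Feed one measurement interval of scrubbed (bad) traffic; return the action taken."""
        under_attack = bad_traffic_gbps > self.policy.attack_floor_gbps
        too_big = bad_traffic_gbps > self.policy.local_capacity_gbps
        if under_attack:
            self.attack_seconds += interval_s
            self.calm_seconds = 0
        else:
            self.attack_seconds = 0
            self.calm_seconds += interval_s

        if not self.diverted:
            too_long = under_attack and self.attack_seconds >= self.policy.max_local_seconds
            if too_big or too_long:
                self.diverted = True          # route the prefix to the scrubbing provider
                action = "advertise_to_cloud"
            else:
                action = "mitigate_locally" if under_attack else "idle"
        elif self.calm_seconds >= self.policy.release_after_seconds:
            self.diverted = False             # hysteresis: only withdraw after a quiet window
            action = "withdraw_cloud_route"
        else:
            action = "cloud_scrubbing"
        self.history.append(action)
        return action


def simulate(readings_gbps: List[float], policy: OverflowPolicy = OverflowPolicy()) -> List[str]:
    """Run a sequence of 10-second readings through a fresh controller; return the actions."""
    ctl = OverflowController(policy)
    return [ctl.step(r) for r in readings_gbps]
```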
This model has huge benefits, especially from a cost perspective. The initial hardware purchasing costs are limited considering the on-premises devices will only need to be able to handle smaller DDoS attacks. The costs for cloud protection are also limited because most DDoS attacks can be mitigated locally and will not require any overflow at all. From a security perspective, the approach covers the entire range of possible attacks. Some of the leading DDoS vendors, such as Arbor Networks, Radware, and Imperva, offer these hybrid options.
When looking for a DDoS security setup that is both cost-effective and holistic, you should certainly consider the hybrid DDoS models. Cloud overflow provides the best option for companies that have an on-premises network that relies on internet-facing services, but that is not large enough to warrant its own full-scale DDoS protection deployment.
DDoS attacks are inevitable, but because of the wide range of available security controls, their impact can usually be limited.