As the frequency and size of distributed denial-of-service attacks continue to grow, cloud service providers could become bigger targets for attackers in the ongoing war for bandwidth. The business model of a cloud service provider, or CSP, depends on supplying high-bandwidth internet connectivity to and from its customers' virtual instances. Access to this treasure trove, directly through the CSP or indirectly through one or more of its customers, could take malicious distributed denial-of-service, or DDoS, operations to the next level. Is this a real threat, and how can an enterprise that uses cloud services protect itself against it?
In 2014, a group of cybercriminals exploited CVE-2014-3120, a remote code execution vulnerability in Elasticsearch 1.1.x, to install the Linux DDoS Trojan Mayday, and with that they compromised several Amazon Elastic Compute Cloud (EC2) virtual machines. Although the vulnerability was not specific to cloud-based systems and could have been used against any exposed Elasticsearch server, it did open up some interesting opportunities for the attackers. They were able to launch a User Datagram Protocol-based DDoS attack from the compromised cloud instances, consuming the outbound bandwidth of the cloud service provider -- Amazon, in this case -- which is far from a desirable situation for any CSP. If a CSP's public IP address range becomes linked to a cloud DDoS attack, the provider could find it registered on public blacklists or on individual organizations' firewall blacklists, and its customers would then experience connectivity issues and possibly service downtime. Even though the likelihood of such a major provider-wide incident is low, the impact on the CSP and its customers could be quite dramatic.
The risks of a cloud DDoS attack
Cloud service providers have platform-wide DDoS protection systems in place for incoming traffic. They also monitor outgoing traffic for DDoS patterns and can shut down hosts on their platform that are participating in an attack. For now, this leaves the CSP itself relatively safe from a cloud DDoS attack. However, the shutdown of a VM is not a desirable outcome for the VM's owner, since it causes an outage of the hosted system. That means it remains in the best interest of customers to secure and monitor their own cloud-based hosts, whether that is handled internally or by a third-party security provider. Outside the cloud space there are additional risks as well, such as a public IP that took part in a DDoS attack being added to one or more blacklists. This can result in the loss of email service or even web service, because external antimalware and reputation-based filtering products begin blocking traffic from that address.
Detecting and preventing a cloud DDoS attack
Several security best practices specifically reduce the risk and impact of participating, often without knowing it, in a cloud DDoS attack.
Any cloud customer should have a well-configured, hardened egress firewall at its perimeter, whether that is a firewall appliance or the outbound rules of the provider's security groups, which reduces the chance that the CSP ever has to shut an instance down. An egress filter would, for instance, restrict outgoing NTP to the organization's approved time servers, or block further requests to an external web server once a threshold of new connections per second has been reached. Such thresholds should be tuned against normal peak traffic so that a legitimate burst is logged rather than dropped. The firewall should be monitored as well: it is one thing to block the traffic with a firewall, but another to find the system inside the network that is generating it.
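As an added illustration, not code from the original article, the following Python script shows the monitoring half of this advice. It parses constructed egress flow records and flags the three patterns described above: NTP sent to a time server outside an allow-list, a host opening more new connections per second to one destination than a threshold permits, and a host pushing an abnormal volume of outbound UDP packets in one second. The record layout, the thresholds and the allow-listed time server address are assumptions chosen for the example, not any provider's actual log format.

```python
"""Triage of egress flow records for signs that a cloud host is taking part
in a DDoS attack.  Added illustration; the record layout, thresholds and
allow-list below are assumptions, not a specific provider's format."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds of the record
    src: str       # internal source address
    dst: str       # external destination address
    proto: int     # IP protocol number: 6 = TCP, 17 = UDP
    dport: int     # destination port
    packets: int   # packets in this record
    nbytes: int    # bytes in this record


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated records: ts src dst proto dport packets bytes."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, pkts, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(proto), int(dport),
                          int(pkts), int(nbytes)))
    return flows


def triage(flows, allowed_ntp=frozenset({"169.254.169.123"}),
           conn_per_sec=50, udp_pps=1000):
    """Return sorted (kind, src, detail, count) tuples for three abuse patterns.

    allowed_ntp: the only destinations a host may send UDP/123 to (assumed).
    conn_per_sec: max flow records from one host to one destination per second.
    udp_pps: max outbound UDP packets from one host per second.
    """
    ntp_to_unknown = Counter()   # (src, dst) -> UDP/123 records outside allow-list
    new_flows = Counter()        # (src, dst, ts) -> flow records in that second
    udp_packets = Counter()      # (src, ts) -> outbound UDP packets in that second
    for f in flows:
        new_flows[(f.src, f.dst, f.ts)] += 1
        if f.proto == 17:
            udp_packets[(f.src, f.ts)] += f.packets
            if f.dport == 123 and f.dst not in allowed_ntp:
                ntp_to_unknown[(f.src, f.dst)] += 1
    findings = []
    for (src, dst), n in ntp_to_unknown.items():
        findings.append(("ntp_to_unlisted_server", src, dst, n))
    for (src, dst, ts), n in new_flows.items():
        if n > conn_per_sec:
            findings.append(("connection_rate", src, f"{dst}@{ts}", n))
    for (src, ts), n in udp_packets.items():
        if n > udp_pps:
            findings.append(("udp_packet_rate", src, str(ts), n))
    return sorted(findings)


# Constructed sample records, not captured traffic.  10.0.1.10 is a normal
# web client syncing time with the allow-listed server; 10.0.1.20 talks NTP
# to an unlisted host; 10.0.1.30 opens 60 connections to one web server in a
# single second; 10.0.1.40 sends 2000 UDP packets in one second.
SAMPLE = "\n".join(
    ["# ts src dst proto dport packets bytes",
     "1700000000 10.0.1.10 203.0.113.5 6 443 12 9000",
     "1700000001 10.0.1.10 203.0.113.5 6 443 8 4100",
     "1700000000 10.0.1.10 169.254.169.123 17 123 1 76",
     "1700000000 10.0.1.20 198.51.100.7 17 123 1 76",
     "1700000001 10.0.1.20 198.51.100.7 17 123 1 76",
     "1700000002 10.0.1.20 198.51.100.7 17 123 1 76"]
    + ["1700000000 10.0.1.30 192.0.2.44 6 80 1 60"] * 60
    + ["1700000001 10.0.1.40 192.0.2.99 17 53 400 32000"] * 5
)


if __name__ == "__main__":
    for kind, src, detail, count in triage(parse_flows(SAMPLE)):
        print(f"{kind:24s} src={src:10s} {detail:28s} count={count}")
```

Running the script prints one finding per offending internal host, which is exactly the information a firewall block alone does not give: the source address to go and examine. The thresholds are deliberately parameters so they can be raised to match a given workload's normal peaks.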
The cause of DDoS traffic leaving the network is usually malware installed on one or more systems, which enrolls the infected system in a much larger, global botnet. Not only does this lead to the DDoS-related issues mentioned above, but it usually gives the botnet owner full control of the infected systems, opening the door to data theft, outages and possibly even data ransom situations. Quality host-based malware detection and prevention tools are a must-have for any system, as is prompt patching of internet-facing services such as the Elasticsearch instances in the example above.
Dedicated DDoS mitigation products or third-party DDoS protection providers could also be utilized. The customer directs all incoming and outgoing traffic through the product or service, which filters the offending DDoS-related traffic out of the stream. Note what each option does not cover: with a third-party scrubbing provider, the outgoing bandwidth of the CSP is still consumed before the traffic reaches the provider if the customer is unknowingly participating in a cloud DDoS attack, and with a dedicated product deployed inside the cloud environment, the incoming bandwidth of the CSP is still consumed if the customer is the target of an attack. It is important to weigh which methods work best for the environment.
Finally, a well-placed intrusion detection or prevention system could catch suspicious or malicious traffic. This might not only detect the outbound DDoS traffic, but could also detect and block the malware download and the botnet command-and-control traffic that precede it, which is a much better position to be in.
Participation in a DDoS attack is bad in any case, but the associated risks are higher when the systems involved are hosted in a public cloud environment: not only because of the cloud DDoS attack itself, but because the customer's systems can, in principle, be switched off by a third party, and the high volume of outgoing traffic could result in a considerable bandwidth bill. If the right security measures are taken, however, most of these risks can be controlled. Once they are under control, the organization can focus on protection against incoming DDoS attacks, which is quite a different issue.