Stopping distributed denial-of-service attacks in the cloud

Distributed denial-of-service attacks are a top threat to cloud security. And while they're impossible to prevent completely, there are steps enterprises can take to increase safety.

Enterprises moving to the cloud need to build the safest and most secure architecture possible. According to the Cloud Security Alliance's (CSA) report, The Notorious Nine: Cloud Computing Top Threats in 2013, distributed denial-of-service (DDoS) attacks are among the most common attacks against enterprise cloud deployments. In a recent blog post, Amazon discussed how customers can use security groups and access controls in their Amazon Web Services (AWS) Virtual Private Cloud (VPC) to reduce attack surfaces, as well as design a cloud architecture that's protected from DDoS attacks. Is the concept of a DDoS-resistant cloud realistic? This tip explores key concepts and technologies that infrastructure and security teams can implement to help reduce the risk of DDoS attacks in their cloud environments today.

Reduce public exposure

It's important to understand that there is no possible way to completely eliminate the threat of distributed denial-of-service attacks. To effectively combat DDoS attacks and maintain cloud service availability, there are several core concepts that apply. First, enterprises need to reduce the overall footprint of their publicly exposed environment. For AWS environments, this is usually accomplished by setting up security groups and private networks within a VPC. Amazon has a good overview of how to do this to minimize public asset exposure in a blog post. In Microsoft Azure, this same approach can be accomplished with the creation of virtual machine endpoints -- for traffic direction to specific virtual machines and their associated services -- or Network Security Groups.

Prepare for scaling and redundancy

Resiliency and scalability should be prepared ahead of time to ensure that resources are available for scaling and redundancy as needed during distributed denial-of-service attacks, especially in various geographic zones. Any virtual machine instances running in the cloud need to have guaranteed network resources available.

Amazon offers enhanced networking with certain instance sizes, allowing more packets per second to and from these systems for improved performance. Amazon offers its Elastic Load Balancing (ELB) service, which acts as a front end for all running instances, and also distributes traffic to systems based on your load-balancing requirements.

Microsoft offers both domain name system (DNS) and network load balancing for all Azure instances, and Rackspace offers dedicated cloud load balancers for controlling traffic flow, as well. Setting up automated triggers for starting new services and scaling up in the cloud is another common way to provide resource resiliency. In a white paper on mitigating DDoS attacks, Amazon suggested using its Auto Scaling capability with triggers on specific instance metrics -- such as CPU utilization (CPUUtilization), inbound network traffic (NetworkIn) and instance status checks (StatusCheckFailed) -- to automate scaling and load balancing for instances where possible.

Take advantage of content delivery networks

Leverage content delivery networks (CDNs), such as AWS CloudFront, Azure Content Delivery Network or third-party services -- such as those from Akamai Technologies or CloudFlare -- to proxy traffic and perform "packet scrubbing" activities that can help detect and mitigate DDoS attacks before they have a significant effect on cloud resources. These CDNs spread traffic out through a mesh of network points that can cache and distribute content, as needed.

More from Dave Shackleford:
Most CDNs can also restrict traffic to and from certain countries or points of origin. Amazon CloudFront can additionally use an Origin Access Identity, which restricts access to a Simple Storage Service (S3) bucket to requests proxied through CloudFront instead of allowing direct access to the bucket -- a direct path that can otherwise be targeted by distributed denial-of-service attacks. Other intermediary services or platforms that can help with DDoS attacks include web application firewall appliances and services from companies such as Imperva, Qualys and Barracuda.

Distributed denial-of-service attack defense: Other measures

Along with the key concepts listed above, there are other approaches enterprises can take to protect their infrastructure. Amazon recommends using DNS controls like its Route 53 service to help control DDoS attempts. Route 53 capabilities, such as shuffle sharding or distributing DNS requests, anycast routing, alias record sets -- separate DNS records that can be changed quickly on the fly to point to CloudFront or ELB nodes -- and private DNS (internal-only) entries, can help provide more flexibility and control over traffic resolution before and during distributed denial-of-service attacks.

In addition to all these capabilities, cloud providers recommend that enterprises carefully track and monitor cloud usage patterns to develop sound baselines of normal behavior, allowing them to develop proactive measures and controls to respond effectively if a DDoS attack occurs.
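The two ideas above -- a baseline of normal behavior and a metric trigger such as NetworkIn that fires a scaling or alerting action -- can be modelled together. The following is an added example, not code from the article or from AWS: it learns a threshold from a quiet window of constructed per-minute NetworkIn samples and then applies the "N of the last M datapoints above threshold" evaluation that cloud monitoring alarms typically use, so a single noisy spike does not trigger while a sustained ramp does. The sample values, the `k` multiplier and the window sizes are assumptions chosen for illustration.

```python
"""Baseline plus N-of-M threshold evaluation for a NetworkIn-style metric.

Added example (not the article's or AWS's code). Models how a monitoring alarm
decides to fire a scale-out or alert action from a learned baseline.
"""
from statistics import mean, pstdev

# Constructed sample: 30 minutes of ordinary traffic followed by a ramp that
# resembles the start of a volumetric flood. Units: NetworkIn bytes per minute.
NETWORK_IN = (
    [4_900_000, 5_100_000, 5_000_000, 4_800_000, 5_200_000, 5_050_000] * 5
    + [6_000_000, 9_000_000, 25_000_000, 60_000_000, 95_000_000, 120_000_000]
)


def baseline_threshold(samples, k=4.0):
    """Upper bound of 'normal': mean + k population standard deviations."""
    return mean(samples) + k * pstdev(samples)


def alarm_state_changes(samples, threshold, datapoints_to_alarm=3, evaluation_periods=3):
    """Return (index, state) transitions using alarm-style evaluation:
    ALARM when at least `datapoints_to_alarm` of the last `evaluation_periods`
    datapoints exceed `threshold`, otherwise OK. Starts in OK."""
    transitions = []
    state = "OK"
    for i in range(len(samples)):
        window = samples[max(0, i - evaluation_periods + 1): i + 1]
        breaches = sum(1 for v in window if v > threshold)
        new_state = "ALARM" if breaches >= datapoints_to_alarm else "OK"
        if new_state != state:
            transitions.append((i, new_state))
            state = new_state
    return transitions


def first_alarm_minute(samples, baseline_minutes=30):
    """Learn the threshold from the first `baseline_minutes` samples and return
    the index of the first minute the alarm enters ALARM, or None."""
    threshold = baseline_threshold(samples[:baseline_minutes])
    for idx, state in alarm_state_changes(samples, threshold):
        if state == "ALARM":
            return idx
    return None


if __name__ == "__main__":
    print("threshold:", round(baseline_threshold(NETWORK_IN[:30])))
    print("first ALARM minute:", first_alarm_minute(NETWORK_IN))
```

In production the threshold and window sizes would be set on the monitoring service itself; the point of the model is that the baseline comes from observed traffic rather than a guessed constant, and that the evaluation window filters out one-off spikes.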
