Protecting Cloud Infrastructure Against DDoS
Author: Tzury Bar Yochay, Co-founder at Reblaze
DDoS (Distributed Denial of Service) attacks can be very dramatic. They often involve an incoming avalanche of traffic, meant to overwhelm your infrastructure and make it unavailable to your users and customers.
Traditional on-prem infrastructure can be quite vulnerable to large-scale DDoS. Although a WAF or other appliance can prevent the attack from reaching the backend, it’s possible for the traffic to saturate the incoming Internet pipe (and degrade the availability and performance of the network) before it reaches the appliance.
In many ways, cloud infrastructures are more resistant to DDoS. Cloud platforms offer abundant bandwidth, automatic load balancing, and resource autoscaling. Plus, each of the top three providers (AWS, Azure, and GCP) provide native DDoS mitigation tools, fully integrated with their platforms.
Nevertheless, when it comes to DDoS, cloud architectures still have some inherent weaknesses. In this article, we’ll discuss these weaknesses, and how to mitigate them and harden a cloud environment against DDoS attacks.
Types of DDoS
A DDoS is, by definition, a distributed attack; threat actors use geographically dispersed clients to send the malicious traffic. By sending requests to a specific system from a variety of sources, the attack is more effective and harder to block.
The targeted organization can find it difficult to distinguish between hostile traffic sources and legitimate users, especially in sophisticated assaults where the attack machines simulate typical client behavior.
There are different types of DDoS, with the broadest distinction being volumetric versus non-volumetric. In volumetric DDoS, the attackers try to overload the target with a massive volume of traffic (up to multiple Tbps). Conversely, non-volumetric attacks try to exhaust the target’s resources with a much smaller number of requests.
This difference is key when understanding the challenges of securing cloud environments against DDoS. Volumetric attacks tend to be more straightforward to defend against, while lower-volume attacks can be more difficult. To understand why, let’s briefly discuss the DDoS products offered by the top-tier cloud platforms.
Native DDoS Tools
Each of the Big 3 public cloud providers (AWS, Azure, and GCP) has one or more built-in products to help mitigate DDoS attacks.
AWS offers AWS Shield, which comes in Standard and Advanced versions. Shield Standard is free, and is built into services such as AWS CloudFront and Route 53. The Advanced version includes some additional features, better visibility, and larger capacity; however, it requires an annual commitment, a monthly fee of several thousand dollars, and outgoing data transfer fees.
Microsoft Azure offers Azure DDoS Protection, available in Basic and Standard versions. Basic is free, and automatically protects against common network attacks. Standard costs several thousand dollars per month, and offers better visibility, reports, alerts, and customizations, among other benefits.
Google Cloud Platform includes Cloud Armor, which offers a Standard tier and Plus tier. Both provide volumetric protocol-based DDoS protection. Neither tier is free; Standard is a pay-as-you-go model, while Plus requires a one-year commitment to a monthly fee of several thousand dollars.
Native Tools: Strengths and Weaknesses
Although these various DDoS mitigation tools have some differences, they share some important strengths.
First, they are straightforward to deploy and use. As native services, all of these products are fully integrated into their platforms. Also, as noted above, some of them are free, which is obviously very attractive.
Having said that, there’s a reason that all three providers offer paid services. The free and low-cost products are inadequate for most enterprise applications.
So then, what about the paid services—do they provide adequate protection? For most organizations, the answer is no. Here’s why.
First, these products are rule-based. Out of the box, they contain some predefined rules, which protect against basic forms of attack. However, for other attacks, the user is expected to manually create comprehensive security rulesets and policies. This requires a regular commitment of staff time, and often a level of expertise, that many organizations might not have available.
Note too that cloud providers are not in the web security business; they are not trying to make the best WAF, or create the most advanced bot detection engine, or push forward the state-of-the-art in API protection or DDoS mitigation. Instead, they are trying to gain more customers and create more infrastructure usage. So their native security tools are not the most sophisticated products available, nor are they meant to be.
As a result, these services can do well when defending against basic volumetric DDoS. However, they don’t necessarily perform as well against more advanced attacks.
Advanced DDoS Attacks
Volumetric DDoS attacks tend to occur on OSI Layers 3 and 4 (e.g., TCP SYN floods), although some are waged on Layer 7 (such as HTTP floods). These attacks are generally not difficult to identify, and the native products can usually block them effectively.
Non-volumetric attacks tend to be on Layer 7 (the application layer). These can be much more difficult to identify, and therefore, to block. These attacks avoid creating an obviously anomalous influx of traffic—instead, they exhaust the target’s resources with requests that take advantage of how the targeted system works.
For example, multiple traffic sources might connect to the server, and keep the connections open for long periods of time; eventually, this will consume all the available connections, which will deny system access to legitimate users. Or the requests might be designed to trigger activities (e.g., database lookups) which consume large amounts of backend resources.
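The two resource-exhaustion patterns just described leave a footprint in proxy or load-balancer logs even when traffic volume looks normal. The following detection logic is an added example (not code from the article or from any product it mentions); it runs over a constructed set of per-connection records with hypothetical field names and flags sources that hold many near-idle connections open or that issue repeated backend-expensive requests.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of per-connection records, as a reverse proxy or load
# balancer might log them (field names are hypothetical):
#   src        client address
#   duration_s seconds the connection stayed open
#   bytes_in   request bytes received over the connection
#   backend_ms time the backend spent serving the request
RECORDS = [
    {"src": "203.0.113.5", "duration_s": 0.4, "bytes_in": 812, "backend_ms": 35},
    {"src": "203.0.113.5", "duration_s": 0.6, "bytes_in": 640, "backend_ms": 28},
    # A source holding many connections open while sending almost nothing
    *[{"src": "198.51.100.7", "duration_s": 290.0, "bytes_in": 40, "backend_ms": 0}
      for _ in range(25)],
    # A source issuing a handful of requests that are each costly for the backend
    *[{"src": "192.0.2.9", "duration_s": 1.2, "bytes_in": 500, "backend_ms": 4200}
      for _ in range(6)],
    {"src": "203.0.113.8", "duration_s": 0.3, "bytes_in": 700, "backend_ms": 30},
]

def flag_sources(records, hold_s=60, min_held=10, cost_ms=2000, min_costly=5):
    """Return {src: [reasons]} for sources that exhaust resources without
    producing an obviously anomalous traffic volume.

    hold_s / min_held:    a source with >= min_held connections each open
                          longer than hold_s seconds is connection-holding.
    cost_ms / min_costly: a source with >= min_costly requests that each kept
                          the backend busy longer than cost_ms is backend-exhausting.
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    flagged = {}
    for src, rows in by_src.items():
        reasons = []
        held = [r for r in rows if r["duration_s"] > hold_s]
        if len(held) >= min_held:
            reasons.append(f"{len(held)} connections held >{hold_s}s, "
                           f"mean {mean(r['bytes_in'] for r in held):.0f} bytes each")
        costly = [r for r in rows if r["backend_ms"] > cost_ms]
        if len(costly) >= min_costly:
            reasons.append(f"{len(costly)} requests each >{cost_ms}ms backend time")
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    for src, why in flag_sources(RECORDS).items():
        print(src, "->", "; ".join(why))
```

Because a real attack is distributed, per-source thresholds are only a first pass; the same counts should also be tracked across all sources combined (total held connections, total backend time) so that an attacker spreading load thinly across many clients still trips an alert.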
An Evolving Threat Environment
Threat actors are innovative, and they are always developing new attack techniques. A recent example has been called the “yo-yo attack,” because the amount of incoming attack traffic goes up and down repeatedly. Its goal is not to completely exhaust the target’s resources (although that might happen), but rather to inflict financial damage on the targeted organization.
A yo-yo attack begins with a massive DDoS; in order to absorb it, the targeted system immediately scales upward and deploys additional resources. The attacker then halts the DDoS traffic. After a short delay, the target scales down its resources to normal levels again; at that point, the attacker resumes the DDoS again. This cycle repeats indefinitely, for as long as the attacker desires.
A yo-yo attack is based on an asymmetrical cost structure. The attacker minimizes his expenses, and only sends short bursts of DDoS traffic. Meanwhile, the target organization usually pays for cloud resources based on their deployment, and the yo-yo forces resources to scale up more often, for longer periods of time, and to higher levels than are actually needed. Thus, the organization will pay its cloud service providers much higher fees for resource usage, while receiving no additional business value.
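The asymmetry can be put into numbers with a small minute-by-minute model. This is an added example, not code from the article: it assumes a simplified autoscaler (constructed here, not any provider's real scaling logic) that adds capacity a fixed reaction time after a burst begins and removes it only after a cooldown following the burst's end, and it compares the instance-minutes the target is billed with the minutes the attacker actually spent sending traffic.

```python
def simulate_yoyo(horizon_min, burst_min, period_min, baseline, peak,
                  react_min=2, cooldown_min=10):
    """Minute-by-minute model of an autoscaled service under a yo-yo attack.

    Constructed model, not any provider's real autoscaler: the attacker sends
    traffic for burst_min minutes at the start of every period_min window.
    Capacity rises from `baseline` to `peak` instances react_min minutes after
    a burst starts and returns to baseline cooldown_min minutes after it ends.
    Returns (billed instance-minutes, attacker-active minutes, elevated minutes).
    """
    elevated, attacking = set(), set()
    if burst_min > 0:
        for start in range(0, horizon_min, period_min):
            attacking.update(range(start, min(start + burst_min, horizon_min)))
            # Scale-up lags the burst and scale-down lags its end, so the
            # elevated (and billed) window is longer than the burst itself.
            elevated.update(range(start + react_min,
                                  min(start + burst_min + cooldown_min, horizon_min)))
    billed = sum(peak if t in elevated else baseline for t in range(horizon_min))
    return billed, len(attacking), len(elevated)

def excess_cost(horizon_min, burst_min, period_min, baseline, peak, **scaler):
    """Extra instance-minutes the target pays over a quiet baseline, and that
    figure per minute of attack traffic: the asymmetry the attacker exploits."""
    billed, attack_min, _ = simulate_yoyo(horizon_min, burst_min, period_min,
                                          baseline, peak, **scaler)
    extra = billed - baseline * horizon_min
    return extra, (extra / attack_min if attack_min else 0.0)

if __name__ == "__main__":
    # 24 hours, 5-minute bursts every 30 minutes, 4 baseline vs 40 peak instances.
    # A longer scale-down cooldown makes each attacker minute cost the target more.
    for cooldown in (10, 20):
        extra, per_min = excess_cost(1440, 5, 30, 4, 40,
                                     react_min=2, cooldown_min=cooldown)
        print(f"cooldown {cooldown:2d} min: {extra} extra instance-minutes, "
              f"{per_min:.1f} per attacker minute")
```

The ratio returned by `excess_cost` is the figure to feed into the cost-benefit analysis discussed later in the article: it translates a burst schedule and your scaler's settings into the bill an attacker can impose per minute of their own effort.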
The yo-yo is only one example of recent innovations in DDoS. As organizations become more dependent on the web, and other trends (such as the rising adoption of cryptocurrencies) continue, DDoS extortion is becoming easier and potentially more lucrative. Threat actors have strong incentives to develop more effective attacks, and indeed, they are doing so.
Defending Cloud Environments Against DDoS
The examples above illustrate an important fact: although many DDoS attacks are simple and easy to block, many more are not.
So how can you protect your web applications and cloud workloads against DDoS? Start by taking full advantage of your provider’s free DDoS protection service (if it offers one), enabling it wherever applicable throughout your environment. Although the free services do not offer full protection, they are easy to use, and they will still defend against a significant amount of potential DDoS incidents.
Robust DDoS protection will not be free, which creates the need for a cost-benefit analysis. It is possible to spend more than you actually need. Thus, it is important to evaluate the cost and risk of suffering a DDoS attack against your organization, in terms of potential financial damage and lost revenue.
This analysis should consider the importance of workloads (often, some applications will be critical, while others might not be). Past experience can also be helpful, and should be considered (in some industries, DDoS attacks are rampant, while others are quieter). Lastly, timing can also be important when evaluating potential risk (for example, an ecommerce store can be devastated by a large DDoS during the holiday shopping season).
These factors should help you decide how much DDoS protection is worth to your organization. Once this is known, you can then compare the various solutions that are available to meet your needs.
A common mistake is to immediately adopt the upper-tier product from your cloud provider, without considering any alternatives. As noted above, even though the native products are very convenient, they are not necessarily the best choice.
Many third-party security solutions offer DDoS protection that is at least as good as that offered by the native services, and often better. Also, many of these vendors are technology partners with the major cloud providers, so their solutions are fully integrated with these platforms. And their prices can be quite competitive with the native tools, even lower in some cases.
When you carefully consider all your options, you will usually find that robust protection is available at a price that makes sense for your use case.
Summary
When it comes to DDoS mitigation, it is tempting to assume that all services provide roughly the same protection for the same cost, and thus you should choose the most convenient option (the native services offered by the cloud providers). However, if you resist this temptation, and carefully compare the various options, your organization could enjoy better protection, and provide a better and more reliable experience for your customers, at a lower price.