Dave Larson, Chief Technology Officer and Vice President, Product at Corero Network Security
With no shortage of distributed denial-of-service (DDoS) attacks overwhelming the news headlines, many businesses have been fast to question whether they are well protected by their current DDoS mitigation strategy and are turning to their cloud and hosting providers for answers.
Unfortunately, the sheer size and scale of hosting or data center operator network infrastructures and their massive customer base presents an incredibly attractive attack surface due to the multiple entry points and significant aggregate bandwidth that acts as a conduit for a damaging and disruptive DDoS attack. As enterprises increasingly rely on hosted critical infrastructure or services, they are placing themselves at even greater risk from these devastating cyber threats – even as an indirect target.
The indirect target: secondhand DDoS
The multi-tenant nature of cloud-based data centers can be less than forgiving for unsuspecting tenants. A DDoS attack, volumetric in nature against one tenant, can lead to disastrous repercussions for others; a domino effect of latency issues, service degradation and potentially damaging and long-lasting service outages.
The excessive amount of malicious traffic bombarding a single tenant during a volumetric DDoS attack can have adverse effects on other tenants, as well as on the overall data center operation. In fact, it is becoming more common for attacks on a single tenant or service to completely choke the shared infrastructure and bandwidth resources, resulting in the entire data center being taken offline or severely slowed – also known as secondhand DDoS.
A crude defense against DDoS attacks
Black-holing or black-hole routing is a common, crude defense against DDoS attacks, which is intended to mitigate secondhand DDoS. With this approach, the cloud or hosting provider blocks all packets destined for a domain by advertising a null route for the IP address(es) under attack.
There are a number of problems with using this approach to defend against DDoS attacks. Most notable is the situation where multiple tenants share a public IP address range. In this case, all customers associated with the address range under attack lose all service, regardless of whether they were the specific target of the attack. In effect, the data center operator has finished the attacker’s job by completely DoS’ing its own customers.
Furthermore, injecting null routes is a manual process that requires human analysts, workflow processes and approvals. This increases the time to respond to the attack, leaving all tenants of the shared data center suffering the consequences for extended periods, potentially hours.
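The collateral damage of a null route is easy to quantify before it is announced. The following Python example is added here to illustrate the point; it is not code from the article or from Corero. It assumes a constructed tenant allocation table (documentation-range addresses) and compares the blast radius of a host-specific /32 null route against the shared /24 null route the article warns about.

```python
import ipaddress
from typing import Dict, List

# Constructed (hypothetical) allocation table for a hosting provider.
# Several tenants share the public 203.0.113.0/24, as the article describes;
# tenant-d has a dedicated range of its own.
TENANT_ALLOCATIONS: Dict[str, List[str]] = {
    "tenant-a": ["203.0.113.10/32", "203.0.113.11/32"],
    "tenant-b": ["203.0.113.20/32"],
    "tenant-c": ["203.0.113.64/26"],   # a sub-block of the shared /24
    "tenant-d": ["198.51.100.0/24"],   # dedicated range, outside the shared /24
}


def tenants_affected(blackhole_prefix: str,
                     allocations: Dict[str, List[str]] = TENANT_ALLOCATIONS) -> List[str]:
    """Return every tenant holding at least one address inside the proposed null route."""
    hole = ipaddress.ip_network(blackhole_prefix, strict=False)
    hit = set()
    for tenant, prefixes in allocations.items():
        for p in prefixes:
            if ipaddress.ip_network(p, strict=False).overlaps(hole):
                hit.add(tenant)
    return sorted(hit)


def collateral(target_ip: str, blackhole_prefix: str,
               allocations: Dict[str, List[str]] = TENANT_ALLOCATIONS) -> List[str]:
    """Tenants who lose service although they were not the attack target.

    This is the 'secondhand' damage the operator inflicts on its own customers
    when the null route is wider than the victim address.
    """
    target = ipaddress.ip_address(target_ip)
    victims = {
        tenant for tenant, prefixes in allocations.items()
        if any(target in ipaddress.ip_network(p, strict=False) for p in prefixes)
    }
    return [t for t in tenants_affected(blackhole_prefix, allocations) if t not in victims]


def blast_radius_report(target_ip: str, candidates: List[str]) -> Dict[str, List[str]]:
    """Map each candidate null-route prefix to the non-target tenants it would take down."""
    return {prefix: collateral(target_ip, prefix) for prefix in candidates}


if __name__ == "__main__":
    victim = "203.0.113.10"   # constructed: the single tenant host under attack
    for prefix, hurt in blast_radius_report(victim, [f"{victim}/32", "203.0.113.0/24"]).items():
        print(f"null route {prefix:<18} collateral tenants: {hurt or 'none'}")
```

Running it shows that the /32 route affects only tenant-a (the actual target), while the /24 route also takes tenant-b and tenant-c offline, which is exactly the "finishing the attacker's job" outcome described above. The same check can be wired in front of any RTBH announcement so that an operator sees the list of innocent tenants before the route goes out.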
DDoS attacks becoming increasingly painful
The growing dependence on the Internet makes the impact of successful DDoS attacks – financial and otherwise – increasingly painful for service providers, enterprises, and government agencies. And newer, more powerful DDoS tools promise to unleash even more destructive attacks in the months and years to come.
Enterprises that rely on hosted infrastructure or services need to start asking the tough questions of their hosting or data center providers, as to how they will be properly protected when a DDoS attack strikes. As we’ve seen on numerous occasions, hosted customers are simply relying on their provider to ‘take care of the attacks’ when they occur, without fully understanding the ramifications of turning a blind eye to this type of malicious behavior.
Here are three key steps for providers to consider to better protect their own infrastructure, and that of their customers:
- Eliminate the delays incurred between the time traditional monitoring devices detect a threat, generate an alert, and an operator is able to respond, reducing initial attack impact from hours to seconds by deploying appliances that both monitor and mitigate DDoS threats automatically. Your mitigation solution should allow for real-time reporting, alert and event integration with back-end OSS infrastructure for fast reaction times and the clear visibility needed to understand the threat condition and proactively improve DDoS defenses.
- Deploy your DDoS mitigation inline. If you have out-of-band devices in place to scrub traffic, quickly deploy inline threat detection equipment that can inspect, analyze and respond to DDoS threats in real time.
- Invest in a DDoS mitigation solution that is architected to never drop good traffic. Providers should avoid the risk of the security equipment becoming a bottleneck in delivering hosted services and should always allow legitimate traffic to pass uninterrupted: a “do no harm” approach to successful DDoS defense.
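The first step above argues for closing the gap between detection and mitigation automatically. The Python example below is added here to show what such a detect-then-act loop looks like in its simplest form; it is not code from the article or from any vendor product. It assumes constructed per-second packet-rate samples per destination address, hypothetical tuning values (EWMA baseline, 10x ratio, 20,000 pps floor, three consecutive samples), and emits a host-specific mitigation action rather than a shared-prefix null route. It also handles the failure mode of a single short spike, which must not trigger mitigation, and avoids folding attack traffic into the learned baseline.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hypothetical tuning values for the example; real deployments tune these per link.
ALPHA = 0.2            # EWMA weight when updating a destination's baseline rate
RATIO = 10.0           # alarm only when rate exceeds RATIO x baseline ...
FLOOR_PPS = 20_000     # ... and also exceeds this absolute floor (small services)
CONSECUTIVE = 3        # samples in a row above threshold before mitigation fires


class VolumetricDetector:
    """Per-destination packet-rate detector that triggers a mitigation automatically."""

    def __init__(self) -> None:
        self.baseline: Dict[str, float] = {}
        self.streak: Dict[str, int] = defaultdict(int)
        self.alarmed: Dict[str, int] = {}   # dst -> sample time when mitigation fired

    def observe(self, t: int, dst: str, pps: float) -> Optional[str]:
        """Feed one per-second sample. Returns a mitigation action when one fires, else None."""
        if dst in self.alarmed:
            return None                      # already mitigated; nothing more to do
        base = self.baseline.get(dst)
        if base is None:
            self.baseline[dst] = pps         # first sample seeds the baseline
            return None
        threshold = max(FLOOR_PPS, RATIO * base)
        if pps > threshold:
            # Above threshold: count the streak but do NOT update the baseline,
            # otherwise sustained attack traffic would teach the detector that
            # the attack rate is normal.
            self.streak[dst] += 1
            if self.streak[dst] >= CONSECUTIVE:
                self.alarmed[dst] = t
                return f"mitigate {dst}/32 (rate {pps:.0f} pps vs baseline {base:.0f} pps)"
            return None
        # Normal sample: reset the streak and let the baseline track slow drift.
        self.streak[dst] = 0
        self.baseline[dst] = base + ALPHA * (pps - base)
        return None


def run(samples: List[Tuple[int, str, float]]) -> Dict[str, int]:
    """Replay samples in order; return {dst: second at which mitigation fired}."""
    det = VolumetricDetector()
    for t, dst, pps in samples:
        action = det.observe(t, dst, pps)
        if action:
            print(f"t={t}s: {action}")
    return dict(det.alarmed)


# Constructed sample stream (documentation-range addresses), 20 one-second samples:
#  - 203.0.113.10 runs at ~1,000 pps and is flooded at 500,000 pps from t=10
#  - 203.0.113.20 runs at ~800 pps with a single one-second spike at t=5
SAMPLES: List[Tuple[int, str, float]] = []
for _t in range(20):
    SAMPLES.append((_t, "203.0.113.10", 1_000.0 if _t < 10 else 500_000.0))
    SAMPLES.append((_t, "203.0.113.20", 50_000.0 if _t == 5 else 800.0))


if __name__ == "__main__":
    fired = run(SAMPLES)
    print("mitigations fired:", fired)
```

With these samples the flood on 203.0.113.10 is mitigated at t=12, three seconds after it begins, and the one-second spike on 203.0.113.20 never fires because its streak resets on the next normal sample. The comparison the article draws is between this seconds-scale loop and the manual ticket-and-approval path to a null route, which the earlier section puts at hours.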
Enterprises rely on their providers to ensure availability and ultimately protection against DDoS attacks and cyber threats. With a comprehensive first line of defense against DDoS attacks deployed, you are protecting your customers from damaging volumetric threats directed at or originating from or within your networks.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.