Protecting cloud networks against DDoS and DoS attacks

DDoS and DoS attacks are simple to implement but more difficult to prevent. How can these attacks on cloud services be avoided?

What is the difference between DDoS and DoS attacks on cloud services? Is it more difficult to prevent DDoS or DoS attacks?

DoS and DDoS are both denial-of-service attacks. The attacks work by requesting so many resources from a server that the server cannot respond to legitimate requests. A DoS is an attack that originates from a single device. A distributed DoS (or DDoS) involves malicious traffic from multiple devices.

DoS and DDoS attacks can be surprisingly simple to implement. For example, an attacker can send large volumes of connection requests to overwhelm a server. Programs can be designed to send synchronization (SYN) packets to the target, which, in turn, replies with a synchronize-acknowledge (SYN/ACK) packet. The server then waits for a response from the originating system that never arrives. The bogus connection request will eventually time out, but in the meantime that half-open connection slot is not available to legitimate users. If enough malicious SYN packets are sent, they consume all of the available connection slots, effectively denying any legitimate connection requests.

When an attack originates from a single device, cloud security pros can simply block its IP address. The traffic may arrive at your cloud network firewall, but that is as far as it gets. However, when attacks are distributed across a large number of devices, that simple blocking technique will not work because there is no single IP address to block. Attackers can launch DDoS attacks using botnets (also known as zombie armies), sets of compromised computers that can be directed to flood a target server with network traffic simultaneously.
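A toy model of the half-open connection table from the SYN flood description above and the single-IP block just discussed, added here as an illustration (it is not code from the original article). The backlog size, timeout and IP addresses are constructed values; it shows why blocking the busiest source clears a single-device flood but does nothing against a distributed one.

```python
from collections import Counter
from dataclasses import dataclass, field

BACKLOG = 4        # half-open connections the toy server can hold (constructed value)
SYN_TIMEOUT = 3.0  # seconds before an unanswered SYN/ACK is dropped (constructed value)


@dataclass
class HalfOpenTable:
    """Toy model of a server's SYN backlog: entries live until ACKed or timed out."""
    capacity: int = BACKLOG
    timeout: float = SYN_TIMEOUT
    pending: dict = field(default_factory=dict)  # (src_ip, src_port) -> time SYN/ACK was sent
    blocked: set = field(default_factory=set)    # source IPs dropped at the firewall

    def expire(self, now):
        """Drop half-open entries whose SYN/ACK was never answered within the timeout."""
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.timeout}

    def syn(self, src_ip, src_port, now):
        """Handle an incoming SYN; return True if the server can hold the half-open slot."""
        self.expire(now)
        if src_ip in self.blocked or len(self.pending) >= self.capacity:
            return False
        self.pending[(src_ip, src_port)] = now
        return True

    def busiest_source(self):
        """(ip, half-open count) for the source currently holding the most slots."""
        return Counter(ip for ip, _ in self.pending).most_common(1)[0]


def run_flood(attacker_ips, legit_ip="192.0.2.10"):
    """Flood the table with unanswered SYNs, apply the single-IP block, test a legitimate SYN."""
    tbl, t = HalfOpenTable(), 0.0
    for i, ip in enumerate(attacker_ips):
        tbl.syn(ip, 40000 + i, t)  # bogus SYN: the SYN/ACK will never be acknowledged
        t += 0.1
    during_flood = tbl.syn(legit_ip, 50000, t)
    ip, held = tbl.busiest_source()
    if held > 1:  # one source dominates the table: single-device DoS, so block it
        tbl.blocked.add(ip)
        tbl.pending = {k: v for k, v in tbl.pending.items() if k[0] != ip}
    after_block = tbl.syn(legit_ip, 50001, t + 0.1)
    after_timeout = tbl.syn(legit_ip, 50002, t + SYN_TIMEOUT + 1)
    return during_flood, after_block, after_timeout
```

With four SYNs from one address the legitimate request succeeds as soon as that address is blocked; with one SYN each from four addresses no source stands out, and the legitimate request only gets through once the bogus entries time out, which a sustained flood would simply refill.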

In the case of DDoS attacks, security pros can sometimes target the command and control computers within a botnet, disrupting its operations. But identifying command and control devices takes time. Even when they are identified and eliminated, some botnets are designed to detect a failed command and control server and promote another member of the botnet to take its place. There also may be multiple command and control servers running at any time, providing additional resiliency to the botnet.

Alternative security techniques must be used in the case of a DDoS attack, such as deep packet inspection and purpose-built hardware placed on the network to analyze packets. These measures must be designed to scale to the level of the attack, so that they are not themselves overwhelmed by malicious traffic.

About the author:
Dan Sullivan holds a master of science degree and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.
