Cloud DDoS protection: What enterprises need to know

DDoS attacks are a continuing problem, and enterprises should consider using cloud DDoS protection services. Expert Frank Siemons discusses the cloud options.

The exponential growth of distributed denial-of-service attacks -- there are up to 50 times more attacks now than there were 10 years ago -- has many organizations worried about when they will be the next target. For many of these organizations, it is only a matter of time before they are a victim of a distributed denial-of-service, or DDoS, attack -- and when their number does come up, how prepared are they and how prepared could they actually be?

A DDoS attack against a BBC website in 2016 reached a peak of 602 gigabits per second (Gbps), making it the largest DDoS attack in history. A well-organized and targeted DDoS attack could easily fire a sustained 100 Gbps of traffic at its victim. Even though the average connection bandwidth for organizations has grown at almost the same pace, the sophistication and specifically targeted characteristics of these attacks mean they are continually becoming harder to deal with. Businesses need to either invest a huge amount of resources in dedicated hardware, software and specialist skills, or outsource these DDoS protection services to a third party. Because third parties can spread out the costs of their high-capacity infrastructure over many customers that are unlikely to be all under attack at the same time, this is usually the most viable option for small, medium and even some larger enterprises.

Cloud DDoS protection services add-ons

Public cloud service providers (CSPs) such as Amazon Web Services, Microsoft Azure and Rackspace have been ideally placed to pick up this growing demand. They are competing with specialized cloud DDoS protection providers such as Cloudflare, but with one main benefit: the customer already has an agreement for one or more products such as IaaS or SaaS with that CSP. That means DDoS protection services are simply further add-ons to that existing contract. Most of the technical side, such as routing traffic, can also be handled by the public cloud service provider, without the need for another party to be involved.

In some cases, a cloud service provider may choose to outsource DDoS protection services to a specialized provider such as Cloudflare or Imperva. Even if this is the case, the public cloud customer still does not need to worry.

Potential benefits of cloud-based DDoS protection

One benefit of using cloud DDoS protection, apart from the ease of use that comes with keeping the number of service providers limited, is that CSPs know their network, indirectly monitor it for potential DDoS attacks and have more control over available mitigation actions. In the case of a sustained attack that takes place over many days, weeks or even months, there will also be some options such as a quick relocation to another virtual network or to another actual data center.

Another important factor organizations should consider is who will foot the bill for the potentially enormous increase in data due to a DDoS attack. This issue is more complex. Although many CSPs allow for unexpectedly high charges to be dropped in the case of a DDoS attack, this is easier to manage and prove when the CSP handles the DDoS attack and its potential mitigation. This will require the customer to do some further provider-specific research. For example, some CSPs don't charge for inbound traffic, which is an important consideration.

Available options for cloud DDoS protections

This platform-wide protection does not cover individual customers and their own specific configurations, requirements and priorities. The customers will need to deal with further attacks such as application-based DDoS attacks, which are more customized and targeted toward their publicly hosted services. Imagine a low to medium bandwidth DDoS attack specifically targeted at a customer's website using the HTTP protocol. Not knowing the website specifics, the CSP might not notice the attack. How would the CSP security team know this is an attack and not a popular online sale without having an in-depth knowledge of the service? If it actually detects an attack, it might not be authorized or knowledgeable enough to take custom mitigation actions. This means a customized cloud DDoS protection service is required. Most of the larger public cloud service providers have optional per-customer DDoS protections available, usually for an additional fee. This will provide the customer with bespoke DDoS protection profiles, in-depth analysis and alerting capabilities which match the customer's own organizational structure and requirements.
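The sale-versus-attack question above, as an added example that is not part of the original article: two constructed request windows carry the same volume, and only checks built on knowledge of the service tell them apart. The paths, thresholds and addresses are assumptions chosen for illustration, not values from any provider's product.

```python
from collections import Counter

# Service knowledge a platform-wide monitor lacks (all values assumed for illustration).
FUNNEL_PATHS = {"/cart", "/checkout"}  # steps real shoppers reach during a sale
MAX_REQ_PER_CLIENT = 30                # tolerated requests per client per window

def profile(window):
    """Summarise one time window of (client_ip, path) request tuples."""
    per_client = Counter(ip for ip, _ in window)
    per_path = Counter(path for _, path in window)
    funnel_clients = {ip for ip, path in window if path in FUNNEL_PATHS}
    return {
        "requests": len(window),
        "clients": len(per_client),
        "heaviest_client": max(per_client.values()),
        "top_path_share": per_path.most_common(1)[0][1] / len(window),
        "funnel_share": len(funnel_clients) / len(per_client),
    }

def attack_indicators(p):
    """Return the service-aware reasons a window looks like a flood, if any."""
    reasons = []
    if p["heaviest_client"] > MAX_REQ_PER_CLIENT:
        reasons.append("per-client request rate")
    if p["top_path_share"] > 0.9:
        reasons.append("traffic concentrated on one path")
    if p["funnel_share"] < 0.05:
        reasons.append("almost no client reaches cart or checkout")
    return reasons

# Constructed sample windows with identical request volume (500 each).
SALE = []
for i in range(200):
    ip = f"198.51.100.{i}"
    SALE += [(ip, "/sale"), (ip, f"/product/{i % 20}")]
    if i % 4 == 0:  # one shopper in four goes on to buy
        SALE += [(ip, "/cart"), (ip, "/checkout")]
ATTACK = [(f"203.0.113.{c}", "/search") for c in range(10) for _ in range(50)]

if __name__ == "__main__":
    for name, window in (("sale", SALE), ("attack", ATTACK)):
        p = profile(window)
        print(name, p["requests"], "requests:", attack_indicators(p) or "no indicators")
```

A volume-only threshold sees two identical windows here; the per-client, per-path and funnel checks are what a per-customer protection profile adds.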

It is not hard to see that it is well worth researching public cloud DDoS protection offerings, especially if they already manage most of the existing cloud services. Of course, not all organizations will have their main online services hosted within a public cloud infrastructure. Think, for instance, of a private cloud configuration, or a customer-managed data center. In that case, other benefits of third-party or self-managed DDoS protection could stand out. There are enough options out there; it is just a matter of weighing them all against each other.
