How to protect against cloud DDoS attacks

How CSPs provide cloud DDoS protection

To combat cloud DDoS threats, leading cloud providers offer DDoS protection services that can help protect cloud accounts and tenants in a wholly native and integrated solution. AWS offers its AWS Shield service for DDoS protection, while Microsoft Azure offers Azure DDoS Protection and Google Cloud has the Cloud Armor DDoS protection service.

While CSPs offer basic DDoS protection free of charge, most advanced services, such as customized traffic controls and incident support, come at an additional cost. Providers' standard plans are included for all tenants and defend against the most common, frequently occurring network and transport layer DDoS attacks that target sites and applications.

The advanced plans, however, have additional features, including the following:

• Additional capacity for large DDoS events.
• Native integration with web application firewalls and other network security controls.
• Forensic and historical reporting.
• Assistance from the CSP's incident response teams.
• Limited cost protection for charges incurred during an attack.

As the outermost layer of a defense-in-depth network protection model, cloud DDoS protection services can help improve the availability and resiliency of the entire cloud network infrastructure. Some organizations opt for DDoS coverage with content delivery network providers, such as Cloudflare and Akamai. But cloud-native DDoS protection is getting better all the time, and more organizations consider these services as viable options.

What to look for in a cloud-based DDoS defense service

With many different types of DDoS detection and mitigation services, providers' options have a lot of variation. When considering a cloud-based DDoS provider, look at the following:

• Cost. Some service providers charge a monthly flat fee, with additional costs for mitigation and remediation. Others charge for the amount of traffic bursting used, services employed, and the number of sites and services covered.
• Vendor maturity. Some vendors, such as Akamai, have been combating DDoS attacks for many years, while others may be newer and less experienced in this space. The age of a vendor doesn't dictate whether it will be effective for an organization, but ask for customer references and examples when the vendor successfully defended different types of attacks.
• Capabilities and features. Organizations should look for DDoS defenses that encompass more than volumetric attacks. While they are the most prevalent, other types of attacks are emerging, such as targeting the application layer and protocols. Any enterprise-class DDoS defense service should be able to handle some variations of all the attacks. In addition, many services offer management tools, reporting dashboards, threat intelligence briefings and additional research.
• Response capabilities and experience. Response service-level agreements are important and so is experience. Organizations should ensure DDoS response services are staffed by experienced analysts with a history of defending against large-scale and sophisticated DDoS attacks.

DDoS attacks will continue in the future, whether fueled by criminal goals, political mischief or other motives. At the same time, the severity and sophistication of these attacks continues to grow, and many organizations are not well equipped to handle them.

Using a cloud-based DDoS defense service may prove to be an effective security control for preventing, detecting and responding to these attacks, whether an organization has on-premises protection or not. For protecting IaaS and PaaS assets, services available from their provider's environments are often affordable and capable options to consider.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.