Getty Images/iStockphoto

Tip

How to protect against cloud DDoS attacks

Cloud DDoS protection enables companies to detect and mitigate DDoS attacks before they cause significant downtime, infrastructure issues and potential business losses.

Many organizations continue to experience DDoS attacks, which lead to disruption of business applications and services in the cloud. Malicious actors often initiate DDoS attacks to flood networks, systems and applications with more traffic, connections or requests than they can handle. Cloud DDoS protection is a must-have control to ensure network and application continuity and resilience.

As companies migrate to the cloud and rely more on cloud services, they realize the added threat of DDoS in cloud service environments. These threats are similar to traditional on-premises environments but differ in two ways. First, cloud DDoS attacks can lead to higher costs due to an increase in cloud service utilization. Second, many teams need more assistance from cloud service providers (CSPs) compared to the traditional DDoS response that may rely on a combination of in-house and ISP response.

Let's look at how CSPs provide cloud DDoS defenses and what companies should look for from them to ensure minimal business impact following an attack.

How CSPs provide cloud DDoS protection

To combat cloud DDoS threats, leading cloud providers offer DDoS protection services that can help protect cloud accounts and tenants in a wholly native and integrated solution. AWS offers its AWS Shield service for DDoS protection, while Microsoft Azure offers Azure DDoS Protection and Google Cloud has the Cloud Armor DDoS protection service.

While CSPs offer basic DDoS protection free of charge, most advanced services, such as customized traffic controls and incident support, come at an additional cost. Providers' standard plans are included for all tenants and defend against the most common, frequently occurring network and transport layer DDoS attacks that target sites and applications.

The advanced plans, however, have additional features, including the following:

  • Additional capacity for large DDoS events.
  • Native integration with web application firewalls and other network security controls.
  • Forensic and historical reporting.
  • Assistance from the CSP's incident response teams.
  • Limited cost protection for charges incurred during an attack.

As the outermost layer of a defense-in-depth network protection model, cloud DDoS protection services can help improve the availability and resiliency of the entire cloud network infrastructure. Some organizations opt for DDoS coverage with content delivery network providers, such as Cloudflare and Akamai. But cloud-native DDoS protection is getting better all the time, and more organizations consider these services as viable options.

What to look for in a cloud-based DDoS defense service

With many different types of DDoS detection and mitigation services, providers' options have a lot of variation. When considering a cloud-based DDoS provider, look at the following:

  • Cost. Some service providers charge a monthly flat fee, with additional costs for mitigation and remediation. Others charge for the amount of traffic bursting used, services employed, and the number of sites and services covered.
  • Vendor maturity. Some vendors, such as Akamai, have been combating DDoS attacks for many years, while others may be newer and less experienced in this space. The age of a vendor doesn't dictate whether it will be effective for an organization, but ask for customer references and examples when the vendor successfully defended different types of attacks.
  • Capabilities and features. Organizations should look for DDoS defenses that encompass more than volumetric attacks. While they are the most prevalent, other types of attacks are emerging, such as targeting the application layer and protocols. Any enterprise-class DDoS defense service should be able to handle some variations of all the attacks. In addition, many services offer management tools, reporting dashboards, threat intelligence briefings and additional research.
  • Response capabilities and experience. Response service-level agreements are important and so is experience. Organizations should ensure DDoS response services are staffed by experienced analysts with a history of defending against large-scale and sophisticated DDoS attacks.

DDoS attacks will continue in the future, whether fueled by criminal goals, political mischief or other motives. At the same time, the severity and sophistication of these attacks continues to grow, and many organizations are not well equipped to handle them.

Using a cloud-based DDoS defense service may prove to be an effective security control for preventing, detecting and responding to these attacks, whether an organization has on-premises protection or not. For protecting IaaS and PaaS assets, services available from their provider's environments are often affordable and capable options to consider.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.

Next Steps

DDoS mitigation: How to stop DDoS attacks

Dig Deeper on Cloud security