Denial-of-Service Attacks Meet the Cloud: 4 Lessons
An old standby of cyber criminals--the denial-of-service attack--has become a new worry for data center operators.
As companies increasingly use virtualized data centers and cloud services, new weaknesses have opened up in enterprise infrastructure. At the same time, denial-of-service attacks are moving from brute-force floods of data to more skillful attacks on application infrastructure.
The combination is increasingly threatening for the companies that are placing critical business data outside their facilities, leaving their business reliant on continuing communications. In addition, with multi-tenant services becoming more common, attacks aimed at one company could dramatically impact the services of an unrelated, but co-located, firm.
"Enterprises continue to cite security and availability as the top barrier to adoption of cloud computing," Rob Ayoub, Global Program Director for Information Security research at Frost & Sullivan said in a statement. "Given these concerns, hosting and other data center operators today must have the ability to mitigate attacks without interrupting customer facing services."
The most obvious attacks continue to be floods of data that hammer a victim's network, overwhelming the company's connection to its upstream provider. The growth in brute-force denial-of-service attacks, which can be seen in the increase in domain name lookups, is so great that Internet infrastructure company VeriSign remarked on the trend in its recent Domain Name Industry Brief.
Distributed denial-of-service attacks "probably make up a few percent of our traffic," says Ken Silva, chief technology officer of VeriSign. "It is a minor pollution problem for us, but it's a big pollution problem for the victim."
The best solution is to hunt down the attackers, an admittedly difficult proposition in the world of botnets and anonymous proxies. Yet, there are other ways, say experts. Here are four lessons for the new-old world of DDoS attacks.
1. DDoS attacks are easy
In the past, the computers used in distributed denial-of-service attacks were generally compromised by a single worm. When the worm was cleaned from enough systems, the attacker's ability to continue swamping a network ended.
Yet, with the rise of persistent botnets and the leasing of those botnets to attackers, criminals can flood a victim's network at will. Moreover, overwhelming a single network connection has become easier, especially with the dramatic increase in DDoS attack bandwidth, says Paul Sop, chief technology officer of network protection service Prolexic.
"People don't understand how easy it is for attackers to ramp up the bandwidth to knock you out," says Sop.
In 2005, the traffic seen by victims during an attack peaked at 3.5 Gbps. In 2006, that jumped to more than 10 Gbps, limited in many cases by the capabilities of Internet backbone links. In 2009, Arbor Networks detected more than 2,700 attacks in excess of 10 Gbps.
2. Specific apps targeted
Today, however, the danger is increasingly from denial-of-service attacks that focus on resource-intensive parts of a company's infrastructure to overwhelm key servers and services. Attackers are using low-bandwidth attacks on specific applications to take down a victim's online services.
For example, abusing secure HTTP requests can overwhelm a company's servers and routers or creating an attack that opens a multitude of account-creation requests can hang many applications, says Prolexic's Sop.
"These guys in the past have learned how to knock (victims) out with a Mike Tyson punch, but over the last three years, we have seen others who just blow on the right part of a site and knock it over," he says. "Real attackers attack the application itself."
3. Understand co-location realities
In the cloud, companies have to worry not just about attacks on their resources, but also about attacks on co-located tenants. Companies that use a co-location service must make sure the facility has adequate protection, of course. Physical servers may hold multiple customers' virtual machines, and providers take different approaches to ensuring safe space between VMs and handling related compliance issues for customers in regulated industries.
"Those providers have a lot of customers hosted on shared platform," Sop says.
While it's unlikely that companies will be able to know their neighbors, vetting their data center landlord's defenses should be a first step. It's also critical to understand what aspects of security remain your responsibility, not the co-location provider's.
4. Look to the cloud to help the cloud
While the movement to cloud computing has created weaknesses in business infrastructure, increasing the criticality of corporate connections to the Internet, cloud computing's ability to quickly provision resources and collect expertise in key areas also helps mitigate the threat, says Silva.
"You can have the best data center in the world, but you can put in only so much bandwidth on a per-data-center basis," he says.
Instead, companies should contract with a bandwidth-as-a-service provider, whether its a content distribution network such as Akamai or a purer infrastructure play such as VeriSign's offering, he says.
"I think the lesson for CIOs is that the only real and right way to mitigate denial-of-service attacks is in the cloud, whether that is a cloud that you create or one that you buy," Silva says.
The lesson for every data center operator is that, if the attacks reach your network connection to the Internet, it's too late, say Prolexic's Sop.
"The worst thing a victim can do is fight the battle on their front door," Sop says.
Follow everything from CIO.com on Twitter @CIOonline.