Required DDoS Counter-Measure Needs Counter-Counter-Measure
DDoS attacks have grown so vast that enterprises have no legitimate option but to offload at least some traffic to the cloud as a necessary counter-measure. What's less well understood is that doing so creates a new risk: when a company moves to the cloud to mitigate network security attacks, other companies doing business with the same cloud provider create new potential vulnerabilities.
There are three basic categories of distributed denial of service (DDoS) attacks, explains David DeSanto, a network security expert working for Spirent Communications plc. A volumetric attack aims to overwhelm an enterprise network with traffic, consuming so much bandwidth that the company cannot sustain legitimate business. A protocol attack aims to take advantage of a legitimate function; an example would be an attack that keeps opening TCP sessions that never get completed, consuming network resources that are then unavailable for legitimate traffic. An application attack is one that takes advantage of a vulnerability or flaw in an application.
All three can be mitigated in the cloud, and the largest volumetric attacks have become so huge that the cloud is the only place they can be mitigated at all.
The biggest volumetric DDoS attack thus far was over 500 Gbit/s. Another recent attack might prove to have been over 600 Gbit/s. "No on-site solution can deal with that," DeSanto says.
Nobody wants to buy more of anything than they need, and that includes bandwidth. Companies commonly elect to buy capacity in a shared cloud resource, because buying dedicated resources can be expensive and -- from a cost-only perspective -- inefficient, if not wasteful.
Many companies naturally opt for the flexible, resource-sharing plans.
Cloud service providers give their customers access to hypervisors, the software layer that runs, monitors and controls the virtual machines (VMs) hosted in the cloud.
DeSanto says that there have been demonstrated instances of hypervisors being misconfigured or not configured well, and that opens up a particular vulnerability -- Cloud Customer A can sometimes get access to Cloud Customer B's communications.
"You're only as secure as your neighbor," DeSanto said, "unless you're on your own cluster."
DeSanto says most of the known problems in hypervisor configuration have been fixed, though he adds that the root problem is inherent in the system, and for all anybody knows, there might be others that have yet to be discovered.
Seems like a situation in which you're damned if you do and damned if you don't. But maybe it's more like darned if you do, damned if you don't, because if you're a company looking at the cloud for DDoS mitigation, you do have some options to protect yourself.
Buy dedicated resources if you can. If that's not practical, make sure you have as much access to network information as you can get, so you can detect intrusions and developing DDoS attacks.
And run tests on your environment, pre-deployment and afterwards. Penetration testing is recommended. Spirent's CyberFlood product was designed for security and app performance testing, on network Layers 4 through 7.
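The two attack categories DeSanto describes above (volumetric floods and protocol attacks that open sessions without completing them) both leave a signature in the network information the article says you should insist on having. The following script is an added illustration, not code from the article or from Spirent: it parses a constructed flow-record format (timestamp, source, destination, protocol, aggregated TCP flags, bytes), flags destinations whose inbound rate exceeds a threshold in any short window, and flags destinations where half-open TCP sessions (SYN seen, no ACK ever seen) dominate. The thresholds, the record format and the sample traffic are all assumptions made for the example.

```python
# Added example (not part of the article, not Spirent code): simple detectors for
# two of the DDoS categories described in the text, run over constructed flow records.
# Record format (constructed): "<epoch_sec> <src> <dst> <proto> <tcp_flags> <bytes>"
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    ts: int      # epoch second the flow record was emitted
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    flags: str   # TCP flags observed over the flow's life; "-" for non-TCP
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow."""
    ts, src, dst, proto, flags, nbytes = line.split()
    return Flow(int(ts), src, dst, proto, flags, int(nbytes))


def detect_volumetric(flows: List[Flow], window: int = 10,
                      mbps_threshold: float = 8.0) -> Dict[str, float]:
    """Return {dst: peak Mbit/s} for destinations whose inbound rate in any
    `window`-second bucket exceeds the threshold (the volumetric pattern).
    The 8 Mbit/s threshold is a constructed value for the sample data."""
    buckets: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        buckets[(f.dst, f.ts // window)] += f.nbytes
    peak: Dict[str, float] = {}
    for (dst, _), total in buckets.items():
        mbps = total * 8 / window / 1_000_000
        if mbps > mbps_threshold:
            peak[dst] = max(mbps, peak.get(dst, 0.0))
    return peak


def detect_half_open(flows: List[Flow], min_syn: int = 20,
                     ratio: float = 0.8) -> Dict[str, int]:
    """Return {dst: half-open count} where TCP flows that never completed the
    handshake (SYN seen, no ACK) make up at least `ratio` of all TCP flows:
    the protocol-attack pattern of sessions opened and never finished."""
    syn_only: Dict[str, int] = defaultdict(int)
    tcp_total: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        tcp_total[f.dst] += 1
        if "S" in f.flags and "A" not in f.flags:
            syn_only[f.dst] += 1
    return {dst: n for dst, n in syn_only.items()
            if n >= min_syn and n / tcp_total[dst] >= ratio}


def sample_records() -> List[str]:
    """Constructed flow records: normal completed web sessions to 10.0.0.5,
    a half-open (SYN-only) flood against 10.0.0.5 from many sources, and a
    UDP flood against 10.0.0.6 (25 flows of 500 kB inside one 10 s window,
    i.e. 10 Mbit/s)."""
    lines = []
    for i in range(10):
        lines.append(f"1000 192.0.2.{i + 1} 10.0.0.5 tcp SAPF 4200")
    for i in range(45):
        lines.append(f"1005 198.51.100.{i + 1} 10.0.0.5 tcp S 60")
    for i in range(25):
        lines.append(f"1012 203.0.113.{i + 1} 10.0.0.6 udp - 500000")
    return lines


def run(lines: List[str]) -> Dict[str, dict]:
    """Parse the records and run both detectors; returns the alerts per kind."""
    flows = [parse_flow(line) for line in lines]
    return {"volumetric": detect_volumetric(flows),
            "half_open": detect_half_open(flows)}


if __name__ == "__main__":
    for kind, hits in run(sample_records()).items():
        print(kind, hits)
```

On the sample data the volumetric detector reports only 10.0.0.6 and the half-open detector reports only 10.0.0.5; the legitimate sessions, which carry ACKs and little volume, trip neither. In a shared cloud mitigation tier the same two checks are also what you would want per tenant, since a neighbour's flood shows up in your own flow records as an unexplained rise in one of these counters.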
— Brian Santo, Senior Editor, Components, T&M, Light Reading