& cplSiteName &

Required DDoS Counter-Measure Needs Counter-Counter-Measure

Brian Santo
7/26/2016
50%
50%

DDoS attacks have grown so vast that enterprises have no legitimate option but to offload at least some traffic to the cloud as a necessary counter-measure. What's less well understood is that doing so creates a new risk: when a company moves to the cloud to mitigate network security attacks, other companies doing business with the same cloud provider create new potential vulnerabilities.

There are three basic categories of distributed denial of service (DDoS) attacks, explains David DeSanto, a network security expert working for Spirent Communications plc . A volumetric attack aims to overwhelm an enterprise network with traffic, consuming so much bandwidth the company cannot sustain legitimate business. A protocol attack aims to take advantage of a legitimate function; an example would be an attack that keeps opening TCP sessions that never get completed, consuming network resources that are now unavailable for legitimate traffic. An applications attack is one that takes advantage of a vulnerability or flaw in an application.

All three can be mitigated in the cloud, with the exception of the largest volumetric attacks, which have become so huge they can only be mitigated by using the cloud.

The biggest volumetric DDoS attack thus far was over 500 Gbit/s. Another recent attack might prove to have been over 600 Gbit/s. "No on-site solution can deal with that," DeSanto says.

Nobody wants to buy more of anything than they need, and that includes bandwidth. Companies commonly elect to buy capacity in a shared cloud resource, because buying dedicated resources can be expensive and -- from a cost-only perspective -- inefficient, if not wasteful.

Many companies naturally opt for the flexible, resource-sharing plans.

Cloud service providers give their customers access to hypervisors, the tools used to monitor and sometimes control virtual machines (VMs) running in the cloud.

DeSanto says that there have been demonstrated instances of hypervisors being misconfigured or not configured well, and that opens up a particular vulnerability -- Cloud Customer A can sometimes get access to Cloud Customer B's communications.

"You're only as secure as your neighbor," DeSanto said, "unless you're on your own cluster."


Want to know more about the latest developments in T&M, service assurance, monitoring, and other test issues? Check out our dedicated test channel here on Light Reading.


DeSanto says most of the known problems in hypervisor configuration have been fixed, though he adds that the root problem is inherent in the system, and for all anybody knows, there might be others that have yet to be discovered.

Seems like a situation in which you're damned if you do and damned if you don't. But maybe it's more like darned if you do, damned if you don't, because if you're a company looking at the cloud for DDoS mitigation, you do have some options to protect yourself.

Buy dedicated resources if you can. If that's not practical, make sure you have as much access to network information as you can get, so you can detect intrusions and developing DDoS attacks.

And run tests on your environment, pre-deployment and afterwards. Penetration testing is recommended. Spirent's CyberFlood product was designed for security and app performance testing, on network Layers 4 through 7.

— Brian Santo, Senior Editor, Components, T&M, Light Reading

(0)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Featured Video
Flash Poll
Upcoming Live Events
September 24-26, 2018, Westin Westminster, Denver
October 9, 2018, The Westin Times Square, New York
October 23, 2018, Georgia World Congress Centre, Atlanta, GA
November 6, 2018, London, United Kingdom
November 7-8, 2018, London, United Kingdom
November 8, 2018, The Montcalm by Marble Arch, London
November 15, 2018, The Westin Times Square, New York
December 4-6, 2018, Lisbon, Portugal
March 12-14, 2019, Denver, Colorado
All Upcoming Live Events
Partner Perspectives - content from our sponsors
One Size Doesn't Fit All – Another Look at Automation for 5G
By Stawan Kadepurkar, Business Head & EVP, Hi-Tech, L&T Technology Services
Prepare Now for the 5G Monetization Opportunity
By Yathish Nagavalli, Chief Enterprise Architect, Huawei Software
Huawei Mobile Money: Improving Lives and Accelerating Economic Growth
By Ian Martin Ravenscroft, Vice President of BSS Solutions, Huawei
Dealer Agent Cloud – Empower Your Dealer & Agent to Excel
By Natalie Dorothy Scopelitis, Director of Digital Transformation, Huawei Software
All Partner Perspectives