Denial-of-Service attacks meet the cloud: 4 lessons

An old standby of cyber criminals -- the denial-of-service attack -- has become a new worry for data center operators.

As companies increasingly use virtualized data centers and cloud services, new weaknesses have opened up in enterprise infrastructure. At the same time, denial-of-service attacks are moving from brute-force floods of data to more skillful attacks on application infrastructure.

The combination is increasingly threatening for the companies that are placing critical business data outside their facilities, leaving their business reliant on continuing communications. In addition, with multi-tenant services becoming more common, attacks aimed at one company could dramatically impact the services of an unrelated, but co-located, firm.

"Enterprises continue to cite security and availability as the top barrier to adoption of cloud computing," Rob Ayoub, Global Program Director for Information Security research at Frost & Sullivan, said in a statement. "Given these concerns, hosting and other data center operators today must have the ability to mitigate attacks without interrupting customer facing services."

The most obvious attacks continue to be floods of data that hammer a victim's network, overwhelming the company's connection to its upstream provider. The growth in brute-force denial-of-service attacks, which can be seen in the increase in domain name lookups, is so great that Internet infrastructure company VeriSign remarked on the trend in its recent Domain Name Industry Brief.

Distributed denial-of-service attacks "probably make up a few percent of our traffic," says Ken Silva, chief technology officer of VeriSign. "It is a minor pollution problem for us, but it's a big pollution problem for the victim."

The best solution is to hunt down the attackers, an admittedly difficult proposition in the world of botnets and anonymous proxies. Yet, there are other ways, say experts. Here are four lessons for the new-old world of DDoS attacks.

1. DDoS attacks are easy

In the past, the computers used in distributed denial-of-service attacks were generally compromised by a single worm. When the worm was cleaned from enough systems, the attacker's ability to continue swamping a network ended.

Yet, with the rise of persistent botnets and the leasing of those botnets to attackers, criminals can flood a victim's network at will. Moreover, overwhelming a single network connection has become easier, especially with the dramatic increase in DDoS attack bandwidth, says Paul Sop, chief technology officer of network protection service Prolexic.

"People don't understand how easy it is for attackers to ramp up the bandwidth to knock you out," says Sop.

In 2005, the traffic seen by victims during an attack peaked at 3.5 Gbps. In 2006, that jumped to more than 10 Gbps, limited in many cases by the capabilities of Internet backbone links. In 2009, Arbor Networks detected more than 2,700 attacks in excess of 10 Gbps.

2. Specific apps targeted

Today, however, the danger is increasingly from denial-of-service attacks that focus on resource-intensive parts of a company's infrastructure to overwhelm key servers and services. Attackers are using low-bandwidth attacks on specific applications to take down a victim's online services.

For example, abusing secure HTTP requests can overwhelm a company's servers and routers, and an attack that opens a multitude of account-creation requests can hang many applications, says Prolexic's Sop.

"These guys in the past have learned how to knock (victims) out with a Mike Tyson punch, but over the last three years, we have seen others who just blow on the right part of a site and knock it over," he says. "Real attackers attack the application itself."
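The following is an added example, not part of the original article: a detection sketch showing why a per-client bandwidth threshold misses the low-bandwidth application attacks described above, while a threshold on estimated server-side cost catches them. The log format, endpoint paths, cost weights, and limits are all assumptions made for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# Assumed relative server-side cost per path prefix (hypothetical weights).
ENDPOINT_COST = {"/account/create": 50, "/static/": 1}
DEFAULT_COST = 2

def build_sample_log():
    """Constructed lines for one 60-second window: 'client method path bytes'."""
    lines = []
    lines += ["198.51.100.7 POST /account/create 512"] * 40     # small, expensive requests
    lines += ["203.0.113.9 GET /static/video.mp4 5000000"] * 3  # large, cheap downloads
    lines += ["192.0.2.4 GET /index.html 20000"] * 10           # ordinary browsing
    return lines

def parse(lines):
    """Yield (client, path, bytes); malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[0], parts[2], int(parts[3])

def request_cost(path):
    """Look up the assumed cost of one request by path prefix."""
    for prefix, cost in ENDPOINT_COST.items():
        if path.startswith(prefix):
            return cost
    return DEFAULT_COST

def per_client_totals(lines):
    """Sum transferred bytes and estimated cost per client for the window."""
    totals = defaultdict(lambda: {"bytes": 0, "cost": 0})
    for client, path, size in parse(lines):
        totals[client]["bytes"] += size
        totals[client]["cost"] += request_cost(path)
    return dict(totals)

def flag(totals, metric, limit):
    """Return the clients whose chosen metric exceeds the limit."""
    return sorted(c for c, t in totals.items() if t[metric] > limit)

if __name__ == "__main__":
    totals = per_client_totals(build_sample_log())
    print("over byte limit:", flag(totals, "bytes", 1_000_000))
    print("over cost limit:", flag(totals, "cost", 500))
```

In this constructed window the account-creation client transfers about 20 KB, far below the byte limit, yet accounts for almost all of the estimated backend cost.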

3. Understand co-location realities

In the cloud, companies have to worry not just about attacks on their resources, but also about attacks on co-located tenants. Companies that use a co-location service must make sure the facility has adequate protection, of course. Physical servers may hold multiple customers' virtual machines, and providers take different approaches to ensuring safe space between VMs and handling related compliance issues for customers in regulated industries.

"Those providers have a lot of customers hosted on shared platform," Sop says.

While it's unlikely that companies will be able to know their neighbors, vetting their data center landlord's defenses should be a first step. It's also critical to understand what aspects of security remain your responsibility, not the co-location provider's.

4. Look to the cloud to help the cloud

While the movement to cloud computing has created weaknesses in business infrastructure, increasing the criticality of corporate connections to the Internet, cloud computing's ability to quickly provision resources and collect expertise in key areas also helps mitigate the threat, says Silva.

"You can have the best data center in the world, but you can put in only so much bandwidth on a per-data-center basis," he says.

Instead, companies should contract with a bandwidth-as-a-service provider, whether it's a content distribution network such as Akamai or a purer infrastructure play such as VeriSign's offering, he says.

"I think the lesson for CIOs is that the only real and right way to mitigate denial-of-service attacks is in the cloud, whether that is a cloud that you create or one that you buy," Silva says.

The lesson for every data center operator is that, if the attacks reach your network connection to the Internet, it's too late, says Prolexic's Sop.

"The worst thing a victim can do is fight the battle on their front door," Sop says.
