By Rakesh Shah
Recent high-profile security incidents have heightened awareness of how Distributed Denial of Service (DDoS) attacks can compromise the availability of critical websites, applications and services. Any downtime can result in lost business, brand damage, financial penalties, and lost productivity. For many large companies and institutions, DDoS attacks have been a sobering wake-up call, and threats to availability are also one of the biggest potential hurdles to moving to, or rolling out, a cloud infrastructure.
Arbor Networks’ sixth annual Worldwide Infrastructure Security Report shows that DDoS attacks are growing rapidly and can vary widely in scale and sophistication. At the high end of the spectrum, large volumetric attacks reaching sustained peaks of 100 Gbps have been reported. These attacks exceed the aggregate inbound bandwidth capacity of most internet service providers (ISPs), hosting providers, data center operators, enterprises, application service providers (ASPs) and government institutions that interconnect most of the Internet's content.
At the other end of the spectrum, application and service-layer DDoS attacks focus not on denying bandwidth but on degrading the back-end computation, database and distributed storage resources of Web-based services. For example, service or application-level attacks may cause an application server to patiently wait for client data – thus causing a processing bottleneck. Application-layer attacks are the fastest-growing DDoS attack vector.
Detecting and mitigating the most damaging attacks is a challenge that must be shared by network operators, hosting providers and enterprises. The world’s leading carriers generally use specialized, high-speed mitigation infrastructures – and sometimes the cooperation of other providers – to detect and block attack traffic. Beyond ensuring that their providers have these capabilities, enterprises must also deploy intelligent DDoS mitigation systems to protect critical applications and services.
Why Existing Security Solutions Can’t Stop DDoS Attacks
Why can’t enterprises protect themselves against DDoS attacks when they have sophisticated security technology? Enterprises continuously deploy products like firewalls and intrusion prevention systems (IPS), but the attacks continue. While IPS, firewalls and other security products are essential elements of a layered-defense strategy, they do not solve the DDoS problem. Because they are designed to protect the network perimeter from infiltrations and exploits and to be policy enforcement points in the security portfolio of organizations, they leverage stateful traffic inspection technologies to enforce network policy and integrity. This makes these devices susceptible to state resource exhaustion, which results in dropped traffic, device lock-ups and potential crashes.
The application-layer DDoS threat actually amplifies the risk to data center operators. That’s because IPS devices and firewalls become more vulnerable to the increased state demands of this emerging attack vector – making the devices themselves more susceptible to the attacks. Moreover, there is a distinct gap in the ability of existing edge-based solutions to leverage the cloud’s growing DDoS mitigation capacity, the service provider’s DDoS infrastructure or the dedicated DDoS mitigation capacity deployed upstream of the victim’s infrastructure.
Current solutions do not take advantage of the distributed computing power available in the network and cannot coordinate upstream resources to deflect an attack before it saturates the last mile. No existing solution enables DDoS mitigation both at the edge and in the cloud.
Cloud Signaling: A Faster, Automated Approach to Comprehensive DDoS Mitigation
Enterprises need comprehensive, integrated protection from the data center edge to the service provider cloud. For example, when data center operators discover they are under a service-disrupting DDoS attack, they should be able to quickly mitigate the attack in the cloud by triggering a signal to upstream infrastructure of their provider’s network.
The following scenario demonstrates the need for cloud signaling from an enterprise’s perspective. A network engineer notices that critical services such as corporate sites, email and DNS are no longer accessible. After a root cause analysis, the engineer realizes that the company's servers are under a significant DDoS attack. Because its external services are down, the entire company, along with its customers, is suddenly watching every move. He must then work with customer support centers from multiple upstream ISPs to coordinate a broad DDoS mitigation response to stop the attack.
Simultaneously, he must provide constant updates internally to management teams and various application owners. To be effective, the engineer must also have the right internal tools available in front of the firewalls to stop the application-layer attack targeting the servers. All of this must be done in a high-pressure, time-sensitive environment.
Until now, no comprehensive threat resolution mechanism has existed that completely addresses application-layer DDoS attacks at the data center edge and volumetric DDoS attacks in the cloud. True, many data center operators have purchased DDoS protection services from their ISP or MSSP. But they lack a simple mechanism to connect the premises to the cloud and a single dashboard to provide visibility. Together, these capabilities can stop targeted application attacks as well as upstream volumetric threats that can be distributed across multiple providers.
The previous hypothetical scenario would be quite different if the data center engineer had the option of signaling to the cloud. Once he had discovered that the source of the problem was a DDoS attack, the engineer could choose to mitigate the attack in the cloud by triggering a cloud signal to the provider network. The cloud signal would include details about the attack to increase the effectiveness of the provider’s response. This would take internal pressure off the engineer from management and application owners. It would also allow the engineer to communicate with the upstream cloud provider to give more information about the attack and fine-tune the cloud defense.
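To make the two decisions in the article concrete (release idle application-layer state in front of the firewall; signal upstream, with attack details, when volume exceeds the last mile), here is an added toy edge monitor. It is not Arbor's code and not a real Cloud Signaling protocol; the thresholds, record fields, signal fields and sample connections are all constructed assumptions.

```python
"""Added illustration, not Arbor's code: a toy edge monitor that separates
application-layer state exhaustion from volumetric saturation and decides
what to do about each.  All thresholds and field names are assumptions."""
from collections import Counter
from dataclasses import dataclass

STATE_TABLE_SIZE = 1000        # assumed firewall/IPS connection-table capacity
LAST_MILE_BPS = 1_000_000_000  # assumed 1 Gbps inbound link
IDLE_SLOW_SECONDS = 30         # client silent this long is holding state idly

@dataclass
class Conn:
    src: str
    target: str
    idle_s: float   # seconds since the client last sent any data
    bps: float      # average inbound bits per second on this connection

def assess(conns):
    """Return local actions for application-layer state exhaustion and a
    cloud signal (attack details for the provider) when volume exceeds
    the last mile; either, both or neither may apply."""
    state_util = len(conns) / STATE_TABLE_SIZE
    slow = [c for c in conns if c.idle_s >= IDLE_SLOW_SECONDS]
    inbound_bps = sum(c.bps for c in conns)
    decision = {"actions": [], "cloud_signal": None}
    # Application-layer: many connections hold state while the server waits
    # for client data.  This is what exhausts stateful devices, and it can
    # be handled in front of the firewall by releasing the idle state.
    if state_util > 0.8 and len(slow) / max(len(conns), 1) > 0.5:
        decision["actions"].append(("drop_idle_connections", len(slow)))
    # Volumetric: the aggregate exceeds what the link can carry, so only the
    # upstream provider can help.  Build the signal with attack details.
    if inbound_bps > LAST_MILE_BPS:
        top = Counter()
        for c in conns:
            top[c.src] += c.bps
        decision["cloud_signal"] = {
            "target": Counter(c.target for c in conns).most_common(1)[0][0],
            "observed_bps": inbound_bps,
            "top_sources": [s for s, _ in top.most_common(3)],
        }
        decision["actions"].append(("signal_upstream", len(top)))
    return decision

# Constructed sample: 900 slow clients parked on the web tier plus five
# high-rate sources (documentation address ranges) saturating the link.
SAMPLE = ([Conn(f"203.0.113.{i % 250}", "www", 45.0, 1_000.0) for i in range(900)]
          + [Conn(f"198.51.100.{i}", "www", 0.1, 300_000_000.0) for i in range(5)])
```

Running `assess(SAMPLE)` yields both a local drop of the 900 idle connections and a cloud signal naming the web tier, the observed 1.5 Gbps and the five high-rate sources; an empty connection set yields no action.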
As DDoS attacks become more prevalent, data center operators and service providers must find new ways to identify and mitigate evolving DDoS attacks. Vendors must empower data center operators to quickly address both high-bandwidth attacks and targeted application-layer attacks in an automated and simple manner. This saves companies from major operational expense, customer churn and revenue loss. It’s called Cloud Signaling and it’s the next step in protecting data centers in the cloud, including revenue-generating applications and services.
Rakesh Shah has been with Arbor Networks since 2001, helping to take products from early stage to category-leading solutions. Before managing the product marketing group, Shah was the director of product management for Arbor's Peakflow products, and he was also a manager in the engineering group. Previously, Shah held various engineering and technical roles at Lucent Technologies and CGI/AMS. He holds an MEng from Cornell University and a BS from the University of Illinois at Urbana-Champaign, both in electrical and computer engineering.