Modern businesses are increasingly dependent on the continuous availability of their systems and services. Entire business models often depend on the respective websites, platforms, etc. are continuously accessible to customers. Therefore, the availability of systems is the Achilles heel targeted by cybercriminals with Distributed Denial of Service (DDoS) attacks. Hackers make numerous requests to a system through various sources, to the point of overloading it and making it unable to respond to regular requests at all or only after a long delay. According to an analysis by Netscout, in 2020 there were more than 10 million such attacks on organizations worldwide, an increase of 22% over the previous year.
Cybercriminals have taken advantage of the massive changes in internet use that have come about as a result of the pandemic, especially with remote work, with many companies neglecting security precautions. A joint study by techconsult and IONOS, for example, shows that the IT security and management solutions used so far often do not do justice to the new reality.
In response to the new world of work, many companies are increasingly turning to cloud services to be able to run their applications in a more flexible, scalable and cost-effective way. But these cloud platforms also need protection against DDoS attacks.
Effectively secure cloud platforms against DDoS attacks
Due to the increasing cooperation of companies with cloud service providers, the security mechanisms that they have put in place to protect their platforms and the customer applications that run on them are becoming more important. Especially against DDoS attacks, cloud providers can put in place effective safeguards, especially if the provider not only has data centers but also its own backbone.
Own Backbone: Distributed Fight Against Distributed Attacks
The basic requirement to combat DDoS attacks as effectively as possible is for the cloud provider to detect them as early as possible, and also to be able to counter attacks, which are often carried out by globally distributed botnets, at multiple points.. Therefore, the largest possible coverage of the backbone network in different regions is advantageous. Through the different access points along the backbone network, the cloud provider not only has a single Internet access point, which can quickly become a bottleneck in the event of a large DDoS attack, but also that can counter the attack in a decentralized way.
Another advantage is that the cloud provider has its own backbone for data transmission: the traffic generated in the course of DDoS attacks is not only detected as soon as it reaches the data center, but is already on its way in the router. This allows cloud providers to take action at an early stage.
If there is no backbone of their own, cloud providers often have to resort to so-called blackholing in case of DDoS attacks: in this case, all traffic to the services of the attacked client is stopped to protect the rest of the clients and the other infrastructure. However, the client’s affected services can no longer be reached, as in the case of a successful DDoS attack – and the real goal of DDoS defense, keeping the client connected to the network, is lost.
DDoS Defense Platforms: The Extended Line of Defense
The cloud provider’s DDoS defense platform is the core component of defense against DDoS attacks. The essential components of a DDoS defense platform are as follows:
- Debugging center or DDoS traffic filter : All traffic passes through a DDoS traffic filter in which suspicious data traffic is identified, which is then forwarded to the nearest debugging center. It is especially important that only malicious traffic does not have direct access to the data centers, including the respective customer services, so that they continue to function during a DDoS attack. The distinction between good and bad traffic is made at the edge of the network by a data analytics system, where traffic metadata is analyzed and checked for anomalies.
As soon as anomalies are detected during data analysis, the traffic in question is directed directly to the debugging center during a certain time window. This is done in a decentralized way: in the event of a major DDoS attack, all existing debugging centers are directly activated to be prepared against large-scale attacks. Various “washing programs” are executed there: the systems filter malicious traffic at different levels and according to defined criteria. This includes various indicators, such as the origin of the traffic by country, the protocols, the source or destination IP, etc. In addition, a continuous comparison is made with reputation lists (eg spamhaus.org), in which already known DDoS sources are noted.
Once the traffic has passed through the various washing programs, the remaining cleaned traffic is directed to the corresponding data center and, therefore, to the client. Although this approach provides a minimum latency of around 3-4 milliseconds, it keeps the necessary systems up and running even during massive DDoS attacks. Even if all of the malicious traffic could not be filtered, the client’s systems under attack are often able to handle the remaining malicious traffic on their own.
- Continuous attack detection : Since DDoS attacks can strike at any time, continuous real-time monitoring of incoming traffic is necessary. Already in the router, the flow data of the incoming traffic is permanently analyzed and the predefined threshold values for the bits per second and packets per second metrics are continuously checked. Purely targeted scans offer comparatively less protection and should therefore be avoided if possible, as DDoS attacks can then go unnoticed.
- Automatic Damage Limitation – As soon as a DDoS attack is detected at the edge of the network, the DDoS defense platform automatically routes traffic through the scrubbing centers – no manual, potentially error-prone intervention required.
- Common protection against layer 3 and layer 4 attacks : The platform must provide security for all virtual facilities and resources. In particular, this includes protection against DDoS attacks at the network and transport layers, which account for approximately 98% of DDoS attacks overall.
- On-Demand IP-Specific DDoS Filtering : DDoS attacks often arrive at expected times, so certain IP addresses can be specially protected if desired. For example, the sales period of an online store becomes an attractive time to carry out a DDoS attack. To protect yourself, all traffic to this IP address is routed directly through the filtering platform and DDoS traffic is filtered naturally. If desired, only traffic from certain regions can be filtered, for example, if there are already indications in advance about the origin of a possible DDoS attack.
- On-demand attack diagnosis : After DDoS attacks, a detailed report is created based on an analysis, based on which the patterns of the attack in question can be traced and to be able to take even better precautions against such attacks in the future.
- Proactive expert support : The cloud provider proactively checks the customer’s network and reports as soon as a DDoS attack is detected on the network. At the same time, the service is always available to answer questions.
- Cloud platforms : Only include comprehensive DDoS protection.
DDoS attacks are on the rise
The growing interconnectedness of devices also ensures that cybercriminals have more and more devices at their disposal, which they can hijack and use to carry out ever-increasing DDoS attacks. Companies should require their cloud service providers to apply DDoS protection comprehensively and as effectively as possible.
It is advantageous if the cloud provider has its own platform that it can continually develop on its own in order to counter increasingly complex attacks as efficiently as possible. In this way, companies can effectively protect their own data centers, their customers’ ongoing services, and ultimately their business and reputation.
Also Read | 8 tips against phishing attacks to follow