For the second consecutive year, botnet-driven volumetric floods and application-layer Distributed Denial of Service (DDoS) attacks are the fastest-growing DDoS attack vectors and remain among the most significant problems facing network operators. An application-layer DDoS attack is harder to detect in the provider cloud using traditional flow-based techniques (NetFlow-style rate and volume thresholds) because it usually does not produce a significantly higher traffic rate. Yet it can still bring down the targeted services.
These application-layer attacks on data centers have led to significant outages, customer churn and revenue loss. Additionally, enterprises point to the DDoS threat to the data center – interrupting the availability of services and data – as one of the biggest obstacles when looking to move to a cloud-based infrastructure. Let’s examine how a solution that bridges the gap between the enterprise data center edge and the service provider cloud can ensure the availability of data center services and applications by mitigating DDoS attacks.
From the Edge to the Cloud: The Call for Comprehensive DDoS Protection
For many large companies and institutions, the WikiLeaks-inspired DDoS attacks and counterattacks were a sobering wake-up call. While very high profile, the WikiLeaks attacks represent only a small percentage of the overall DDoS attack landscape. More commonly, volumetric flood DDoS attacks exceed the inbound bandwidth capacity of most Internet service providers (ISPs), hosting providers, data center operators, enterprises, application service providers (ASPs), and government institutions that host and interconnect most of the Internet’s content.
At the other end of the spectrum, application- and service-layer DDoS attacks focus on degrading the back-end computation, database and distributed storage resources of Web-based services. For example, a service- or application-level attack may cause an application server to patiently wait for client data that arrives only a few bytes at a time; each such connection ties up a worker thread or connection slot, so a few thousand slow clients can create a processing bottleneck on a server whose bandwidth graph looks idle.
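The detection gap described above, as an added example that is not from the original article: the connection records are constructed, and the two detectors (an aggregate bit-rate threshold of the kind a flow collector applies, and a per-connection check for requests that stall while holding a server worker) are illustrative implementations, not any product's logic.

```python
"""Added example: why a flow-rate threshold misses a slow application-layer
DoS that a per-connection stall check catches. All connection records below
are constructed; thresholds are assumptions chosen for illustration."""
from dataclasses import dataclass


@dataclass
class Conn:
    src: str                 # client address
    bytes_sent: int          # bytes received from the client so far
    duration_s: float        # seconds the connection has been open
    request_complete: bool   # has the server seen the end of the request headers?


# Constructed sample: three ordinary clients plus 200 bots that each opened a
# connection 90 seconds ago and have trickled in only 40 bytes of headers.
SAMPLE = [
    Conn("198.51.100.10", 900, 0.4, True),
    Conn("198.51.100.11", 1200, 0.9, True),
    Conn("198.51.100.12", 400, 0.2, True),
] + [Conn(f"203.0.113.{i}", 40, 90.0, False) for i in range(1, 201)]


def total_bps(conns, window_s=100.0):
    """Aggregate inbound bit rate over the observation window: what a
    NetFlow-style volumetric threshold sees."""
    return sum(c.bytes_sent for c in conns) * 8 / window_s


def volumetric_alarm(conns, threshold_bps=1_000_000):
    """Flow-based detector: alarms only when the link carries unusual volume."""
    return total_bps(conns) > threshold_bps


def slow_request_offenders(conns, max_header_wait_s=30.0, min_bytes_per_s=100):
    """Application-layer check: connections that have held a worker far longer
    than a legitimate client needs to finish its request headers, while
    sending data far slower than any real browser does."""
    return [c.src for c in conns
            if not c.request_complete
            and c.duration_s > max_header_wait_s
            and c.bytes_sent / c.duration_s < min_bytes_per_s]


def app_layer_alarm(conns, max_stalled=50):
    """Alarm when the number of stalled connections threatens the worker pool."""
    return len(slow_request_offenders(conns)) > max_stalled


if __name__ == "__main__":
    print(f"inbound rate: {total_bps(SAMPLE):.0f} bps")          # ~840 bps
    print("volumetric alarm:", volumetric_alarm(SAMPLE))          # False
    print("stalled connections:", len(slow_request_offenders(SAMPLE)))  # 200
    print("application-layer alarm:", app_layer_alarm(SAMPLE))   # True
```

The 200 attack connections add under a kilobit per second to the link, so the rate threshold stays quiet, while the stall check flags every one of them. The same idea applies to the edge appliance discussed later: it sees per-connection state in front of the firewall, which the provider's flow view does not.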
Detecting and mitigating the most damaging attacks is a challenge that must be shared by network operators, hosting providers and enterprises. The world’s leading carriers generally use specialized, high-speed mitigation infrastructure – and sometimes the cooperation of other providers – to detect and block attack traffic. Beyond ensuring that their providers have these capabilities, enterprises must deploy intelligent DDoS mitigation systems (IDMS) to protect critical applications and services.
Until now, no comprehensive threat resolution mechanism has existed that addresses both application-layer DDoS attacks at the edge and volumetric DDoS attacks in the cloud. True, many data center operators have purchased DDoS protection services from their ISP or MSSP, but they lack a single dashboard that gives them the visibility to stop targeted application attacks as well as upstream volumetric threats that may be spread across multiple providers.
Enter the next evolutionary step in addressing this complex challenge.
Cloud Signaling: A Faster, Automated Way to Provide a Comprehensive DDoS Mitigation
Cloud signaling addresses the need for a coordinated response to both aspects of today’s increasingly complex DDoS threat: the magnitude of the largest volumetric attacks and the sophistication of the latest application-layer denial of service attacks. It is an efficient, integrated system that bridges the customer premises to the service provider cloud. Cloud signaling enables data center operators to reduce the time to mitigation and increase the effectiveness of DDoS protection, resulting in major operational cost savings and preserving the company’s reputation.
The following hypothetical scenario demonstrates the need for cloud signaling from the customer perspective. An engineer working at a data center operator notices that critical services such as corporate sites, mail, and DNS are no longer accessible. After a root cause analysis, he realizes that the company’s servers are under a significant DDoS attack. Because his company’s services are down, the entire company and even customers are suddenly watching every move. The data center engineer must work with customer support centers from multiple upstream ISPs to coordinate a broad DDoS mitigation response to stop the attack. Simultaneously, the data center engineer must provide constant situational updates internally to management teams and application owners. To be effective, the engineer must also have the right internal tools available in front of the firewalls to stop the application-layer attack targeting the servers. All of this must be done in a high-pressure, time-sensitive environment.
The same scenario would be quite different if the data center engineer had the option of cloud signaling. Once he discovered that the source of the problem is a DDoS attack, the engineer could choose to mitigate the attack in the cloud by triggering a cloud signal to the IDMS infrastructure in the provider network. The attack would immediately diminish or disappear altogether from the data center’s access links, protecting availability and restoring services. This would relieve the engineer of internal pressure from executive leadership and application managers, allowing him to communicate with the upstream cloud provider, gain situational awareness about the attack and fine-tune the cloud defense.
The engineer would also benefit from real-time monitoring of the attack mitigation, as well as granular post-mortem reports with details of the attack and the steps taken to mitigate it. This helps him stay in control and in command of the event, as well as establish best practices. In a nutshell, cloud signaling enables the data center operator to reduce time to mitigation and increase the effectiveness of the response against DDoS threats, saving the company major operational expense and preserving its reputation.
Bridging the Gap: A Closer Look
The only way for data center and cloud operators to have optimal protection against DDoS attacks is through a combination of on-premise and in-cloud protection. The best practice for ensuring cloud signaling integrity is to provision a separate out-of-band management network between the data center and the cloud provider. This guarantees that the cloud signaling component remains reachable even when the entire data center link is saturated in both directions, or completely offline. The guarantee only holds if the management path is genuinely independent of the primary link (a different circuit, and ideally a different carrier), not a second VLAN on the same saturated uplink.
The edge appliance can maintain operational and management capabilities while the network is under attack. In many cases, it can detect the attack before the stateful firewall is overwhelmed. Many availability attacks flood only the downstream direction (toward the data center) while the upstream direction (from the data center toward the provider) is still usable. However, it is entirely possible for an attack to consume most of the bandwidth available to the data center in both directions.
To limit the impact of this, a cloud signaling protocol uses stateless datagram communication, with the application layer retrying persistently when messages are lost to congestion. The protocol is used to drive both customer-edge mitigation of application-layer attacks and upstream mitigation of volumetric attacks in an automated, real-time manner.
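A toy version of the stateless request/acknowledgement exchange with application-layer retries, added here as an illustration and not the page's or any vendor's protocol: the message format, field names, pre-shared key, retry count and backoff schedule are all assumptions. The lossy link is a constructed stand-in for a saturated access circuit, so the example runs offline.

```python
"""Added example: a stateless cloud-signal datagram exchange with
application-layer retries. Every datagram carries the full request and an
HMAC, so the receiver keeps no session; a retried duplicate is acknowledged
without being applied twice. Format, key and backoff are assumptions."""
import hashlib
import hmac
import json

SHARED_KEY = b"example-psk-replace-in-production"  # assumed per-customer pre-shared key
MAX_BACKOFF_S = 8.0                                 # assumed retry ceiling


def build_signal(site_id, seq, action, prefixes):
    """One self-contained datagram: everything the receiver needs, authenticated."""
    body = json.dumps({"site": site_id, "seq": seq, "action": action,
                       "prefixes": sorted(prefixes)}, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def parse_signal(datagram):
    """Return the message dict, or None if the tag does not verify."""
    body, sep, tag = datagram.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class ProviderIDMS:
    """Provider-side receiver. No connection state: each datagram stands alone,
    and a retransmitted (site, seq) pair is acked without reapplying it."""

    def __init__(self):
        self.active = {}   # site -> set of prefixes currently under mitigation
        self.seen = set()  # (site, seq) pairs already applied

    def handle(self, datagram):
        msg = parse_signal(datagram)
        if msg is None:
            return None  # unauthenticated: drop silently, never ack
        key = (msg["site"], msg["seq"])
        prefixes = self.active.setdefault(msg["site"], set())
        if key not in self.seen:
            self.seen.add(key)
            if msg["action"] == "mitigate":
                prefixes.update(msg["prefixes"])
            elif msg["action"] == "stop":
                prefixes.difference_update(msg["prefixes"])
        return build_signal(msg["site"], msg["seq"], "ack", prefixes)


class LossyLink:
    """Constructed stand-in for a congested circuit: `drops` schedules whether
    each successive datagram (requests and replies, in order) is lost."""

    def __init__(self, drops):
        self._drops = iter(drops)

    def _lost(self):
        return next(self._drops, False)

    def deliver(self, datagram, receiver):
        if self._lost():
            return None
        reply = receiver.handle(datagram)
        if reply is None or self._lost():
            return None
        return reply


def signal_with_retries(link, idms, site_id, seq, action, prefixes, max_attempts=8):
    """Edge-side sender: resend the identical datagram until a matching ack
    arrives. Returns (attempts, backoffs_waited, acked_prefixes), or None."""
    backoff, schedule = 0.5, []
    datagram = build_signal(site_id, seq, action, prefixes)
    for attempt in range(1, max_attempts + 1):
        reply = link.deliver(datagram, idms)
        ack = parse_signal(reply) if reply is not None else None
        if ack and ack["action"] == "ack" and ack["seq"] == seq:
            return attempt, schedule, ack["prefixes"]
        schedule.append(backoff)  # a real client would time.sleep(backoff) here
        backoff = min(backoff * 2, MAX_BACKOFF_S)
    return None


if __name__ == "__main__":
    idms = ProviderIDMS()
    # first request lost, second applied but its ack lost, third acked
    link = LossyLink(drops=[True, False, True, False, False])
    print(signal_with_retries(link, idms, "dc-east", 1, "mitigate", ["192.0.2.0/24"]))
```

Two properties matter for a channel that has to work while the link is being flooded: the sender can keep firing the same datagram without any handshake, and the receiver treats a duplicate as harmless, so a lost acknowledgement never results in a mitigation being applied twice or a "stop" being re-armed.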
High-profile attacks from Anonymous, LulzSec, and other rogue groups demonstrate the clear need for effective DDoS solutions. As miscreants refine their DDoS techniques and acquire stronger motivations to use them, data center operators and service providers must find new ways to identify and mitigate evolving DDoS threats. Adding cloud signaling to the ISP/MSSP portfolio further strengthens the overall managed DDoS service by providing customers with complete DDoS protection from a single dashboard. Cloud signaling empowers data center operators to quickly address both high-bandwidth attacks and targeted application-layer attacks in a simpler, automated and real-time manner, while enabling MSSPs to significantly grow the revenue generated by their managed DDoS protection offering.