4 Tips to Make Your Cloud More Resilient to a DDoS Attack
DDoS attacks are typically designed to inundate servers and entire networks by consuming computing resources through large volumes of traffic, connections, or requests. And so, because cloud infrastructures are assumed to be backed by a large assemblage of such resources, many people believe their servers are less susceptible to these types of attacks if they’re hosted in the cloud. But that’s not entirely true.
If your servers are hosted in a multitenant environment along with a bunch of other servers belonging to other organisations (which is usually the case in a public cloud), your servers could be at risk of collateral damage. If those other servers (note: not yours) are bombarded by a DDoS attack and your cloud service provider (CSP) attempts to absorb the attack, your own servers, which share the same underlying infrastructure with those other servers, could also suffer.
This is exactly what happened in 2016, when the website of Brian Krebs, a well-known IT security expert, was hit by a massive 600+ Gbps DDoS attack. The site’s hosting provider, Akamai, initially attempted to absorb the attack. Unfortunately, in the process, some of the provider’s infrastructure functionality had to be sacrificed, which in turn affected other customers.
So, does that mean you should forget about cloud migration altogether if you don’t want to risk going offline due to a DDoS attack? Absolutely not! There are many ways to mitigate this particular threat. Here are just a few:
Entrust your servers with CSPs who have clear DDoS mitigation strategies
Because your servers are hosted on a third party’s infrastructure, a large part of your DDoS mitigation capability will depend on the corresponding capability of your CSP. Make sure your CSP is quick to adopt DDoS solutions and strategies to counter DDoS attacks. Your CSP’s ability and resolve to quickly respond to threats is always a good sign that you’re dealing with the right provider.
You must remember, though, that every aspect of cloud security, including DDoS mitigation, is a shared responsibility between you and your CSP. In addition to building a robust infrastructure and thwarting attacks on that infrastructure, your CSP will provide a host of IT security features to withstand other forms of DDoS attacks, e.g. Application Layer (a.k.a. Layer 7) DDoS attacks that target certain weaknesses in an application.
However, it is your responsibility to enable and take advantage of those features. Bear in mind, too, that some of them can be pretty expensive. For example, some large CSPs offer auto-scaling, which lets your underlying resources grow automatically to accommodate surges in traffic. While auto-scaling is well suited to absorbing DDoS traffic, expect your bill to shoot up if such an attack happens while auto-scaling is enabled.
Reduce your attack surface
Attack surface reduction, or hardening, is one of the most basic things you can do to reduce the risk of a DDoS attack. You can start by disabling protocols and closing ports you don’t need. Next, you can limit access to certain resources, applications, and virtual machine instances from the Internet. For AWS instances, for example, you can use Security Groups or Network Access Control Lists to achieve this. In other CSPs, you can set up a firewall or NAT gateway and apply rules or limit open ports through those.
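The first step the section describes, closing ports you don’t need, is easy to check mechanically. The following script is an added example (not part of the original article and not an AWS tool): it walks a list of Security Groups in the shape returned by EC2’s `describe_security_groups` call and flags every ingress rule open to the whole Internet (`0.0.0.0/0` or `::/0`) on anything other than an allow-listed set of public ports. The group IDs, names and rules are constructed sample data, and the allowed port set is an assumption for a plain HTTPS web tier.

```python
"""Audit AWS-style Security Group ingress rules for Internet-wide exposure."""

# Ports a web tier is expected to expose to the whole Internet.
# Assumption for this example: adjust to the service actually being hosted.
PUBLIC_PORTS_ALLOWED = {80, 443}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample modelled on the shape of EC2 describe_security_groups
# output; the group IDs and rules below are invented for this example.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0example1",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH left open to the world: a typical hardening miss.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0example2",
        "GroupName": "db-tier",
        "IpPermissions": [
            # Database reachable only from the VPC: fine.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            # "-1" means all protocols and all ports; here open to all IPv6.
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def _port_range(perm):
    """Return (low, high) ports covered by a permission; '-1' covers everything."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule is the whole Internet."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_groups(groups, allowed_ports=PUBLIC_PORTS_ALLOWED):
    """Return (group_id, group_name, protocol, from_port, to_port) for every
    world-open ingress rule that exposes more than the allowed TCP ports."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            lo, hi = _port_range(perm)
            proto = perm.get("IpProtocol")
            # A TCP rule covering only allowed ports (e.g. tcp/443) passes;
            # anything wider, or any non-TCP protocol open to the world, is flagged.
            if proto == "tcp" and all(p in allowed_ports for p in range(lo, hi + 1)):
                continue
            findings.append((group["GroupId"], group["GroupName"], proto, lo, hi))
    return findings


if __name__ == "__main__":
    for gid, name, proto, lo, hi in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid} ({name}): {proto} ports {lo}-{hi} open to the Internet")
```

On real output from the AWS CLI or SDK the same function applies unchanged; the `-1` protocol case matters because an "allow all" rule has no `FromPort`/`ToPort` keys at all, which a naive port check would silently skip.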
Apply load balancing
A single server can easily become overloaded from a surge of legitimate traffic, let alone a DDoS attack. To improve your site’s ability to withstand a surge of traffic (legitimate or not), you can employ some form of load balancing. Load balancing enables you to distribute inbound traffic across a cluster of redundant servers, i.e., all providing the same service. This will make your site less susceptible to overloads.
Some CSPs will enable you to load balance multiple instances distributed across multiple data centres, with some data centres even located in different regions across the globe.
Deploy a Web Application Firewall (WAF)
Generally speaking, there are two types of DDoS attacks:
- Infrastructure layer attacks such as UDP reflection attacks and SYN floods, and
- Application layer attacks such as HTTP floods and WordPress pingback floods.
For the second type of DDoS attack, you can deploy a web application firewall or WAF. A WAF is typically deployed between your web application and the Internet. It can serve as a configurable shield against DDoS attacks. When configured properly, a WAF can effectively monitor and filter HTTP traffic, allowing only good traffic to pass through.
Traffic is filtered through a set of rules. Because these rules or policies are highly configurable, they can be easily adapted to address different web-based attack vectors.
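A concrete instance of such a rule is a rate-based rule: a client that sends more than N requests within a window is blocked for a while. The script below is an added example, not code from the article or from any WAF product. It parses web server access log lines in combined log format, runs each request through a sliding-window rate rule, and reports how many requests per client were allowed or blocked. The log lines, client addresses and thresholds (10 requests per 10 seconds, 60-second block) are all constructed for the example.

```python
"""Rate-based HTTP flood filtering, the kind of rule a WAF applies at layer 7."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined/common log format prefix: client IP, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, unix_time, path), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT).timestamp()
    return m.group("ip"), ts, m.group("path")


class RateRule:
    """Sliding-window rule: more than `limit` requests from one client within
    `window` seconds puts that client on a block list for `block_seconds`."""

    def __init__(self, limit=10, window=10.0, block_seconds=60.0):
        self.limit, self.window, self.block_seconds = limit, window, block_seconds
        self.hits = defaultdict(deque)   # client ip -> recent request timestamps
        self.blocked_until = {}          # client ip -> unix time the block expires

    def allow(self, ip, ts):
        """Record the request and decide whether to let it through."""
        if self.blocked_until.get(ip, 0) > ts:
            return False
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked_until[ip] = ts + self.block_seconds
            q.clear()
            return False
        return True


def filter_log(lines, rule=None):
    """Run every parsable line through the rule; return per-client allowed/blocked counts."""
    rule = rule or RateRule()
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _path = parsed
        stats[ip]["allowed" if rule.allow(ip, ts) else "blocked"] += 1
    return dict(stats)


def build_sample_log():
    """Constructed traffic: one client browsing normally, one hammering a search endpoint."""
    legit = [f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /index.html HTTP/1.1" 200 1043'
             for s in (1, 4, 9, 15)]
    flood = [f'198.51.100.9 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /search?q=x HTTP/1.1" 200 512'
             for s in range(2, 14)]
    return sorted(legit + flood, key=lambda line: parse_line(line)[1])


if __name__ == "__main__":
    for ip, counts in filter_log(build_sample_log()).items():
        print(f"{ip}: allowed={counts['allowed']} blocked={counts['blocked']}")
```

The design point worth noting is that the rule keys on the client address alone, which is exactly what a distributed attack spreads across thousands of sources to evade; in practice a rate rule is combined with the path-, header- and reputation-based rules the section mentions rather than relied on by itself.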
How about third party DDoS mitigation services?
You’ve likely heard of third-party DDoS mitigation services like Prolexic and Cloudflare, so let’s touch on those before we end. These services work by re-routing traffic that would otherwise go straight to your cloud-based instances through their own cloud infrastructure, where suspicious packets are scrubbed and only the good ones are forwarded on to your cloud.
While these cloud-based cyber security solutions work, they can introduce some degree of latency, which can adversely impact the responsiveness of your site. They also act as a single point of failure. If they suffer an outage (as in 2016, when a Cloudflare outage affected several sites in Europe), your site could likewise go down.
DDoS attacks are serious threats that can disrupt the availability of your business services. It’s therefore important that you incorporate DDoS mitigation into your overall IT security program. If you don’t know where or how to begin, feel free to contact us. We’re happy to answer your questions.