Cloud-based solutions best defence against cyber “DDoS” attacks?
A recent paper on distributed denial-of-service (DDoS) attacks by Neustar concludes that only cloud-based DDoS solutions offer a comprehensive defence against increasing attacks that are expected to surge by as much as 40% in 2012.
“Cloud solutions provide the bandwidth (as measured in Gbps) to absorb today’s massive network layer attacks, plus the technology diversity and processing power to handle application-layer and high packets-per-second strikes,” said Neustar.
Neustar agrees that all on-premise hardware, even at best, has limits. At some point the sheer volume of traffic will clog network connections – before on-premise perimeter equipment even gets involved!
“Network-bandwidth attacks of 10Gbps or more were still 15% of all DDoS incidents Neustar mitigated. More than one out of 10 attacks came with hurricane strength, enough to overwhelm bandwidth and quickly cause an outage.”
Additionally, high packets-per-second (PPS) attacks grew in popularity.
“Instead of exhausting bandwidth, these drain processing power. To illustrate, DDoS attacks using UDP packets tend to be smaller in size (DNS UDP packets, for instance, are typically limited to 512 bytes). While such attacks take up modest bandwidth, the sheer number of packets can crash your CPU as it attempts to process the blitzkrieg of requests.”
Even encrypted traffic is being targeted by DDoS, although the number remains small at less than 5%.
While such attacks are harder to mount, they generally target the encrypted traffic’s port with GET flood or POST flood traffic, which is usually handled by rate limiting or null-routing.
“This process of opening, inspecting, and closing packets is complex, but neglecting it can leave your business vulnerable,” said Information Week.
This has led security vendors to produce products such as on-demand DDoS mitigation services, which scrub malicious traffic in the cloud and let valid traffic flow into the infrastructure stack. This may require a global mitigation network, featuring as many as 15 IP Anycasted scrubbing centers.
“Our takeaway: now more than ever, effective mitigation means diverse mitigation technologies, along with experienced staff who know how to deploy and tune them. In other words, you need to be ready for anything. In 2012 you’ll see another mix of subtly changing tactics and full-frontal assaults,” said Neustar.
The trends above reflect a growing awareness that offshoring resources to remote IaaS cloud hosting facilities may be the smartest move to make over the next year. The cost, complexity and resources required to protect on-premise datacentres are becoming less and less compelling for informed IT leaders as they attempt to do more with less.