Cloud migration is a hot topic and has been for about five years now. Everyone is familiar with the broad adoption of cloud services by businesses of all shapes and sizes. The types of cloud service used to support migrated applications and data vary, as does the scale of the service providers, from large public/hybrid cloud providers to smaller, more specialised managed application service providers, but what they generally have in common is a reliance on Internet connectivity for access and multi-tenant infrastructure.
Unfortunately, DDoS (Distributed Denial of Service) attacks are an increasing problem for cloud and hosting providers, because the attacks keep growing in both scale and frequency. An individual attack may target only one application within an environment, but if it is large enough to saturate the Internet connectivity then everything that shares the same Internet ‘pipe’ can be affected, whether or not it was the intended target. This was highlighted by Arbor Networks’ Worldwide Infrastructure Security Report (WISR), which reported that:
- 61% of data centre/cloud operators saw attacks in 2016 that completely saturated data centre bandwidth
- 21% of data centre/cloud operators experienced more than 50 DDoS attacks per month
As a result, there is growing pressure on cloud providers, and on those procuring their services, to ensure the right availability protection is in place.
How do we defend availability?
There are two main ways in which a cloud service, or the customer of a cloud service, can be protected from the DDoS threat:
- The end-customer can procure virtualised DDoS protection infrastructure from their vendor of choice and pair it with a DDoS protection service from a specialised Managed Security Service Provider. This is the same model many enterprises have used for years to protect data and applications in their own data centres, simply transposed to the cloud. From the end-customer’s perspective it has the advantage of familiarity: the same solution is used for both cloud and non-cloud services.
- The alternative is for the end-customer to procure DDoS protection from their cloud operator (or be provided with it as part of the core service offering). Many ISPs deployed DDoS detection and mitigation infrastructure to protect their own businesses and then looked to derive revenue from that capability by offering managed services to connected customers. Cloud service providers are increasingly doing the same: they need to protect themselves anyway, so why not use the equipment and expertise they have already put in place to provide sticky, high-value add-on security services to their customers?
Both approaches can provide protection; which is preferable depends on the needs of the end-customer versus the capabilities of their cloud service provider. From the cloud operator’s point of view the latter is obviously preferred, and more and more operators are looking to offer DDoS protection services explicitly.
However, this isn’t (generally) something they can do on their own. Today’s volumetric DDoS attacks will cause problems for all but the largest cloud operators, as a single attack can exceed 500Gbps, so most cloud operators will need an upstream DDoS protection service to deal with high-magnitude attacks when they occur: local mitigation handles what fits within the operator’s own capacity, and anything that threatens to saturate the Internet connectivity is diverted upstream. The providers of these upstream services are, in some cases, the vendors of the equipment used within the cloud environment for local protection, and in those cases integrated, or even fully managed, services can be put in place.
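The two points above (an attack on one tenant saturating the shared pipe for everyone, and the hand-off from local mitigation to an upstream scrubbing service once an attack is too big to absorb locally) are easier to see in code. The following is an added illustration, not code from the article or from Arbor Networks: it aggregates constructed flow-summary records per tenant over a measurement window, flags tenants whose inbound rate is far above their baseline, and decides whether on-site mitigation is enough or whether the traffic must be diverted upstream before the shared link saturates. The link capacity, local mitigation capacity, trigger threshold, baselines and flow records are all assumed values chosen for the example.

```python
"""Toy hybrid DDoS escalation decision (added example, not vendor code).

Reads constructed per-flow byte counts, computes per-tenant inbound Gbps over
the window, and chooses 'none', 'local' or 'upstream' per tenant. It also
reports tenants that are not under attack but share a pipe that is about to
saturate, which is the collateral-damage case described in the text.
"""
from collections import defaultdict

# Assumed parameters for the example (not taken from the article).
LINK_CAPACITY_GBPS = 100.0       # the shared Internet 'pipe' of the data centre
LOCAL_MITIGATION_GBPS = 20.0     # what on-site mitigation appliances can absorb
UPSTREAM_TRIGGER_FRACTION = 0.8  # divert upstream once the pipe is this full
ATTACK_MULTIPLIER = 5.0          # a tenant this far above baseline is under attack

# Constructed flow-summary records: "<epoch> <tenant> <dst_ip> <proto> <bytes>"
# covering a 10-second window. Tenant 'shop' is receiving a volumetric attack.
SAMPLE_FLOWS = [
    "1700000000 shop 203.0.113.10 udp 40000000000",
    "1700000003 shop 203.0.113.10 udp 40000000000",
    "1700000006 shop 203.0.113.11 udp 32500000000",
    "1700000001 blog 203.0.113.20 tcp 1500000000",
    "1700000005 blog 203.0.113.20 tcp 1000000000",
    "1700000002 api 203.0.113.30 tcp 312500000",
]
SAMPLE_WINDOW_S = 10
# Assumed normal inbound rate per tenant, in Gbps.
SAMPLE_BASELINES = {"shop": 0.5, "blog": 0.1, "api": 0.2}


def parse_flow(line):
    """Return (tenant, bytes) from one constructed flow-summary line."""
    _ts, tenant, _dst, _proto, nbytes = line.split()
    return tenant, int(nbytes)


def rates_per_tenant(lines, window_s):
    """Sum bytes per tenant across the window and convert to Gbps."""
    totals = defaultdict(int)
    for line in lines:
        tenant, nbytes = parse_flow(line)
        totals[tenant] += nbytes
    return {t: b * 8 / window_s / 1e9 for t, b in totals.items()}


def assess(lines, window_s, baselines):
    """Classify each tenant and pick a mitigation path.

    Returns a dict with:
      rates        per-tenant inbound Gbps
      pipe_at_risk True when total inbound reaches the upstream trigger level
      actions      tenant -> 'none' | 'local' | 'upstream'
      collateral   tenants not under attack but sharing a pipe that is at risk
    """
    rates = rates_per_tenant(lines, window_s)
    total = sum(rates.values())
    pipe_at_risk = total >= UPSTREAM_TRIGGER_FRACTION * LINK_CAPACITY_GBPS
    actions, collateral = {}, []
    for tenant, gbps in rates.items():
        under_attack = gbps >= ATTACK_MULTIPLIER * baselines.get(tenant, 0.1)
        if not under_attack:
            actions[tenant] = "none"
            if pipe_at_risk:
                # An attack on someone else's application still hits this
                # tenant: it is the shared Internet connectivity that saturates.
                collateral.append(tenant)
        elif gbps <= LOCAL_MITIGATION_GBPS and not pipe_at_risk:
            actions[tenant] = "local"      # on-site appliances can scrub this
        else:
            actions[tenant] = "upstream"   # too big for local: divert upstream
    return {"rates": rates, "pipe_at_risk": pipe_at_risk,
            "actions": actions, "collateral": sorted(collateral)}


if __name__ == "__main__":
    result = assess(SAMPLE_FLOWS, SAMPLE_WINDOW_S, SAMPLE_BASELINES)
    for tenant, gbps in sorted(result["rates"].items()):
        print(f"{tenant:5s} {gbps:7.2f} Gbps -> {result['actions'][tenant]}")
    print("shared pipe at risk:", result["pipe_at_risk"],
          "| collateral tenants:", result["collateral"])
```

With the constructed records, 'shop' is at 90 Gbps and goes upstream; 'blog' is at 2 Gbps, which local appliances could scrub on a quiet day, but because the pipe is already at 92 Gbps against an 80 Gbps trigger it is diverted upstream too; 'api' is not under attack at all yet appears as collateral. A real deployment would take rates from flow telemetry and baselines from learned history rather than constants, and would divert by prefix rather than by tenant, but the decision structure is the same.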
One thing is certain: cloud operators and the users of their services need appropriate DDoS protections to preserve the availability of those services. Arbor’s WISR showed a significant jump in the proportion of data centre/cloud operators seeing revenue loss during 2016 due to DDoS attack, but this needn’t happen. Appropriate defensive technologies and processes exist, can be deployed today, and can even drive new revenue streams for cloud operators.