Battle in the Cloud: Preventing DDoS Attacks

Distributed denial-of-service (DDoS) attacks pose significant security risks for businesses. One minute, your user is happily browsing your site; the next, your site is flooded with a tsunami of traffic, sending you back to the stone age. Imagine thousands of customers coming to your brick-and-mortar store at the same time. Your shop, which can accommodate a hundred shoppers at a time, is suddenly overcrowded. Your staff is overwhelmed, and they can’t serve legitimate customers. DDoS is the digital equivalent of hundreds of thousands of fake customers gatecrashing your shop and wrecking your service.

A government site hit with a DDoS attack may not be able to process tax returns. An online shopping site could be blocked from sales or a social media site might display content incorrectly. Sadly, DDoS attacks are becoming more frequent, more complex and more difficult to mitigate as businesses increasingly go digital and migrate to the cloud.

DDoS Attacks by the Numbers

In 2021 alone, cybercriminals launched 9.75 million DDoS attacks. The number of DDoS attacks in the first quarter of 2022 rose by nearly 75%.

In June, Cloudflare fended off a record-breaking DDoS attack from a cloud server that generated 26 million requests per second. Last November, Microsoft experienced the largest DDoS attack in its history, receiving 340 million packets per second. Amazon’s cloud service was hit by a severe DDoS attack in 2019 that knocked several digital services offline for almost eight hours.

Cloud service providers are becoming a more tempting target because a single such attack could impact many customers. Be it Wikipedia, Amazon, Telegram, BBC, GitHub or an electrical grid in Utah, organizations that leverage the cloud across all industries and sectors have faced DDoS attacks. Research estimated that DDoS attacks will rise by an 18% compound annual growth rate (CAGR) through 2023. The size of DDoS attacks doubles every two years.

The DDoS landscape constantly evolves and relentlessly innovates, just like a legitimate business. Be it application layer attacks, protocol attacks or volumetric attacks, attackers are getting more sophisticated. Today, cybercriminals employ multiple vectors, combining several attack techniques to cut through defenses and achieve their goals. They increasingly rent DDoS-for-hire services (booters) for as little as $300 and use them to extort ransom from victims.

As the size, volume, intensity and number of DDoS attacks are growing exponentially, so are their consequences.

DDoS Attacks: The Cost

Enterprise businesses, on average, lose $2 million per DDoS attack. For every minute of downtime caused by a DDoS attack, firms lose $22,000. This figure may vary depending on the organization’s size, the attack’s severity and the assets affected. Apart from money lost, companies’ reputations also suffer because of poor customer service due to outages.

The stakes are getting higher for businesses. As firms move to the cloud, learning how to fend off DDoS attacks is essential. To start, you must understand what a modern DDoS attack on the cloud looks like.

Understanding Modern DDoS Attacks in the Cloud

Firms move to cloud computing from traditional data centers for five major features: on-demand service, a pay-as-you-go model, resource sharing, ubiquitous network access and auto-scaling. But those same features make DDoS attacks on the cloud much more lethal. As a result, cloud infrastructure, cloud service providers and cloud customers are all susceptible to DDoS attacks.

When a cloud user or a particular cloud infrastructure provider comes under a DDoS attack, be it SYN flooding or Ping of Death, the cloud service provider auto-scales the computing power and network bandwidth to deal with the flood of incoming requests. Since cloud providers use dynamic pricing based on usage, the customer often ends up paying extra for the autoscaled capacity, additional resources and energy consumption.

Moreover, since the cloud infrastructure works in a multitenant environment, damage posed to any shared resources can leave the whole system open to attack. Sometimes, the service provider may exhaust all resources trying to mitigate an attack, resulting in service denial for all customers sharing the cloud resources.

With most enterprises choosing hybrid cloud solutions, the time to close gaps in the cloud due to infrastructure complexity is now.

Architecting Cloud Defense Against DDoS Attacks

Of all threats organizations face, DDoS attacks have the highest probability of making resources unavailable. So the defense mechanisms against them must be robust enough to match the sophistication of the attacks. To have a solid defense, a company must combine preventive measures, detection and mitigation mechanisms.

Taxonomy of Cloud DDoS Defense

Prevention is all about proactively protecting the cloud and its services before an attack ever happens. DDoS prevention and protection usually involves various methods of monitoring and managing network traffic. The most common and visible technique is using a CAPTCHA to prove the user is human and not a bot. You can also use bot detection software to recognize malicious bot activity.

Other techniques include filtering requests by source IP address to block spoofed traffic and validating source addresses against a historical IP address database. Sometimes, responses to requests are delayed or throttled while the system decides whether defense mechanisms need to be initiated. Multiple commercial vendors offer DDoS protection as a service, in the software-as-a-service (SaaS) model, to avoid any downtime due to attacks. Such tools scan for vulnerabilities in the system and deploy preventive and defensive measures.

Detection: Caught in the Act

Detecting a DDoS attack mainly involves separating malicious traffic from legitimate traffic. One way to do this is to detect an anomaly in traffic patterns or resource usage compared to a normal baseline. Any sudden spike in traffic or in the resources used by a machine is flagged as a warning of an impending attack. Companies can leverage a web application firewall (WAF) for automatic traffic monitoring and deployment of defense mechanisms in the face of a DDoS threat.

Another way of detecting an attack involves cataloging the signatures of all known attacks in a database and matching incoming packets against it. However, this technique requires time and effort to build the database. Also, the system cannot identify zero-day attacks because there isn’t a recognizable signature in its database. Companies usually use a combination of anomaly detection and signature detection techniques to catch DDoS attacks as they happen.
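The two detection approaches above, combined the way the paragraph describes, as an added example that is not part of the original article: a baseline-versus-spike anomaly check over per-second request counts, plus a signature match against a (constructed, placeholder) known-bad list. The log format, the signature strings and the traffic are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed log format, one line per request: <epoch-second> <src-ip> <method> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Placeholder signature database (constructed values, not real attack-tool strings).
SIGNATURES = {"user_agent": ["example-booter-agent"], "path": ["/wp-login.php?"]}

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, ua = m.groups()
    return {"ts": int(ts), "ip": ip, "method": method, "path": path, "ua": ua}

def signature_hits(records):
    """Signature detection: every request that matches a known-bad substring."""
    return [r for r in records
            if any(s in r["ua"] for s in SIGNATURES["user_agent"])
            or any(s in r["path"] for s in SIGNATURES["path"])]

def anomaly_seconds(records, baseline_seconds=60, k=3.0):
    """Anomaly detection: seconds whose request rate exceeds mean + k*stddev of the baseline window."""
    per_sec = Counter(r["ts"] for r in records)
    t0 = min(per_sec)
    baseline = [per_sec.get(t, 0) for t in range(t0, t0 + baseline_seconds)]
    # A stddev floor of 1 keeps the threshold meaningful on a perfectly flat baseline.
    threshold = statistics.mean(baseline) + k * max(statistics.pstdev(baseline), 1.0)
    flagged = sorted(t for t, n in per_sec.items()
                     if t >= t0 + baseline_seconds and n > threshold)
    return flagged, threshold

def detect(lines):
    records = [r for r in map(parse, lines) if r]
    flagged, threshold = anomaly_seconds(records)
    hits = signature_hits(records)
    return {"threshold": threshold, "anomalous_seconds": flagged,
            "signature_hits": len(hits),
            "top_sources": Counter(r["ip"] for r in hits).most_common(3)}

def constructed_log(t0=1700000000):
    """Constructed traffic: 60 s of 4-6 rps browsing, then 10 s of 80 rps from five sources."""
    lines = [f'{t0 + t} 198.51.100.{i + 1} GET /products/{i} "Mozilla/5.0"'
             for t in range(60) for i in range(4 + t % 3)]
    lines += [f'{t0 + t} 203.0.113.{i % 5 + 1} GET /search?q=a "example-booter-agent/1.0"'
              for t in range(60, 70) for i in range(80)]
    return lines
```

Running `detect(constructed_log())` flags the ten flood seconds against a threshold of 8 requests per second and attributes the 800 signature hits to the five flood sources; a zero-day flood with no signature would still show up in `anomalous_seconds`, which is why the paragraph recommends combining both.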

Mitigation: Damage Control

Mitigating DDoS attacks involves taking steps to reduce the attack’s impact and updating the prevention methods to thwart future attacks. Here are some ways to mitigate an attack:

Autoscaling
Autoscaling resources is the most common and best response to a DDoS attack on a cloud system. The system remains online despite the attack, but the method burdens users with additional costs for extra resources.

Black-Holing and Rate Limiting
Sometimes, when the attack on a cloud user or infrastructure is large enough to affect other services sharing the resource, the service provider may black-hole all traffic directed to that affected server. Black-holing prevents outages on a large scale.

For small-scale attacks, firms can use an IP-based access control list (ACL) to block incoming attack traffic from known malicious botnets. You can also cap the traffic at a level the hosting server can handle once it reaches a certain threshold. This is called rate limiting.
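A per-source rate limiter sitting behind an IP deny list, as an added example of the ACL and rate-limiting controls just described (this is illustrative code, not from the article or any vendor product). It uses a token bucket per source address; the rate, burst size, addresses and request timings are constructed for the example.

```python
from collections import defaultdict

class SourceRateLimiter:
    """Per-source-IP token bucket behind a static deny list (the ACL)."""

    def __init__(self, rate_per_sec, burst, deny=()):
        self.rate = float(rate_per_sec)   # sustained requests per second per source
        self.burst = float(burst)         # short burst a well-behaved client may send
        self.deny = set(deny)             # ACL: sources already known to be attack traffic
        self.tokens = defaultdict(lambda: self.burst)
        self.last = {}

    def allow(self, ip, now):
        """Return True if the request from `ip` at time `now` should be served."""
        if ip in self.deny:
            return False
        elapsed = now - self.last.get(ip, now)
        self.tokens[ip] = min(self.burst, self.tokens[ip] + elapsed * self.rate)
        self.last[ip] = now
        if self.tokens[ip] >= 1.0:
            self.tokens[ip] -= 1.0
            return True
        return False

def simulate(limiter, requests):
    """requests: iterable of (timestamp, ip); returns per-source allowed/dropped counts."""
    outcome = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in requests:
        outcome[ip]["allowed" if limiter.allow(ip, ts) else "dropped"] += 1
    return dict(outcome)

def constructed_traffic():
    """Constructed 10 s window: a browser at 2 rps, a flood source at 100 rps, one ACL-listed source."""
    reqs = [(i * 0.5, "198.51.100.7") for i in range(20)]
    reqs += [(i * 0.01, "203.0.113.9") for i in range(1000)]
    reqs += [(float(i), "203.0.113.66") for i in range(10)]
    return sorted(reqs)

if __name__ == "__main__":
    limiter = SourceRateLimiter(rate_per_sec=5, burst=10, deny=["203.0.113.66"])
    print(simulate(limiter, constructed_traffic()))
```

With a sustained rate of 5 rps and a burst of 10, the browsing client is never throttled, the ACL-listed source is dropped outright, and the 100 rps source gets through only about 60 of its 1000 requests, which is the ceiling the origin was sized for.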

Firewalls
A way to make DDoS attacks ineffective and minimize their impact is to use software- and hardware-based firewalls. Firms can enhance security with intrusion prevention and detection systems that detect anomalies or cyberattacks.

Traffic Diffusion
Another way to mitigate a DDoS attack is to scatter the incoming traffic across a network of distributed servers. This reduces the impact of the attack to a manageable level.

Server Migration
Server migration moves or “migrates” the entire running server under attack to another physical server without downtime. The new server is isolated and shielded from the DDoS attack. Once the attack has completely stopped, the server is moved back to its original host.

Cloud DDoS Mitigation Service
Similar to DDoS protection software, several third-party commercial vendors and cloud service providers now offer cloud-based DDoS mitigation as a service. They use a combination of prevention, detection and mitigation techniques to protect services deployed both in the cloud and on-premises.

They typically leverage standard DDoS mitigation techniques as their first line of defense and then take the incoming flood to a cloud scrubbing center as a second line of defense.

Moreover, these services are purchased on a pay-as-you-go subscription model with thresholds on scaling resources. So firms can quickly scale up or down while avoiding the runaway cost associated with autoscaling.

No Age for Outage

No business can afford downtime due to DDoS in this digital age. It causes extra human effort, revenue loss and a hit to reputation. Mitigating DDoS attacks may seem daunting, given their volume, size and numbers. But simple steps can protect your business from such damage. Don’t wait to implement your cloud DDoS prevention and mitigation strategies. Keep your business up in the cloud(s).

Soundarya Jayaraman

Soundarya Jayaraman is the content community writer at G2, the largest software marketplace. A tech enthusiast with a keen interest in AI and cybersecurity, she loves to learn and write about how these technologies can help businesses.