Defeating DDoS attacks in the Cloud: Why hosting providers need to take action

DDoS attacks have become such a significant threat that hosting providers need to actively protect against them or risk their own reputations.

(Image: © Image Credit: Andrea Danti / Shutterstock)

In the first few days of the New Year, hosting provider 123-reg was once again hit by a distributed denial of service (DDoS) attack, leaving customers unable to access their websites and email accounts. Even though the magnitude and strength of the attack weren’t as immense as the 30Gbps attack on the website in August last year, it still raises availability and security concerns and emphasises the importance of using effective DDoS mitigation systems. 

123-reg reacted with remediation procedures and was able to get services back up and running within a couple of hours, but not after customers experienced service outages and latency issues. Successful DDoS attacks hit more than just network infrastructure, brand reputation and bottom line suffer greatly. For many providers, just a handful of customers make up a significant portion of their revenue stream. Losing one or more of these key accounts would be detrimental to the business.   

With no shortage of DDoS attacks hitting the news headlines, many businesses that operate in the cloud or plan to move their business applications to the cloud, are beginning to review their DDoS protection options, and the capabilities of their providers. 

Hosting Providers and DDoS Threats   

The sheer size and scale of hosting provider network infrastructures and their massive customer base presents an incredibly attractive attack surface due to the multiple entry points and significant aggregate bandwidth that acts as a conduit for a damaging and disruptive DDoS attack. As enterprises increasingly rely on hosted critical infrastructure or services, they are placing themselves at even greater risk from these devastating cyber threats – even as an indirect target. 

The Domino Effect 

The multi-tenant nature of cloud-based data centres can be less than forgiving for unsuspecting tenants. For example, a DDoS attack that targets one organisation within the data centre can have disastrous repercussions for other tenants, causing a domino effect of latency issues, service degradation and potentially damaging and long-lasting service outages.   

The collateral damage associated with successful DDoS attacks can be exponential. When providers lack proper protection mechanisms to defeat attacks in real-time, the costs associated with the outages are wide ranging and the impact to downstream or co-located customers can be devastating. Therefore, if hosting providers are not protected and do not provide effective DDoS mitigation as a part of their service offering, they may inadvertently send useless and potentially harmful traffic across their customers’ networks. 

Traditional Defences Do Not Work   

Traditional techniques of defence such as black-hole routing are a crude response to DDoS attacks. Using this method, a hosting provider blocks all packets of website traffic destined for a domain by advertising a null route for the IP address under attack. The most notable issue with this approach, is when multiple tenants share a public IP address. In this situation, all customers associated with the address under attack will lose all service, regardless of whether they were a specific target of the attack. In effect, by using this method, the data centre operator is carrying out the wishes of the attacker, by taking their customers offline.    

Black-hole routing is not an approach that most operators prefer - since it completely took their customers offline. A more sophisticated approach was then introduced; instead of injecting a null route when an operator observed a large spike, they would inject a new route instead. 

That action redirected all good and bad traffic through an appliance or bank of appliances that inspected traffic and attempted to remove the attack traffic from the good traffic flows. This approach spawned the existence of DDoS scrubbing-centers with DDoS scrubbing-lanes commonly deployed today. 

However this approach still required a considerable amount of human intervention. A DDoS attack would have to be detected (again by analyzing NetFlow records) then an operator would have to determine the victim’s destination IP address(s). Once the victim was identified, a BGP route update would have to take place to inject a new route to “turn” the victim’s incoming traffic to where a scrubbing lane was deployed. The appliances in the scrubbing lane would attempt to remove the DDoS traffic from the good traffic and forward it to the downstream customer. 

Effective DDoS Defence 

The weaknesses of old methods - being slow to react, expensive to maintain and unable to keep up with shifting and progressive threats – tell us that solutions appropriate for today need to be always-on and remove the attack traffic in real-time, without damaging other customers, or dropping good user traffic. It’s clear they also need to be adaptable and scalable so that defences can be quickly and affordably updated to respond to the future face of DDoS threats – whatever those may be. 

The increasingly popular method of fulfilling these aims is through real-time DDoS mitigation tools installed directly at the peering point, meaning customer traffic can be protected as it travels across an organisation’s entire network. Such innovations mean providers are better positioned than ever before to offer effective protection to their customers, so that websites and applications can stay up and running, uninterrupted and unobstructed.    

Hosting providers are starting to deploy this technology as part of their service package to protect their customers. This maximises efficiency due to the fact that defences can be constantly on, with no need for human intervention. Providers can tune these systems so that customers only get good traffic, helping their sites run far more efficiently. It’s a win-win for both sides, as providers’ services become more streamlined and reliable, protecting their reputation, and attracting more customers in the process. Hosting providers have a golden opportunity to modernise their services in this way, and generate new channels for revenue – or else, they risk a slow shrinking of their customer base. 

Stephanie Weagle, Vice President, Corero Network Security 

Image Credit: Andrea Danti / Shutterstock

ABOUT THE AUTHOR

Stephanie Weagle has been instrumental in establishing Corero Network Security as a category creator for automatic, scalable DDoS protection that is architected to meet the needs of any Internet dependent organization, including, mid-tier hosting and service providers, on-line gaming entities, tier-1 carriers and large online enterprises.