The application-layer DDoS threat actually amplifies the risk to data center operators. That’s because IPS devices and firewalls become more vulnerable to the increased state demands of this emerging attack vector – making the devices themselves more susceptible to the attacks. Moreover, there is a distinct gap in the ability of existing edge-based solutions to leverage the cloud’s growing DDoS mitigation capacity, the service provider’s DDoS infrastructure or the dedicated DDoS mitigation capacity deployed upstream of the victim’s infrastructure.
Current solutions do not take advantage of the distributed computing power available in the network and cannot coordinate upstream resources to deflect an attack before saturating the last mile. No existing solution enables both DDoS mitigation at the edge and in the cloud.
Check out the really good piece from infosecurity-magazine.com about modern DDoS attacks by Rakesh Shah, head of Product Marketing at Arbor Networks, published with the Cloud Security Alliance. It’s worth a read.
I’ve been a fan of Arbor since they were founded – the original founders met with me when I was at Exodus Communications to see if we would fund them. At the time, I was skeptical they’d be able to get enough data out of the network to do what they planned. Well, I was wrong. My, how times have changed.
Two big points jump out of Rakesh’s piece. The first is that old-school DDoS techniques like going after web servers and DNS servers are…old. They still work, but providers are getting better at blocking them.
At Speedera Networks, before Akamai acquired us, we were taken down by a DDoS only one time, by an attack on our DNS servers. We sadly told the customer under attack that we couldn’t host their traffic. The customer went to Akamai, who was taken down by the same attack the next day, one of the only successful DDoS attacks against a company with a very good track record of uptime because of their distributed architecture. You don’t hear stories on this scale today.
HTTP-based DDoS attacks aren’t gone, but we are getting better at handling them. It’s all about application-level DDoS now, which can suck cloud computing cycles by loading back-end servers, causing victims to choose between paying for cloud capacity that isn’t adding value, or allowing their applications to fail.
Usage-based pricing isn’t always pretty when the usage is a DDoS attack!
The second interesting point Rakesh makes is that DDoS mitigation solutions don’t take advantage of distributed computing power in the network. That places the ultimate solution to DDoS attacks squarely in the ambient cloud. Application-level DDoS attacks would fail if they were countered by the massive computing power tied to networks.
After all, the botnets that carry out DDoS attacks are themselves ambient clouds, some of which have aggregate computing capacity that dwarfs what Google and other cloud providers have in their centralized data centers.
Fighting the power of an ambient-cloud-powered DDoS attack using an ambient cloud is not only smart, it’s elegant. I’m looking forward to seeing a working implementation.