Layer up to keep out stronger DDoS winds

Jeremy Nicholls promotes an on-premise approach to cloud security threats

Now, more than ever, distributed denial of service attacks (DDoS) are a very real threat to all organisations. DDoS attacks can be political, sabotage-oriented, or about extortion. Any enterprise operating online can fall victim because of what it is, what it sells, who its partners are, or for its affiliations.

It is particularly concerning that enterprises are under the impression that their existing firewalls and IPS devices protect them. Those devices enforce policy and block intrusions; they do not protect against loss of service availability.

Because they maintain state information for every session between a client on the internet and the corresponding server in the datacentre, IPS devices and firewalls are also themselves vulnerable to DDoS attacks.

Typical users of datacentre and cloud services expect services on demand. When business-critical services are not available, enterprises and datacentre operators can lose millions of pounds and damage customer and partner relationships. Service availability worries can also pose a barrier to cloud adoption.

Criminals see high-profile applications in shared cloud datacentres as an attractive target.

Attackers have also now turned to sophisticated, long-lived, multi-vector attacks – the most difficult to defend against, requiring layered defences. Some recent attacks on financial institutions are good examples of multi-vector attacks.

Hackers surely love cloud infrastructure because a small number of service providers may be responsible for delivering, distributing and hosting. If they attack one of the providers or anyone operating on shared infrastructure, any number of users on that shared infrastructure could be affected.

When one domain is attacked, hundreds of thousands of domains can go offline or lose connectivity. The damage is not limited to a partitioned area, making for a kind of ripple effect.

Gaining visibility of DDoS botnets is therefore an absolute necessity, especially as botnets change constantly to thwart detection. On-premises availability protection systems form one layer of a layered defence, alongside upstream ISP mitigation and firewalls, to combat both volumetric and application-layer DDoS.

An on-premise DDoS device can block advanced attacks using packet-based threat detection and various other counter-measures. This can stop application-layer DDoS attacks in the cloud. The on-premise DDoS device also needs to provide visibility into critical IP services and applications running in the datacentre, such as HTTP, DNS, VoIP/SIP and SMTP traffic.

With this visibility, a datacentre might be protected from numerous types of attack, such as TCP state exhaustion, HTTP or web-based attacks, DNS flooding or authentication attacks, spoofing, or UDP flooding.
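As an added illustration of two points above (not from the article or from Arbor Networks): why a device that keeps state for every session is itself a TCP state exhaustion victim, and how a stateless, packet-based check spots the same flood without holding per-session state. The packet events, addresses and table size are all constructed for the example.

```python
from collections import Counter

# Constructed packet events: (source IP, destination port, TCP flag).
# 600 SYNs from 600 distinct (spoofed) sources that never complete the
# handshake, followed by one legitimate client completing its handshake.
FLOOD = [(f"198.51.{i // 250}.{i % 250}", 443, "S") for i in range(600)]
LEGIT = [("203.0.113.7", 443, "S"), ("203.0.113.7", 443, "A")]

def stateful_device(packets, table_size=512):
    """Model of a firewall/IPS that tracks every session.
    Each SYN consumes a half-open slot; once the table is full, new
    connections (including legitimate ones) are refused. The table size
    is an assumed, deliberately small value."""
    table = {}
    established = dropped = 0
    for src, dport, flag in packets:
        key = (src, dport)
        if flag == "S":
            if key in table:
                continue                     # retransmit, slot already held
            if len(table) >= table_size:
                dropped += 1                 # no room: client is turned away
                continue
            table[key] = "half-open"
        elif flag == "A" and key in table:
            table[key] = "established"
            established += 1
    return {"table": len(table), "established": established, "dropped": dropped}

def syn_flood_detector(packets, half_open_threshold=200):
    """Stateless, packet-based check: only aggregate counters per port.
    Flags a port when SYNs outnumber handshake completions by more than
    the threshold, which no flood of spoofed sources can exhaust."""
    syns, acks = Counter(), Counter()
    for _, dport, flag in packets:
        if flag == "S":
            syns[dport] += 1
        elif flag == "A":
            acks[dport] += 1
    return {port: n - acks[port] for port, n in syns.items()
            if n - acks[port] > half_open_threshold}

if __name__ == "__main__":
    print(stateful_device(FLOOD + LEGIT))   # table full, legit client dropped
    print(stateful_device(LEGIT + FLOOD))   # legit client got in first
    print(syn_flood_detector(FLOOD + LEGIT))  # {443: 600}
    print(syn_flood_detector(LEGIT))          # {}
```

With the flood arriving first, the stateful model's table fills and the legitimate SYN is refused, while the counter-based detector flags port 443 regardless of how many sources the flood uses.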

There must also be no lag between detection and protection, for every botnet threat. At the same time, the device should not be a burden to use, too expensive, or demand too much expertise.

Jeremy Nicholls is European channel director at Arbor Networks