DoS attack in cloud computing

A Denial of Service (DOS) attack, or its now more popular unruly child the DDoS attack, is not a new phenomenon and has plagued information technology (IT) managers for many years.

It refers to an attack that aims to overwhelm the victim with network traffic or consume resources (central processing unit, memory, for example) and subsequently prevent the processing of legitimate requests.

The various types of DOS can be broadly divided into two categories:

Infrastructure-based attacks

These particular attacks reside within layers 3 and 4 of the Open Systems Interconnection (OSI) model and, in effect, submit large volumes of traffic intended to overwhelm the target and prevent it from responding to legitimate requests.

It is now considerably easier to initiate such attacks.

According to the McAfee report entitled “Cybercrime exposed,” DOS (or DDoS) services are accessible to anybody with access to a search engine, and can be purchased for as little as $2 per hour.

Subsequently, the probability of such attacks occurring is increasing, and this is reflected in the report published by Prolexic, the “Quarterly Global DDoS Attack Report Q3 2013”: compared to Q3 2012, the total number of attacks increased by 58%, with infrastructure-based attacks increasing by 48%.

Application-based attacks

Unlike traditional infrastructure-based DDoS attacks, the emerging trend has been the use of layer 7 (OSI stack) attacks.

What this actually means is that rather than using sheer network traffic volume to overwhelm the target, the attack uses traffic that appears legitimate.

According to Prolexic, these particular attacks represent around 20% of DDoS attacks, but still a 101% increase on the preceding year.

When considering a DOS attack as it pertains to cloud computing, there are two main considerations:

  • The threat of DOS attacks against provisioned cloud services
  • How cloud computing (and predominantly dedicated Software as a Service (SaaS) services) can be used to reduce the risk of DOS attacks.

We will focus on the first scenario.

Denial of Service against the Cloud

The migration to a cloud computing platform should provide greater protection against such attacks than traditional internally hosted services.

This at least is the view taken by ENISA, whose publication entitled “Critical Cloud Computing” takes the view that “Elasticity is a key benefit of cloud computing and this elasticity helps to cope with the load and mitigates the risk of overload or DDoS attacks.

It is difficult to mitigate the impact of peak usage or a DDoS attack with limited computing resources.”

This perspective is of course entirely valid: a typical network-based DOS (or DDoS) attack should indeed be better mitigated by leveraging a service with redundancy in its resources.

Equally, as the probability of a DDoS attack against a CSP is likely to increase, the provider will be expected to invest more in providing controls to mitigate the threat.

Cloud provider Rackspace, for example, provides specific DDoS mitigation services to customers that can be added as a subscription service or on demand. Regardless of the pricing model, the service assesses incoming traffic and, in the event that malicious traffic is detected, transfers it to a “sanitation engine” to filter the traffic and forward legitimate traffic to its intended destination.
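As an added illustration of the assess-then-sanitize flow just described (example code written for this page, not Rackspace's or any other provider's implementation), the following Python models stage one as a volumetric check on UDP traffic, in the spirit of the UDP flood BitBucket reported, and stage two as per-source scrubbing before forwarding. All traffic records and thresholds are constructed; it also shows why a layer 7 load that looks like ordinary HTTPS passes a purely volumetric assessment.

```python
from collections import defaultdict

# Constructed one-second traffic sample toward a single protected address.
# Fields: (src_ip, proto, dst_port, bytes). Addresses and sizes are made up.
UDP_FLOOD = [("203.0.113.5", "udp", 53, 1400)] * 900        # 1.26 MB in one second
NORMAL = [("198.51.100.7", "tcp", 443, 600)] * 40 + [("192.0.2.9", "udp", 53, 80)] * 6
LAYER7 = [("198.51.100.%d" % i, "tcp", 443, 500) for i in range(60)]  # looks legitimate

# Illustrative thresholds (assumptions for this example, not vendor figures).
DIVERT_UDP_BYTES_PER_SEC = 500_000   # total UDP volume that triggers diversion
PER_SRC_UDP_PKTS_PER_SEC = 100       # a single source above this is scrubbed


def assess(flows):
    """Stage 1: decide whether the UDP share of this second warrants diversion."""
    udp_bytes = sum(b for _, proto, _, b in flows if proto == "udp")
    return udp_bytes > DIVERT_UDP_BYTES_PER_SEC


def sanitize(flows):
    """Stage 2: drop UDP from any single source exceeding the per-source packet
    rate; everything else is forwarded untouched. Returns (forwarded, scrubbed)."""
    per_src = defaultdict(int)
    for src, proto, _, _ in flows:
        if proto == "udp":
            per_src[src] += 1
    bad = {s for s, n in per_src.items() if n > PER_SRC_UDP_PKTS_PER_SEC}
    forwarded = [f for f in flows if not (f[1] == "udp" and f[0] in bad)]
    return forwarded, sorted(bad)


def pipeline(flows):
    """Return (diverted, forwarded_flows, scrubbed_sources) for one second of traffic."""
    if assess(flows):
        forwarded, bad = sanitize(flows)
        return True, forwarded, bad
    return False, list(flows), []


if __name__ == "__main__":
    diverted, fwd, bad = pipeline(UDP_FLOOD + NORMAL)
    print(diverted, len(fwd), bad)          # True 46 ['203.0.113.5']
    print(pipeline(NORMAL + LAYER7)[0])     # False: layer 7 load passes the volumetric check
```

The second call is the point of the application-based category above: the volumetric stage sees nothing abnormal, so layer 7 traffic needs request-level assessment rather than byte counting.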

This is one example; other CSPs also offer such mitigation services, but the challenge for any potential customer is verifying the effectiveness of the documented solution.

In other words, the true test of any solution to mitigate DDoS attacks, whether paid for or included and marketed by a provider, is during an attack.

Such an experience was documented by The Register, where code hosting provider BitBucket faced 19 hours of downtime due to a DDoS attack on the infrastructure it purchased from AWS.

According to Jesper Nøhr, who runs BitBucket: “We were attacked. Bigtime.

We had a massive flood of UDP packets coming into our IP, basically eating away all bandwidth to the box…So, basically a massive-scale DDoS.

That’s nice.” Please note that as a result of the attack, “Peter DeSantis, vice president of Amazon Elastic Compute Cloud (EC2), said that they were definitely taking this lesson about the tardy detection of Bitbucket.org’s problem to heart.

He said, from Amazon’s perspective, the black eye from that smarted, and the company would be changing its customer service playbook and network policies to prevent a reoccurrence.”

This encounter could lead the reader to think that the advice from ENISA is not entirely accurate, but this would not be fair.

The likelihood is that if BitBucket had been using internally provisioned services rather than Amazon, their service may have been unavailable for longer and their ability to withstand the traffic less resilient.

Therefore, the ability of the provider (this of course depends on the provider) to withstand a DDoS attack should be greater than that of an internally provisioned service.

This is an entirely case-dependent statement. However, one risk that cloud end customers should certainly consider is the noisy neighbor concept.

This particular point goes against the widely held belief that the cloud reduces the threat of a DDoS: the use of a cloud-provisioned service means that the customer is sharing resources with other customers.

This scenario was documented by Rich Bolstridge of Akamai Technologies, who provided three cases in which the shared services approach negatively impacted cloud customers:

DDoS attack Case 1

DDoS attack against Brazilian bank subsidiary: an attack targeted the home page of a Brazilian bank’s Brazilian site.

However, as the Brazilian Web site used a shared network infrastructure, the bank’s US banking site was also negatively impacted.

Somewhat ironically, the bank had invested in DDoS mitigation for the US Web site but failed to recognize the threat of the shared network infrastructure.

DDoS attack Case 2

DDoS attack against a Luxembourg customer of a US exchange: a US exchange had a market data service used by a customer in Luxembourg to serve its clients.

The application, however, came under attack, causing it to be unavailable.

The service was also used by the exchange’s main applications for desktop clients in the United States, which ultimately failed as well.

DDoS attack Case 3

DDoS attack against US subsidiary of European bank: a DDoS attack against the domain name servers of a large regional bank in the United States resulted in the bank’s Web sites across three continents also being impacted.

Solution

Therefore, to summarize, the threat of a DOS attack can impact not only internally provisioned services but also those of CSPs.

While the general view is that the cloud computing provider should provide a greater ability to withstand such attacks, the probability of a DDoS attack will increase when using shared resources with multiple customers.

In short, the risk will be reduced if the cloud provider has implemented the appropriate controls to withstand such an attack, but the number of attempts (some of which may be successful) will increase.
