Denial-of-Service Attacks Meet the Cloud: 4 Lessons
In the age of virtualization and cloud, old-world denial-of-service attacks have become more targeted, causing new worries. Here are 4 realities to keep in mind.
Mon, November 01, 2010
CIO — An old standby of cyber criminals—the denial-of-service attack—has become a new worry for data center operators.
As companies increasingly use virtualized data centers and cloud services, new weaknesses have opened up in enterprise infrastructure. At the same time, denial-of-service attacks are moving from brute-force floods of data to more skillful attacks on application infrastructure.
The combination is increasingly threatening for the companies that are placing critical business data outside their facilities, leaving their business reliant on continuing communications. In addition, with multi-tenant services becoming more common, attacks aimed at one company could dramatically impact the services of an unrelated, but co-located, firm.
"Enterprises continue to cite security and availability as the top barrier to adoption of cloud computing," Rob Ayoub, Global Program Director for Information Security research at Frost & Sullivan said in a statement. "Given these concerns, hosting and other data center operators today must have the ability to mitigate attacks without interrupting customer facing services."
The most obvious attacks continue to be floods of data that hammer a victim's network, overwhelming the company's connection to its upstream provider. The growth in brute-force denial-of-service attacks, which can be seen in the increase in domain name lookups, is so great that Internet infrastructure company VeriSign (VRSN) remarked on the trend in its recent Domain Name Industry Brief.
Distributed denial-of-service attacks "probably make up a few percent of our traffic," says Ken Silva, chief technology officer of VeriSign. "It is a minor pollution problem for us, but it's a big pollution problem for the victim."
The best solution is to hunt down the attackers, an admittedly difficult proposition in the world of botnets and anonymous proxies. Yet, there are other ways, say experts. Here are four lessons for the new-old world of DDoS attacks.
1. DDoS attacks are easy
In the past, the computers used in distributed denial-of-service attacks were generally compromised by a single worm. When the worm was cleaned from enough systems, the attacker's ability to continue swamping a network ended.
Yet, with the rise of persistent botnets and the leasing of those botnets to attackers, criminals can flood a victim's network at will. Moreover, overwhelming a single network connection has become easier, especially with the dramatic increase in DDoS attack bandwidth, says Paul Sop, chief technology officer of network protection service Prolexic.
"People don't understand how easy it is for attackers to ramp up the bandwidth to knock you out," says Sop.
In 2005, the traffic seen by victims during an attack peaked at 3.5 Gbps. In 2006, that jumped to more than 10 Gbps, limited in many cases by the capabilities of Internet backbone links. In 2009, Arbor Networks detected more than 2,700 attacks in excess of 10 Gbps.