Protecting Cloud Applications Against DDoS: 5 Facts and Tips

07.07.15

Dan Ennis CEO

While cloud infrastructure is inherently scalable and resilient, applications deployed in the cloud are frequently hit by DDoS attacks. We find that customers are often unaware of the unique risks, advantages and protection methods involved in defending cloud applications against DDoS. Here we provide the top five facts you should be aware of when planning DDoS protection for your cloud apps.

1. CLOUD COSTS SPIKE DURING DDoS: LEARN FROM THE GITHUB CASE STUDY

GreatFire.org, a Chinese activist group hosted on GitHub servers on AWS, came under a DDoS attack in March 2015. In their post “We are under attack” they desperately asked for help:

“…our bandwidth costs have shot up to USD $30,000 per day. Amazon, which is the service we are using, has not yet confirmed whether they will forgo this. If they do not forgo this, this will put a significant squeeze on our operations.”

Cloud auto-scaling is a great feature when your business grows: your infrastructure grows with it. If you plan on leveraging auto-scaling during a DDoS attack with the goal of containing it, expect a spike in your cloud services bill and plan for it. Bear in mind that DDoS attackers control the bandwidth and duration of the attack, and therefore control your cloud budget. In essence, you are their hostage.

2. NETWORK-LAYER DDoS vs. APPLICATION-LAYER DDoS ARE COMPLETELY DIFFERENT THREATS

Distinguish between layer 3-4 attacks and the increasingly common layer-7 attacks, as the main risk to cloud-based applications is layer-7 DDoS. The attack patterns are substantially different, and so are the means of mitigation.

Network-layer DDoS (OSI layers 3 and 4): these attacks use high bandwidth to saturate network components and bring them down. A common network-layer attack is a SYN flood, which exhausts the web server's available connections.

Application Layer DDoS (OSI Layer 7): According to Akamai’s Q1 Internet Security Report, application-layer DDoS comprised 9.3% of DDoS attacks. According to Arbor Networks’ Worldwide Infrastructure Security Report, 29% of attacks were reported to target the application layer.

Layer-7 DDoS attacks target components that require heavy processing power, going after business-critical parts of the application. Common application-level DDoS attacks target the login module (brute-force attacks) or the shopping cart. A typical shopping-cart DDoS scenario is shopping cart abandonment: a bot creates a shopping cart, adds products, proceeds through the checkout process and eventually aborts.

Application-layer DDoS attacks typically require less bandwidth than network-level volumetric attacks and therefore may only be noticed when system CPU or memory resources are suddenly saturated. Conventional security solutions identify layer-7 DDoS as legitimate traffic, so the attack can go completely under their radar. Layer-7 DDoS requires less effort to execute and is becoming more popular with today’s attackers. In fact, application-layer DDoS remains the only practical way for an attacker to bring down cloud applications, as the network layer is very well protected by the CSP.
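As an added example (not code from the article), the following Python sketch shows how the two layer-7 patterns just described, login brute force and shopping-cart abandonment, can be surfaced per client from web access logs, which is where they become visible when CPU or database load alone gives no attribution. The log format, endpoint paths and thresholds are assumptions, and the log lines are constructed.

```python
"""Per-client layer-7 abuse signals from web access logs (added example, not the article's code)."""
import re
from collections import defaultdict
# Constructed sample log, simplified to: client_ip method path status
SAMPLE_LOG = """\
10.0.0.5 POST /login 401
10.0.0.5 POST /login 401
10.0.0.5 POST /login 401
10.0.0.5 POST /login 401
10.0.0.5 POST /login 401
203.0.113.9 POST /cart/add 200
203.0.113.9 POST /checkout 200
203.0.113.9 POST /cart/add 200
203.0.113.9 POST /checkout 200
203.0.113.9 POST /cart/add 200
203.0.113.9 POST /checkout 200
198.51.100.2 POST /cart/add 200
198.51.100.2 POST /checkout 200
198.51.100.2 POST /order/confirm 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def analyze(log_text, login_fail_limit=5, abandon_limit=3):
    """Return {client_ip: [reasons]} for clients matching the two patterns the article
    names: login brute force and shopping-cart abandonment. Thresholds are assumptions."""
    login_fail = defaultdict(int)  # failed POST /login per client
    checkouts = defaultdict(int)   # checkout attempts per client
    confirms = defaultdict(int)    # completed orders per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if path == "/login" and status == 401:
            login_fail[ip] += 1
        elif path == "/checkout":
            checkouts[ip] += 1
        elif path == "/order/confirm" and status == 200:
            confirms[ip] += 1
    flagged = defaultdict(list)
    for ip, n in login_fail.items():
        if n >= login_fail_limit:
            flagged[ip].append(f"login brute force: {n} failed logins")
    for ip, n in checkouts.items():
        abandoned = n - confirms[ip]  # checkouts that never reached confirmation
        if abandoned >= abandon_limit:
            flagged[ip].append(f"cart abandonment: {abandoned} checkouts never confirmed")
    return dict(flagged)
```

The client that completes its order is not flagged, which is the point: the signal is the ratio of expensive requests to completed business outcomes, not request volume alone.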

3. YOUR CLOUD-SERVICE PROVIDER DOES NOT PROTECT YOU AGAINST APPLICATION-LAYER DDoS

The leading Cloud Service Providers often invest in network resiliency against load and denial of service. They may provide auto-scaling, IPS and anomaly detection solutions, which block malicious network-level attacks. Some may even offer SLAs for network-related outages, but when it comes to the hosted application layer, CSP shared-responsibility models define you as responsible for protecting it. The CSP is unaware of your application’s functionality, and from its perspective a larger number of requests to the login module or to the shopping cart is legitimate activity. Therefore, layer-7 DDoS attacks will quickly saturate your database and CPU resources.

4. PLAN YOUR ARCHITECTURE FOR AUTO-SCALING

Auto-scaling will launch new server instances during an attack. This is one of your key measures to protect against DDoS. Attackers confronting a resilient application would require additional resources to sustain the attack and will eventually proceed to an easier target.

However, auto-scaling on its own does not guarantee that your service will keep functioning. You must design your architecture for auto-scaling.

For instance, a layer-7 DDoS attack is likely to cripple your database and then saturate CPU resources. Unlike scaling a web server, auto-scaling a database requires planning for data replication and maintaining the schema during scaling. On the application level, if your app is not written to support redundancy, then auto-scaling will not reduce the load on your application.

[Figure: AWS recommended DDoS resilient architecture. From: AWS Best Practices for DDoS Resiliency, June 2014]

5. USE A LAYER-7 DDoS PROTECTION SOLUTION

Protecting the application layer against DDoS attacks requires a dedicated, cloud-based, application-aware solution, as the defense measures are completely different from those for conventional DDoS.

Three recommended features that should be on your checklist:

  • Application awareness – the solution should understand your application’s functionality in order to determine which transactions are legitimate. This is achieved by scanning the application and identifying those legitimate transactions.
  • Attack surface reduction – your solution must remove significant parts of the application’s attack surface to reduce your risk. This is achieved by responding to user requests without involving back-end system transactions (DB, CMS, etc.), by means of cached or emulated responses. CDNs are often perceived as a mechanism for reducing the attack surface; however, they use simple caching mechanisms that are easily bypassed by attackers who change the format of the request dynamically, thereby forcing the CDN to repeatedly fetch data from the origin site.
  • False-positive reduction – one of the major deficiencies of conventional DDoS mitigation solutions and WAFs, which are often used for layer-7 traffic inspection, is false positives, i.e. blocking legitimate users. Therefore, make sure to verify and test your solution for a minimal rate of false positives.
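An added example (not from the article or any CDN vendor) of the cache-key normalization that blunts the request-format variation described in the second bullet: requests that differ only in host case, trailing slash, parameter order, duplicate parameters, fragments or parameters the application never reads collapse to one cache key, so a single fetch reaches the origin instead of one per variant. The shop application, host name and known-parameter map are assumptions.

```python
"""Canonical cache keys that survive request-format variation (added example, not the article's or any CDN's code)."""
from urllib.parse import urlsplit, parse_qsl, urlencode

# Hypothetical application: the only query parameters each cacheable path really uses.
# Any other parameter is ignored when building the key, so it cannot force a cache miss.
KNOWN_PARAMS = {"/": set(), "/products": {"id", "page"}}


def cache_key(url):
    """Return a canonical cache key for a GET URL, or None when the path is not cacheable.
    Host case, trailing slash, parameter order, duplicate and unknown parameters and
    fragments are all normalized away, so equivalent requests share one cached response."""
    parts = urlsplit(url)
    host = parts.hostname or ""            # urlsplit lower-cases the host for us
    path = parts.path.rstrip("/") or "/"   # '/products/' and '/products' are the same page
    allowed = KNOWN_PARAMS.get(path)
    if allowed is None:
        return None                        # not in the cacheable set: pass to origin as-is
    kept = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in allowed and name not in kept:   # first occurrence wins, extras dropped
            kept[name] = value
    query = urlencode(sorted(kept.items()))
    return f"{host}{path}" + (f"?{query}" if query else "")


# Constructed request variants for the same product page: each is a different string,
# so a CDN keyed on the raw URL would forward every one of them to the origin.
VARIANTS = [
    "https://shop.example/products?id=42&page=1",
    "https://SHOP.example/products?page=1&id=42",
    "https://shop.example/products/?id=42&page=1&x=17",
    "https://shop.example/products?id=42&page=1&id=99#top",
    "https://shop.example/products?ref=abc&id=42&page=1",
]


def origin_fetches(urls):
    """(raw-URL keys, canonical keys): how many distinct fetches reach the origin either way."""
    raw = len(set(urls))
    canonical = len({k for k in map(cache_key, urls) if k is not None})
    return raw, canonical
```

Paths outside the cacheable set are deliberately returned as None so that dynamic transactions are never served from cache; the reduction applies only to pages whose content is fully determined by the known parameters.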

CONCLUSION

When protecting your cloud applications against DDoS, the risk is primarily in the application layer.

With a well-designed architecture, awareness of auto-scaling issues and a proper selection of layer-7 protection tools, your risk can be dramatically reduced. Read your cloud provider’s guidelines, such as AWS Best Practices for DDoS Resiliency, and, as always, feel free to contact me for comments and thoughts.