With cloud computing’s paradigm of shared infrastructure, DDoS attacks on a specific target can quickly affect many or all tenants.
Nick Race, New Zealand country manager for Arbor Networks, explains why availability should be the top priority, and how resellers can help customers prevent and mitigate these attacks.
The growing popularity of the cloud computing model has been accompanied by a great deal of discussion, and some concrete action, regarding security concerns related to the use of computing, storage, networking and services infrastructure which, by definition, is shared among multiple end customers.
While the classic siloed, single-tenant server model quite often involves the use of shared networking and ancillary services infrastructure, such as DNS, bringing together the application logic and proprietary data of multiple organisations on the same computing/networking/storage substrate has highlighted these concerns, and brought them to the forefront for many IT professionals and executives worldwide.
Distributed denial of service (DDoS) attacks are launched with the intent of negatively impacting the availability of the targeted applications, data or services.
While DDoS attacks launched against classic siloed systems often cause collateral damage due to their impact on shared resources—such as network infrastructure, DNS, etc—the inherent and explicit multi-tenancy of cloud computing environments means that an attack against one tenant/customer is an attack against all end customers making use of the same shared infrastructure.
Best practices

Ensuring availability in the face of DDoS attacks can be challenging.
Fortunately, there is a large body of best current practices for maintaining availability which have been developed by the internet operational community and successfully deployed by many service providers and data centre operators with a good track record of maintaining availability.
There is a real opportunity for resellers to become managed security service providers and take on some of these operational aspects of cloud services through their security skills and security operations centre.
By properly assessing the risk to availability posed by the cloud computing model, resellers can work with operators and end users of cloud services to minimise their risks and maximise the security postures.
Resellers should advise and assist their customers to implement the following as part of their organic cloud computing architectures and/or ensure their cloud providers have done so:
• Maintain up-to-date communications plans, including contacts for peers and upstream providers so established operational security teams can react quickly and effectively to DDoS attacks.
• Participate in online mitigation communities to increase the effectiveness of coordinated responses to attacks.
• Implement strong, scalable architectures that minimise state- and capacity-bound chokepoints, which can otherwise be exploited by attackers, leading to DDoS attacks that cripple public-facing properties.
• Implement real-time detection, classification and traceback capabilities to identify DDoS attacks, understand what is happening and take appropriate defensive measures.
Flow telemetry such as Cisco NetFlow, Juniper cflowd and sFlow should be enabled at all network edges, and exported into a collection/analysis system such as Arbor Peakflow SP.
• Deploy a source-based remotely triggered blackholing (S/RTBH) capability which leverages existing network infrastructure in defending against simple packet-flooding attacks from a relatively small number of sources.
S/RTBH uses BGP as a control-plane mechanism to signal edge devices, within seconds, to start dropping attack traffic at the edges of the network, based on the purported source IP addresses of the attack-related packets. Because the filter keys on source addresses, it is most useful against floods from a small, stable set of real sources; randomly spoofed floods need the more granular mitigation described below.
• Avoid deploying firewalls and IDS/IPS in front of internet-facing servers. Even the largest devices are DDoS chokepoints; they degrade the operational security posture of the network and applications by making them more vulnerable to DDoS than the servers alone otherwise would be.
Instead, policy should be enforced by stateless ACLs in hardware-based routers and switches, which are capable of handling millions of packets per second.
• Deploy intelligent DDoS mitigation systems in topologically appropriate cleaning centres to block attacking traffic on a more granular level, including sophisticated application-layer attacks and spoofed attacks.
• Employ infrastructure ACLs (iACLs) at the relevant network edges (peering/transit, customer aggregation edge, etc) to protect the network infrastructure itself.
For traffic that is destined for Internet-facing servers, use additional service-specific sections to restrict the traffic to ports and protocols associated with the services and applications on those servers.
• Filter irrelevant internet protocols at network edges via ACLs. The IP protocol field allows 256 values, and only a handful of them (TCP, UDP, ICMP and, on specific hosts, GRE or ESP) carry legitimate traffic to a typical public-facing server.
Packet-flooding attacks based on protocol 0, ESP, GRE and other relatively uncommon protocols can be used by attackers to bypass ACLs whose policy statements only address common protocols such as TCP, UDP and ICMP and then permit everything else; the remaining protocols should be explicitly denied.
• Deploy additional network infrastructure best practices such as control- and management-plane self-protection mechanisms (receive ACLs (rACL), control-plane policing (CoPP), GTSM, MD5 keying of routing-protocol sessions, etc).
• Make network infrastructure devices accessible only via designated management hosts. During attacks, a dedicated, out-of-band (OOB) management network allows devices to be managed irrespective of conditions on the production network and ensures continuing visibility into attack traffic.
• Configure public-facing servers in a hardened manner, with unnecessary services disabled, service-specific configuration hardening, IP stack tuning and other relevant mechanisms.
• For Web servers, Apache modules such as mod_security and mod_evasive provide additional defensive capabilities.
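The following is an added example, not code from the article or from Arbor's products, tying together the flow-telemetry, S/RTBH and uncommon-protocol points above. It aggregates constructed flow records (the shape a collector would hold after ingesting NetFlow/sFlow exports) per destination, flags destinations whose packet rate crosses a threshold, notes when the dominant protocol is one that a TCP/UDP/ICMP-only ACL would not cover, and emits trigger-router static routes for S/RTBH only when the number of sources is small enough for source-based blackholing to be practical. The thresholds, the 60 s collection interval, the `tag 66` route-tag convention and every address in the sample data are assumptions.

```python
"""Flood detection over flow telemetry, with S/RTBH candidate selection.

Added example; not Arbor code. Flow records are constructed to resemble
collected NetFlow/sFlow data (src, dst, IP protocol, dst port, packets, bytes)
for one collection interval.
"""
from collections import defaultdict
from dataclasses import dataclass

# IANA IP protocol numbers. Only TCP, UDP and ICMP are "common" for a typical
# Internet-facing server; anything else is flagged so the operator can check
# that edge ACLs actually cover it.
PROTO_NAMES = {0: "HOPOPT(0)", 1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}
COMMON_PROTOS = {1, 6, 17}

# Assumed tuning values.
INTERVAL_S = 60            # length of the collection interval
PPS_THRESHOLD = 50_000     # aggregate pps per destination that counts as a flood
MAX_RTBH_SOURCES = 64      # above this, source-based blackholing is impractical


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    bytes: int


def detect_floods(flows, interval_s=INTERVAL_S, pps_threshold=PPS_THRESHOLD):
    """Return {dst: report} for destinations whose aggregate pps crosses the threshold."""
    pkts_by_dst = defaultdict(int)
    pkts_by_dst_proto = defaultdict(lambda: defaultdict(int))
    pkts_by_dst_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        pkts_by_dst[f.dst] += f.packets
        pkts_by_dst_proto[f.dst][f.proto] += f.packets
        pkts_by_dst_src[f.dst][f.src] += f.packets

    reports = {}
    for dst, pkts in pkts_by_dst.items():
        pps = pkts / interval_s
        if pps < pps_threshold:
            continue
        protos = pkts_by_dst_proto[dst]
        top_proto = max(protos, key=protos.get)
        srcs = pkts_by_dst_src[dst]
        reports[dst] = {
            "pps": pps,
            "top_proto": top_proto,
            "top_proto_name": PROTO_NAMES.get(top_proto, str(top_proto)),
            # True when a TCP/UDP/ICMP-only ACL would not match the flood.
            "uncommon_proto": top_proto not in COMMON_PROTOS,
            "source_count": len(srcs),
            # Heaviest sources first (sorted() is stable, so ties keep order).
            "top_sources": sorted(srcs, key=srcs.get, reverse=True),
        }
    return reports


def rtbh_candidates(report, max_sources=MAX_RTBH_SOURCES):
    """Sources to blackhole via S/RTBH, or [] when there are too many for it to help."""
    if report["source_count"] > max_sources:
        return []
    return list(report["top_sources"])


def trigger_routes(sources, tag=66):
    """Trigger-router static host routes. The assumed convention is that a
    route-map matches 'tag 66' and redistributes these into iBGP with the
    blackhole next-hop, which every edge already routes to Null0."""
    return [f"ip route {s} 255.255.255.255 Null0 tag {tag}" for s in sources]


# Constructed sample data for one 60 s interval (documentation address ranges).
SAMPLE_FLOWS = (
    # GRE (protocol 47, no port) flood from five sources: 5M packets = ~83,333 pps.
    [Flow(f"198.51.100.{i}", "203.0.113.10", 47, 0, 1_000_000, 60_000_000) for i in range(1, 6)]
    # Distributed UDP/53 flood from 200 sources: 20M packets = ~333,333 pps.
    + [Flow(f"192.0.2.{i}", "203.0.113.30", 17, 53, 100_000, 6_000_000) for i in range(1, 201)]
    # Ordinary web traffic: 6,000 packets = 100 pps, well under the threshold.
    + [Flow(f"198.51.100.{i}", "203.0.113.20", 6, 443, 2_000, 1_500_000) for i in range(50, 53)]
)

if __name__ == "__main__":
    for dst, rep in detect_floods(SAMPLE_FLOWS).items():
        print(f"{dst}: {rep['pps']:.0f} pps, top protocol {rep['top_proto_name']}, "
              f"{rep['source_count']} sources, uncommon={rep['uncommon_proto']}")
        cands = rtbh_candidates(rep)
        print("\n".join(trigger_routes(cands)) if cands else "  too many sources for S/RTBH")
```

In the sample data the GRE flood comes from five sources, so the script proposes five trigger routes; the 200-source UDP flood is left to an intelligent mitigation system. A spoofed flood would show as many sources with few packets each, and this simple rule treats it the same way, which is the right default: blackholing purported source addresses of a spoofed attack only drops traffic from innocent third parties.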
Maintaining availability in the face of DDoS attacks can be challenging, but as the above list of best current practices demonstrates, it is neither impossible nor out of the reach of organisations of any size.
For more on cloud, check out the June edition of The Channel.