Hardening Your Cloud Environment Against DDoS

A DDoS (Distributed Denial of Service) attack seeks to exhaust resources in a given infrastructure (nowadays, mostly cloud-based systems), to hinder the operation of its services and applications.

There are different types of DDoS attacks. In volumetric assaults, the target becomes overloaded due to the sudden increase in traffic volume, disrupting it and preventing legitimate users from accessing the service. Other types of DDoS can exhaust the target system’s resources using a low volume of traffic. Overall, with the rapid evolution of the threat landscape, different varieties of DDoS appear frequently, with different degrees of complexity.

During a DDoS attack, many machines are used simultaneously; together they form a botnet. Because the requests reach the target from geographically dispersed clients, the attack is more effective and harder to block, and the targeted organization can find it difficult to distinguish attack machines from legitimate users.

These botnets can vary in size from hundreds to millions of machines, depending on the resources the attackers have at their disposal. Quite often, an attacker will leverage a large number of previously compromised client machines (e.g., consumers with “infected” PCs) or simply purchase access to an existing botnet on the black market.

While there are different varieties of DDoS attacks, the typical approach is quite simple: The attacker uses a remote tool to connect to a command-and-control server, from which he directs machines in the botnet to launch a massive attack on the targeted system, trying to render the system useless. An attack can last for minutes, hours, or in extreme cases, days. The attack machines often simulate typical client behavior, to make it more difficult for organizations to initially realize their malicious intent, and then to distinguish them from legitimate clients even after the nature of the attack has become clear.

So, how can you protect a cloud-based system against this type of attack? The top-tier public cloud providers all offer built-in DDoS mitigation products/services, but are they sufficient? In this article, we’ll explore these products, covering their benefits and shortfalls.

Built-in Solutions of the Top-Tier Public Cloud Providers

To counteract attacks against web applications, a Web Application Firewall (WAF) is commonly used. However, DDoS attacks are outside of the scope of a typical WAF, and so a separate DDoS mitigation product must be used.

Each of the Big 3 public cloud providers (AWS, Azure, and GCP) has a dedicated service that helps to mitigate DDoS attacks. We will discuss each below.

AWS Shield

AWS’ security products include AWS Shield. It comes in Standard and Advanced versions, both of which are designed to protect web apps against the most widely known DDoS attacks. All AWS customers automatically benefit from Shield Standard, which is included at no cost and inspects infrastructure-level traffic (OSI Layers 3 and 4); it is automatically built into services such as AWS CloudFront and Route 53.

AWS Shield is a ready-made and trusted solution with good documentation, but resource protection is not entirely automatic; customers should evaluate and decide what to protect and what rules should be created or enabled in advance. Additional premium protection rules can also be purchased separately via the AWS Marketplace or from third-party vendors.

The Advanced version—available for a fixed monthly fee of $3,000, plus outgoing data transfer fees—requires a commitment of one year. It brings additional features such as Elastic IP addresses and Elastic Load Balancing (ELB) integrations, availability in all CloudFront and Route 53 global edge locations, additional elastic capacity to protect against larger attacks, and, of course, more customizations.

There are significant capability differences between the two versions. While the Standard edition only works on OSI Layers 3 and 4, the Advanced version is capable of operating on Layer 7 (application), which means it can help mitigate more advanced attacks, such as the ones that try to mimic legitimate user traffic. In addition to enhanced protection, the Advanced edition also gives customers 24/7 access to an AWS DDoS Response Team that can apply manual mitigations for more complex and sophisticated attacks. However, this team is only available if you have an AWS Enterprise or Business support agreement (which costs extra per month).

Visibility also gets a huge boost for Shield Advanced customers, who are able to get near real-time notifications and view detailed diagnostics via their AWS Console. Plus, all historic information of the incidents for the past 13 months is automatically saved, stored, and available on-demand.

As a safeguard, if a customer incurs scaling charges that result from spikes during a DDoS attack, as part of their Advanced subscription, they can activate a DDoS cost-protection feature and get AWS credits in return.

Microsoft Azure DDoS Protection

Azure’s security products include Azure DDoS Protection, which has two different versions: Basic and Standard.

Enabled by default and at no extra cost, the Basic edition offers features such as automatic attack mitigation and active traffic monitoring, protecting against common network attacks and supporting both IPv4 and IPv6 public IP addresses.

The Standard version—available for a fixed monthly cost of $2,944, plus a small fee based on GB of processed data—is more advanced, providing metrics, alerts, mitigation reports, and policy customizations, as well as the ability to engage with Microsoft DDoS rapid response experts. In terms of protection, the Standard version is capable of mitigating different types of attacks: volumetric, flooding the network layer; protocol, exploiting weaknesses in Layers 3 and 4; and resource layer, acting on Layer 7 to disrupt the transmission of data between machines.

One significant difference between the two versions is that while the Basic edition is tuned for an entire Azure Region, the Standard version gives the ability to fine-tune for each individual application you have. Also, in terms of visibility, only the Standard version is capable of providing near real-time metrics (retained for 30 days) and resource logs (via Azure Monitor), combined with the ability to configure alerts based on both the start and end of an attack. This premium version is a robust solution that has the benefit of providing early notifications and more user-friendly options, but it is also worth noting that there is an additional monthly fee for each resource (e.g., public IP address, cloud instance, etc.) that goes above the included 100-resource limit.

Google Cloud Armor Managed Protection

GCP security tools include Cloud Armor, which offers a Standard tier and a Plus tier (in public preview). With both, customers receive volumetric and protocol-based DDoS protection with access to the Cloud Armor WAF, load balancers, and named IP lists. Cloud Armor protects against attacks at the application layer of the OSI model and is quite easy to manage; it also integrates well with other Google products and provides an intuitive rules language to help you customize a defense strategy. While both tiers provide Layer 7 (application) protection, you should note that neither version is free.

Pricing for the Standard version is a pay-as-you-go model, where customers are charged monthly based on the number of rules ($1/each), policies ($5/each), and requests ($0.75/million queries). The Plus tier price starts at $3,000 per month, plus data processing fees, and requires a one-year commitment. Similar to the Microsoft Azure service, it includes the first 100 resources and requires customers to pay an extra fee per resource above that limit.

From the point of view of scalability, management, and integration, the two tiers are nearly identical. In terms of protection, Cloud Armor comes out of the box with predefined rules that are capable of mitigating the OWASP Top 10 risks and that enable organizations to apply restrictions on incoming traffic based on geographic location and IP addresses; plus, new rules can be created in preview mode, which makes it possible to learn from and validate against live traffic before enabling them in production. One very interesting and overlooked feature is that Cloud Armor is also capable of defending on-premises applications and is not exclusively bound to Google networks, although its main focus is to mitigate attacks against Google Cloud Load Balancing workloads.

In terms of visibility, Cloud Armor gives you the possibility of analyzing suspicious traffic patterns and monitoring the metrics associated with the policies you choose in the Cloud monitoring dashboard. The two Cloud Armor versions are remarkably similar in terms of capabilities; the number of resources required and minor features you may want will dictate which one is the better pick for your organization’s specific needs.

Making the Most of Your DDoS Protection Investment

When comparing and analyzing the solutions from the Big 3, without direct experience and judging only by their marketing materials, it might seem that they could equally meet all of your expectations. Is it really so?

Having a free DDoS protection service available, such as the entry-level versions for AWS and Microsoft Azure, is a good way to get started in protecting your web applications and cloud workloads. Yet, the protection capabilities and features here are quite basic, mitigating only simpler attacks on Layers 3 and 4, and they are inadequate for protecting against more advanced attacks.

Therefore, the question becomes: should you go beyond the free and basic tier? As we saw above, when it comes to pricing, going from the free/pay-as-you-go baseline version to the premium edition does not merely entail the typical cloud-resource price increase of a few more cents per hour. Before making the decision to upgrade, it is important to evaluate the cost and risk of suffering a DDoS attack in your organization (such attacks are nowadays increasingly common and advanced) in terms of potential financial damage and lost revenue.

Especially when you’re protecting critical corporate workloads or high-volume traffic targets, the answer to whether to invest in DDoS protection coverage should be a solid “yes.”

Coverage That Matters

Unfortunately, all of the above services usually fall short when the goal of the DDoS attack shifts or when the attack is very complex. The “Yo-Yo” DDoS attack is just one example of attacks that are gaining ground against cloud-based infrastructures. In this particular example, the goal is not to take the target offline (although that might happen) but rather to inflict financial damage on the target company by forcing it to unnecessarily scale up its cloud resources, exposing it to high costs without any corresponding gain in business value.

How does this happen in practice? The “Yo-Yo” attack starts with a massive DDoS, so the victim’s cloud infrastructure scales up automatically and deploys additional resources to adapt to the increased traffic needs. The DDoS attack then halts, and—this is the key element—waits until the autoscaling target system scales down its resources, then restarts the attack and forces the cloud system to scale up again. This cycle is then repeated indefinitely, which makes the system resources go up and down, therefore giving it the name “Yo-Yo.”

This is effective because customer resources are typically billed based on what is deployed, not on what is actually used. The attacker’s goal is to minimize his own expenses while still forcing the targeted system to scale up resources far beyond the levels that are actually necessary. Cloud service providers charge their customers additional fees (to the tune of thousands of dollars) for these additional resources, while the customer receives no added value—no business/sales gained.
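The Yo-Yo cycle described above leaves a recognisable signature in autoscaling activity: repeated scale-up/scale-down pairs returning to the same baseline. The following detection sketch is an added example, not code from the article or from any vendor; it assumes a simplified, constructed activity-record format (timestamp, desired capacity before, desired capacity after) and computes both the number of cycles and the instance-hours spent above baseline, which is the quantity the attacker is trying to inflate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of autoscaling activity records (not from any real account).
# Each line: ISO-8601 timestamp, desired capacity before, desired capacity after.
SAMPLE_ACTIVITY = """\
2024-03-01T10:00:00Z 2 10
2024-03-01T10:40:00Z 10 2
2024-03-01T11:00:00Z 2 10
2024-03-01T11:40:00Z 10 2
2024-03-01T12:00:00Z 2 10
2024-03-01T12:40:00Z 10 2
2024-03-01T13:00:00Z 2 10
"""

@dataclass
class ScalingEvent:
    when: datetime
    before: int
    after: int

def parse_activity(text: str) -> list[ScalingEvent]:
    """Parse the constructed record format into time-ordered events."""
    events = []
    for line in text.splitlines():
        ts, before, after = line.split()
        events.append(ScalingEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                   int(before), int(after)))
    return sorted(events, key=lambda e: e.when)

def count_yoyo_cycles(events, window=timedelta(hours=2), baseline=2) -> int:
    """One cycle = scale-up from baseline followed by a return to baseline within `window`."""
    cycles, pending_up = 0, None
    for ev in events:
        if ev.before <= baseline < ev.after:          # left the baseline: scale-up
            pending_up = ev
        elif pending_up and ev.after <= baseline < ev.before:  # back to baseline: scale-down
            if ev.when - pending_up.when <= window:
                cycles += 1
            pending_up = None
    return cycles

def excess_instance_hours(events, baseline=2) -> float:
    """Instance-hours billed above baseline between consecutive events (last event is open-ended)."""
    total = 0.0
    for cur, nxt in zip(events, events[1:]):
        hours = (nxt.when - cur.when).total_seconds() / 3600
        total += max(cur.after - baseline, 0) * hours
    return total

def is_yoyo_suspected(text: str, min_cycles: int = 3) -> bool:
    """Flag activity that shows at least `min_cycles` up/down cycles; feed this into alerting."""
    return count_yoyo_cycles(parse_activity(text)) >= min_cycles
```

In production the same logic would read the provider's scaling-activity history and tune `window`, `baseline` and `min_cycles` to the workload's normal diurnal pattern so that legitimate traffic peaks are not flagged.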

While the premium tier of cloud providers’ DDoS protection services often has a cost-protection feature, where these charges would be reimbursed to the customer, it is worth keeping in mind that this comes in the form of cloud credits, not a cash rebate. And arguably, this reimbursement is less valuable when you consider that it requires regular payments for the premium tier of service.

Other Weaknesses

In addition to being challenged by sophisticated attacks, the built-in Big 3 security tools have other weaknesses.

First, their scope is limited; they are meant for use on the vendor’s specific platform (especially the products for AWS and Azure). This means that they lose much of their attractiveness in multi-cloud or hybrid architectures; also, many organizations will object to the vendor lock-in that accompanies the use of built-in products.

But even in a single-platform environment, these products have additional limitations. The Big 3’s security tools can be challenging to use; most have limited automation capabilities, and they require the user to manually create and maintain rulesets for demanding or advanced uses.

This isn’t surprising. Cloud providers are not in the web security business; they are not trying to make the best WAF, or create the most advanced bot detection engine, or push forward the state-of-the-art in API protection or DDoS mitigation. Instead, they are trying to gain more customers and create more infrastructure usage.

Therefore, to obtain and maintain robust security, you need to supplement these products with more powerful capabilities.

Third-Party Solutions

To improve the security of your cloud against such attacks, it’s worth exploring third-party solutions made by specialized security companies, such as our partner Reblaze, which can also help you mitigate complex attacks.

Attackers are increasingly using unusual techniques to make mitigation difficult. Further, in a world that’s becoming more and more connected, attackers are able to exploit any type of internet-connected machine (including IoT appliances and cellular devices) to access millions of IP addresses and launch a volumetric attack. Reblaze includes DDoS protection as part of its unified security platform, along with its next-gen Web Application Firewall, API security, bot management, ATO prevention, and more. The platform leverages advanced intelligence capabilities and modern techniques such as behavioral analysis and machine learning, making it possible to identify different user and machine behavior patterns and detect whether each action is hostile or legitimate.

Adopting a Solution That Meets Your Needs

Today’s IT and cloud world is increasingly dangerous, with sophisticated attacks driven by various forms of ill intent: financial gain, state-sponsored attacks, and ideological statements, among others. In these hectic times, it is worth enlisting the help of cybersecurity professionals like activereach and Reblaze, for whom cloud security is the primary mission, and who offer a fully managed solution.

To learn more about how activereach and Reblaze can help you mitigate complex attacks, contact us here or call the team on 0845 625 9025.


This article was shared from an original written by Spiros Psarris for Reblaze.