The DDoS community has grown over the years and has become more involved for both the attacker and the defender. For an enterprise business, mitigating these attacks locally has become a nightmare and is not practical. Even if you deploy on-premise gear that blocks 100% of the attack, the attacker still kind of won if he manages to fill your internet uplinks with 100% useless traffic.
If you trust your ISP to mitigate, you normally get a very bad result, since they cut with a broad sword. Asking your ISP to mitigate for you is like going to the doctor with a small splinter in your finger and, instead of pulling the splinter out with a pair of tweezers, the ISP just cuts your whole hand off, or worse, cuts your arm off. Your results would not be any better than if you had just left the splinter in your finger.
The new wave of mitigation involves using a cloud-based approach. With cloud-based DDoS solutions, we deploy an in-the-cloud datacenter and install a lot of mitigation gear and big fat pipes into these scrub centers.
Every in-the-cloud provider hopes that the inbound traffic (good and bad) arriving at any one scrub center stays below that scrub center's available capacity, and that no single customer exhausts its resources. With the in-the-cloud mitigation approach, you place all of your resources within the cloud provider's arena.
Look at it this way: let's say you were a 90lb petite female, and you had to fight off Mike Tyson. The odds are against you; you will LOSE. So you hire a whole bunch of guys weighing between 120-187lbs each and put them in front of yourself. The odds are now that you will win. Also, they will get punched, kicked, bruised and black-eyed while you sit back and do your nails, un-impacted.
If the attacks are very huge, you just throw in more guys or switch them out with fresh bodies.
All in-the-cloud providers have ready means to grow their uplink bandwidth, and to scale their core mitigation gear wide and deep if required. Also, the ramp-up to do this is quick in most cases, or at least quicker than a large enterprise business could execute.
Now let's look at what every in-the-cloud mitigation provider offers to some degree. Most solutions revolve around one of the two technologies listed below:
· A reverse proxy server (some brand of SLB, server-load-balancer, appliance)
· Or some type of virtual tunnel or direct connection to the DDoS service provider's network
In all of the above, they will need to steer traffic into the cloud and away from your front door (your network). With the proxy-server solution, we typically deploy a DNS A record redirection: the change points your website to the virtual-server IP (aka VIP), and then all bad traffic naturally flows to the VIP, if the attacker is attacking via the DNS hostname.
Even if he (the attacker) targets your IP address directly, you normally deploy some simple firewall policies that only allow direct access from the mitigation provider's trusted address space, and deny everything else.
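As an added example (not code from the original post), here is a small Python check of the direct-to-origin lockdown described above: it takes a constructed allow-list of the mitigation provider's ranges (documentation placeholder CIDRs, not any real provider's), renders the equivalent allow-only-from-provider firewall policy, and flags inbound connections in a constructed log that reached the origin's web ports without coming through the scrub center.

```python
import ipaddress

# Constructed placeholder: the scrubbing provider's trusted egress ranges.
# A real deployment takes these from the provider, not from this example.
PROVIDER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),       # TEST-NET-1, placeholder
    ipaddress.ip_network("2001:db8:100::/48"),  # documentation prefix, placeholder
]

# Constructed placeholder: the origin's public-facing web service ports.
ORIGIN_VIP_PORTS = (80, 443)

def from_provider(src: str) -> bool:
    """True if the source address falls inside a trusted provider range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROVIDER_RANGES)

def render_policy() -> list:
    """Render the 'allow only from provider, deny everything else' policy
    as vendor-neutral rule tuples: (action, source, dst_ports)."""
    rules = [("allow", str(net), ORIGIN_VIP_PORTS) for net in PROVIDER_RANGES]
    rules.append(("deny", "any", ORIGIN_VIP_PORTS))  # explicit final deny
    return rules

def find_bypass(conn_log) -> list:
    """Scan 'src_ip dst_port' log lines and return the sources that reached
    the origin's web ports without coming through the provider. Those are
    the direct-to-IP hits the firewall policy exists to stop."""
    hits = []
    for line in conn_log:
        src, port = line.split()
        if int(port) in ORIGIN_VIP_PORTS and not from_provider(src):
            hits.append(src)
    return sorted(set(hits))

# Constructed sample log: two provider-sourced hits, two direct hits, one non-web port.
SAMPLE_LOG = [
    "192.0.2.10 443",
    "2001:db8:100::7 80",
    "203.0.113.5 443",     # direct to origin, bypassing the scrub center
    "198.51.100.9 80",     # direct to origin, bypassing the scrub center
    "198.51.100.9 22",     # not a web port; outside this policy's scope
]

if __name__ == "__main__":
    for rule in render_policy():
        print(rule)
    print("bypass sources:", find_bypass(SAMPLE_LOG))
```

Any source that shows up in the bypass list is either a misconfigured policy or an attacker who learned the origin IP, and either way is a signal the lockdown is not doing its job.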
The virtual-tunnel or direct-connected solution just nails your full network space behind the mitigation provider's space. All traffic entering your network space travels thru the service provider's arena first. This allows for inspection, monitoring, mitigation and filtering of traffic. This connection is permanent and mutually agreed upon by the end user and the mitigation service provider. It offers higher uptime and lower latency.
With the virtual-tunnel/direct-connection design, you can now leverage cloud-based WAF, compliance inspection, and other hosted security protection models such as flowspec, fingerprinting and IP reputation scoring. We also have the means to leverage AV/malware cleanup, at the expense of even greater cost and possibly increased latency.
In all approaches, latency does increase to some degree, but only because your remote clients' traffic must travel thru the mitigation provider's network space and platform in order to be inspected, policed and hopefully allowed thru. This latency increase is normally minimal and within acceptable levels.
Now a few challenges exist with the cloud-based solution:
· SSL inspection is still in jeopardy if certificates and web server private keys are not provided
· In-the-cloud providers must maintain a higher number of bodies and offer 24x7 coverage for the monitoring and mitigation process for the duration of the attack
· Unless the service is always-on, it's hard to determine when an attack begins, or even to have a quick means of figuring out the type of attack(s) (I will speak more about this in a future post)
· Customers have to make minimal changes in order to integrate into the service provider's systems and networks
· Training of their IT staff is time consuming
· Attack intelligence is limited and not shared amongst providers, hampering quick distribution of knowledge and threat indications
· Almost no DDoS provider can honestly claim 100% effectiveness (there's always leakage, and legit traffic that gets over-mitigated)
· It's next to impossible to use the gathered forensics to identify and/or prosecute ALL attackers. The cost, and the pure fact that the attackers could be anywhere from here to Mars, make this point very hard to follow up on; also, the attack sources are often spoofed or are infected bot agents.
Now we need to look at what types of attacks these in-the-cloud providers protect from.
Basically any and all.
Yes, with the right mitigation gear, we can easily defend from pure bandwidth attacks, L3/L4 protocol attacks, redirection attacks, and Layer 7 application attacks, including GET/POST floods or those based off SQL injection.
With AV/malware-supported gear, we can even clean up the traffic from viruses, worms and Trojans. This alone will reduce the chance of an infection, or of a machine that could later infect others or become a member of a future bot attack.
DDoS mitigation is an ongoing chess game of the good guys versus the bad guys, in a never-ending battle.
Ken Felix
Freelance Network and Security Engineer
Let the battles begin
kfelix at hyperfeed dot com