Bumper to Bumper: Detecting and Mitigating DoS and DDoS Attacks on the Cloud, Part 1

This is the first installment in a two-part series about DDoS attacks and mitigation on cloud.

In the digital age, the security of applications and networks is of paramount importance. Networks are under increasing threat from a growing number of cybercriminals — both individual actors and organized groups — around the world. The demand for qualified security professionals is escalating by the day as organizations become more aware of the consequences of these threats.

Attacks can take various forms and target many different parts of your environment, such as the network, transport and application layers. Application-layer vulnerabilities can arise due to insecure coding or use of faulty components. Actors can exploit these vulnerabilities to deface applications, steal, modify or delete customer data, or bring down applications and systems altogether.

One way to disrupt services is to flood networks and applications with overwhelming volumes of traffic. We’ll focus on two of the most common methods cybercriminals use to inflict this type of damage: denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.

DoS Attacks: Malicious Traffic Originating From a Single Source

Attacks that bring down systems and cause downtime are called DoS attacks. DoS attacks can occur over various layers of the Open Systems Interconnection (OSI) model. Campaigns that aim to flood the network or consume resources to deny genuine traffic are best handled at the network or infrastructure level using firewall rules and an intrusion detection system (IDS).

Application-level (Layer 7) DoS attacks are hard to detect because they appear as normal traffic: they complete full Transmission Control Protocol (TCP) connections and follow the rules of the protocol. Because such traffic is well-formed, it passes through the firewall and reaches the application directly. The most common forms of Layer 7 DoS attacks involve HTTP traffic, targeting the web server and the application behind it. Other forms target services such as the Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP) and Secure Shell (SSH).

DoS attacks usually originate from one source. System administrators put in place myriad methods and filters to detect such incidents. When a DoS is detected, an IDS can stop the attack by blocking traffic from the questionable source.

DDoS Attacks: An Onslaught of Traffic From Multiple, Disparate Sources

Cybercriminals have discovered that they can circumvent DoS defenses by employing a technique known as distributed denial-of-service. In this type of attack, malicious traffic originates from multiple sources scattered across the globe and converges upon one system or network. As a result, IDS solutions and firewalls have difficulty detecting and blocking DDoS incidents.
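Added example, not code from the article, putting the two detection approaches above into practice: a per-source request-rate rule that identifies the single origin of a classic DoS so it can be blocked, and an aggregate-rate rule that still fires when the same load is spread across many sources, each of which stays under the per-IP limit. The log line format, addresses, thresholds and baseline are all constructed for the example.

```python
from collections import defaultdict

def parse_line(line):
    """Parse one constructed access-log line: '<client_ip> <unix_ts> <method> <path>'."""
    ip, ts, _method, path = line.split()
    return ip, int(ts), path

def requests_per_source(lines, window_start, window_len):
    """Count requests per client IP inside [window_start, window_start + window_len)."""
    counts = defaultdict(int)
    for ip, ts, _ in map(parse_line, lines):
        if window_start <= ts < window_start + window_len:
            counts[ip] += 1
    return dict(counts)

def single_source_offenders(lines, window_start, window_len, per_ip_limit):
    """Per-source rule: flags the one origin of a classic DoS so an IDS can block it."""
    counts = requests_per_source(lines, window_start, window_len)
    return sorted(ip for ip, n in counts.items() if n > per_ip_limit)

def aggregate_spike(lines, window_start, window_len, baseline_rps, factor):
    """Aggregate rule: compare the total request rate with a learned baseline.
    A DDoS trips this even when every individual source stays under per_ip_limit."""
    total = sum(requests_per_source(lines, window_start, window_len).values())
    rps = total / window_len
    return rps > baseline_rps * factor, rps

def build_sample(distributed):
    """Constructed traffic for a 10-second window: 5 legitimate clients plus either
    one flooding source (DoS) or 200 sources sending one request each (DDoS)."""
    lines = [f"192.0.2.{i % 5 + 1} {1000 + i % 10} GET /index.html" for i in range(20)]
    if distributed:
        lines += [f"198.51.100.{i + 1} {1000 + i % 10} GET /search?q=x" for i in range(200)]
    else:
        lines += [f"203.0.113.9 {1000 + i % 10} GET /search?q=x" for i in range(200)]
    return lines

if __name__ == "__main__":
    for label, sample in (("DoS", build_sample(False)), ("DDoS", build_sample(True))):
        offenders = single_source_offenders(sample, 1000, 10, per_ip_limit=50)
        spiked, rps = aggregate_spike(sample, 1000, 10, baseline_rps=2.0, factor=3)
        print(f"{label}: per-source offenders={offenders}, aggregate spike={spiked} ({rps:.1f} rps)")
```

In the DoS case the per-source rule names the flooding address; in the DDoS case it finds nothing, and only the aggregate rule reports the spike, which is why distributed traffic defeats source-based blocking alone.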

Attackers can use their own systems or exploit other vulnerable devices to route the attack. Increasingly, DDoS-wielding cybercriminals use botnets made up of devices they commandeer from unsuspecting victims using social engineering tactics, such as phishing, or by exploiting vulnerabilities within those systems. The DDoS threat vector has grown in size and sophistication over the past few years.

DDoS Variants

Cybercriminals use DDoS attacks to flood networks, systems or applications with more traffic than the target can handle, causing it to crash or go out of service. Let’s take a closer look at some DDoS variants and determine how organizations can assess the risk and mitigate the threat.

Volume-Based Attacks

A volume-based DDoS attack aims to exhaust network bandwidth, which is limited for companies of all sizes, by leveraging botnets. Due to the increasing proliferation of connected devices, botnets with more than 1 million nodes are very common and accessible. Such a botnet can easily choke the network of a midsized company, thereby blocking all legitimate traffic.

Protocol Attacks

This type of DDoS attack is designed to exploit weaknesses in the Layer 3 and 4 protocols. Unlike volume-based attacks, which aim to saturate the target’s internet connection, protocol attacks cause disruption with relatively small amounts of network traffic.

Take TCP, a well-known Layer 4 protocol. For a connection to be established, the two systems must complete a three-way handshake: SYN, SYN-ACK, ACK. Attackers can exploit this process by sending SYN packets and never returning the final ACK, leaving the server holding half-open connections. This is known as a SYN flood attack; it exhausts the server's connection backlog so that legitimate connection attempts are refused.
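Added example, not from the article, of a defender-side check for the half-open connections a SYN flood leaves behind. It parses output shaped like that of `ss -tan state syn-recv` on Linux (when a state filter is given, `ss` omits the State column), counts SYN-RECV entries per remote address, and compares the total with the configured backlog size. The sample output, backlog size and thresholds are constructed, not captured from a real host.

```python
from collections import Counter

def build_sample_ss_output(flood_lines=120):
    """Constructed text in the layout of `ss -tan state syn-recv`:
    Recv-Q Send-Q Local Address:Port Peer Address:Port (no State column)."""
    rows = ["Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    rows += [f"0 0 10.0.0.2:443 203.0.113.7:{40000 + i}" for i in range(flood_lines)]
    rows += [f"0 0 10.0.0.2:443 198.51.100.20:{51000 + i}" for i in range(5)]
    rows += ["0 0 10.0.0.2:443 [2001:db8::1]:52000"]
    return "\n".join(rows)

def peer_address(endpoint):
    """Strip the port from 'ip:port' or '[ipv6]:port'."""
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")

def half_open_by_peer(ss_output):
    """Count SYN-RECV (half-open) connections per remote address."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        counts[peer_address(fields[3])] += 1
    return counts

def syn_flood_indicators(ss_output, backlog, fill_ratio=0.5, per_peer_limit=20):
    """Return (alert, backlog_fill, noisy_peers): whether the half-open count has
    reached fill_ratio of the backlog, how full it is, and which peers hold an
    abnormal number of half-open connections."""
    counts = half_open_by_peer(ss_output)
    fill = sum(counts.values()) / backlog
    noisy = sorted(ip for ip, n in counts.items() if n > per_peer_limit)
    return fill >= fill_ratio, fill, noisy

if __name__ == "__main__":
    alert, fill, noisy = syn_flood_indicators(build_sample_ss_output(), backlog=128)
    print(f"alert={alert} backlog_fill={fill:.2f} noisy_peers={noisy}")
```

A backlog that stays near full while a few peers account for most SYN-RECV entries is the signature to watch for; on Linux, enabling SYN cookies (`net.ipv4.tcp_syncookies`) lets the kernel keep accepting legitimate handshakes once the backlog is exhausted.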

Application-Layer Attack

An application-layer DDoS attack is designed to disrupt service by exploiting vulnerabilities within applications. The malicious traffic conforms to the protocol, meaning that each request is legitimate from the protocol's point of view. This makes it difficult for detection tools to distinguish malicious traffic from genuine traffic.

Risk Assessment and Potential Consequences for CSPs

DDoS attacks pose significant risks to both cloud service providers (CSPs) and their clients. Cybercriminals might launch DDoS campaigns to bring down enterprise applications or simply for personal satisfaction. Malicious actors have even used this method to extort money from victims.

These attacks can last anywhere from a few hours to a few weeks. For CSPs, DDoS incidents can lead to negative publicity, and it might take years to repair the reputational damage. Long service outages can result in revenue loss for both the cloud provider and its clients. Finally, DDoS attacks against banking and financial institutions can expose sensitive customer data, including credit card information.

In the second installment of this series, we’ll look at examples of simulated DDoS attacks, and discuss mitigation strategies and techniques cloud security teams can employ to protect their networks from this threat.

Srikanth K Ballal

Infrastructure Architect - Application Security, Cloud Migration, IBM
