Distributed denial of service (DDoS) is one of the most insidious types of digital attacks that can cause cloud outages. It is typically directed at a specific target, and if done competently, can bring an application or even all network traffic to its knees. In general, DDoS is a way of flooding a server with traffic or malformed packets that either overwhelm its processing power or make it wait in order to respond. Either way, the enterprise, or at least an individual application, is blocked from the network.
Of course, rather than a single server, most modern applications are distributed across multiple servers in a server farm, or even across multiple server farms in the cloud. But different application and network architectures don’t prevent DDoS attacks. A well-executed attack can bring the entire enterprise application to a grinding halt. Usually these attacks occur from highjacked systems or devices, which can number in the thousands. These systems can also be spread around the world, so that it is impossible to localize the source of the attack.
Different types of DDoS attacks
DDoS attacks can fall into one of several categories. The first is volume attacks. Volume attacks are just what the term implies – a large volume of traffic that consumes all of the bandwidth to that system. These are probably the easiest attacks to perpetrate, and most difficult to defend. There ware also protocol attacks, and application-level attacks.
Two types of volume attacks are UDP floods and ping floods. UDP floods are the classic case of sending of large numbers of packets to a server, without waiting for a response. Ping floods do the same, except that they send a continuous sequence of pings, without allowing time for response. The uses up computing resources, including processing power and network bandwidth.
Some attacks involve malformed packets that don’t follow protocol rules. The ping of death, for example, creates larger-than-allowable packets that are broken up for transmission, then reassembled at the destination. Because the reassembled packet is too large, it can cause buffer overflows or other memory errors.
Last, application-level attacks target individual applications, often using continuous HTTP GET or POST requests to tie up the application. This often doesn’t max out bandwidth, but it uses server resources responding to the HTTP requests. This could max out server capacity fairly easily.
Is there an effective defense?
DDoS attacks can occur for any reason, or no reason. Attackers may have a vendetta against an enterprise, or may be trying to blackmail it. Attackers may be trying to demonstrate a particular skill to gain status in the industry, and simply chose your enterprise at random.
There are few reliable ways of preventing a DDoS attack. One is to maintain a separate server farm on a different network segment, with a different DNS. If the network incorporating your primary DNS is being consumed, you can switch to the secondary DNS on another network segment. Depending on the type of attack and where it is attacking, switching to a secondary DNS can let traffic through. That’s a potentially expensive solution, however, because it requires an essentially duplicate cloud infrastructure.
But early detection is possible, and can help mitigate the damage. If you are using the crowd to benchmark your commercial SaaS application against others, it can make a difference. You might notice your own response time trending upward, well over the average of all users of that application. That could be an indication of an attack on the application as it is serving your enterprise. Armed with this information, you can contact your provider, inform your user base and batten down the hatches to rid out the DDOS storm.
Depending on whether you organization is leveraging SDWAN, cloud-based Proxy or MPLS solutions, you maybe able to alter your traffic routing temporarily to alleviate and improve cloud application access. Having real-time insight into the traffic and access performance your different branch offices are experiencing will give you an idea if traffic re-routing will help or hurt the situation. If response times are increasing across the crowd, the attack may be directly at the application. Monitoring your commercial SaaS applications may be the most cost-effective way of getting the jump on any attacks you may face.