The frequency and extent of distributed denial of service (DDoS) attacks continue to increase, and cloud service providers may well be among the prime targets for attackers. Their business model rests in particular on the ability to provide high-bandwidth Internet connectivity to and from their customers' virtual instances. Tapping into this windfall, directly on the provider's infrastructure or indirectly by attacking one of its customers, would make it easy to take DDoS to a much larger scale. Is this a real threat? And how can a company using cloud services protect itself from it?
In the past, a group of cybercriminals exploited Elasticsearch’s vulnerability CVE-2014-3120 and the Mayday Trojan for Linux in order to compromise several Amazon EC2 virtual machines. This vulnerability was not exclusive to cloud systems and could have been used against any server. But its use against cloud systems has opened up interesting opportunities for attackers.
They were thus able to launch UDP-based DDoS attacks from compromised cloud instances. The attackers then took advantage of the outgoing bandwidth of the cloud service provider – Amazon, in this case. A very undesirable situation.
If the IP address ranges of a public cloud service provider are linked to DDoS attacks, they risk ending up on blacklists, including those of corporate firewalls. The provider's customers may then have difficulty reaching those ranges, or even suffer outright unavailability.
The likelihood of such an incident happening across a public cloud service provider is low, but the impact, for both themselves and their customers, could be dramatic.
The risks of a DDoS attack in Cloud mode
Cloud service providers have large-scale DDoS protection systems for inbound traffic. They also monitor outgoing traffic and may even stop hosts involved in attacks. As it stands, this tends to protect these providers well against cloud DDoS attacks.
But shutting down a virtual machine is hardly desirable for its owner, since it makes the services hosted there unavailable. It is therefore in the customers' interest to secure and supervise their cloud hosts, themselves or via a third party.
Similarly, the owner of a virtual machine has no interest in being involved in a DDoS attack and ending up on a blacklist: this could result in loss of web or email services, for example, when tools designed to protect against malicious activity block the listed addresses.
Detect and prevent a DDoS attack in cloud mode
A number of reference best practices specifically aim to reduce the risk and impact of unwittingly participating in a DDoS attack.
Any cloud platform customer should have a well-configured egress firewall, which avoids the host having to shut down virtual machines that may be compromised. This filter can, for example, block outgoing NTP traffic, or outbound requests to an external web server beyond a certain threshold of connections per second. This firewall should also be supervised: it is one thing to block traffic with a firewall, quite another to find the real source within one's own infrastructure.
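To show what supervising such an egress filter looks like in practice, here is an added example (not from the original article) in Python: it replays constructed outbound flow records, flags VMs sending NTP to servers outside an assumed allowlist, and flags VMs exceeding an assumed per-second outbound connection threshold, so the real source inside the infrastructure can be identified rather than just blocked. The NTP allowlist address, the threshold and the log lines are all made up for the example.

```python
from collections import defaultdict

# Egress policy for the example (assumed values, not taken from the article).
NTP_ALLOWLIST = {"10.0.0.2"}   # constructed address of the provider's NTP service
CONN_PER_SEC_THRESHOLD = 50    # max new outbound flows per second per VM


def parse_flows(text):
    """Parse 'epoch src dst proto dport' lines into tuples; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return flows


def find_suspect_sources(flows, ntp_allowlist=NTP_ALLOWLIST,
                         threshold=CONN_PER_SEC_THRESHOLD):
    """Return {source VM: sorted reasons} for VMs that violate the egress policy."""
    reasons = defaultdict(set)
    per_second = defaultdict(int)          # (src, second) -> outbound flow count
    for ts, src, dst, proto, dport in flows:
        # Outbound NTP is only legitimate towards the approved time server.
        if proto == "udp" and dport == 123 and dst not in ntp_allowlist:
            reasons[src].add(f"ntp to unapproved server {dst}")
        per_second[(src, ts)] += 1
    for (src, ts), n in per_second.items():
        if n > threshold:
            reasons[src].add(f"{n} outbound flows at t={ts} (threshold {threshold})")
    return {src: sorted(r) for src, r in reasons.items()}


# Constructed sample log: one VM talking NTP to arbitrary hosts, one VM opening a
# burst of connections to a single web server, and one VM behaving normally.
SAMPLE_LOG = "\n".join(
    ["1700000000 10.0.1.10 198.51.100.7 udp 123",
     "1700000000 10.0.1.10 198.51.100.8 udp 123",
     "1700000000 10.0.1.11 10.0.0.2 udp 123",       # approved NTP server
     "1700000001 10.0.1.11 203.0.113.5 tcp 443"]
    + ["1700000002 10.0.1.12 192.0.2.20 tcp 80"] * 60
)

if __name__ == "__main__":
    for vm, why in find_suspect_sources(parse_flows(SAMPLE_LOG)).items():
        print(vm, "->", "; ".join(why))
```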
Outbound DDoS traffic is often associated with malware installed on one or more systems, which links them to a much larger botnet. And attackers can usually take complete control of compromised systems, which can lead to data theft or even extortion attempts. Malware detection on hosts and intrusion prevention are imperative for any system.
Products and services dedicated to fighting DDoS can also be used. This involves re-routing all incoming and outgoing traffic through these systems. With a third-party provider, however, the outgoing bandwidth of the cloud host would still be consumed by the machines participating in a DDoS attack. And with a dedicated cloud product, it is the host's incoming bandwidth that would continue to be consumed if one of its customers became the target of a DDoS attack. It is therefore important to study the method best suited to one's environment.
Finally, well-designed intrusion prevention or detection systems could detect malicious, or at least suspicious, traffic. This is not necessarily enough to identify DDoS-related traffic, but it can detect and block communications between malware and command and control centres, which is even better.
Unwittingly participating in a DDoS attack is a bad thing in any case. But the associated risks appear higher with public cloud hosting, and not just because of the attack itself: the customer's systems are likely to be shut down by the host, and the excessive consumption of resources could result in a steep bill. However, with the right security measures, most of these risks can be controlled. From there, the company can think about protecting itself from DDoS attacks targeting it.
About the author
DMTwebhosting.com’s Editorial Team prides itself on bringing you the latest web hosting news and the best web hosting articles!