Cloud users should validate vendor-based DDoS protection services
DDoS attacks continue to be a major source of concern for cloud security teams worldwide. Even though 97% of organizations already have DDoS defenses in place, eight in ten report they plan to increase these defenses in the coming year.(1) This is important because DDoS is increasingly accompanied by secondary attacks, such as malware activation, data theft, and ransomware. In addition, repeat attacks are common. One study found that 76% of organizations previously hit with a DDoS attack were attacked again within 12 months. Organizations of all sizes experience attacks and breaches, with no segment being spared.
Unfortunately, attacks continue to grow in size and complexity. There is a whole sub-market offering DDoS “services” (aka attack plans) to anyone willing to pay the affordable price. More work is obviously needed to keep organizations safe. Last year, IDG Research published research noting key security enhancements needed to keep up with the evolution of modern DDoS attacks.(3)
The most common DDoS attacks are those at the infrastructure layer. As organizations have shifted more workloads to cloud infrastructure, public cloud providers have become a prime target for attacks. Successful attacks on shared infrastructure can allow attackers to target multiple organizations and increase their payday. To mitigate DDoS attacks on their own infrastructure, large cloud providers use DDoS-resilient global architectures and monitoring systems that automatically detect and control traffic “floods.”(4)
Infrastructure attacks are also targeted at the virtual resources of cloud users. Cloud providers help their customers address this threat in two ways. First, they make it easier for customers to obtain the additional capacity needed to continue processing legitimate interactions during an attack. Second, they offer dedicated monitoring systems to help cloud users configure more effective DDoS protection policies.
Microsoft, for example, recently introduced a new Azure DDoS Protection service that provides protection by learning a cloud application’s normal traffic patterns and automatically mitigating an attack when one is detected. Subscribers also receive advanced telemetry and alerts relating to attacks carried out against the application. AWS and Google have similar offerings. All these solutions can be integrated with the provider’s web application firewall service, to further boost protection.
While this DDoS protection service will be compelling to many organizations, those that are particularly sensitive to disruption will want to take a proactive approach and validate that the service actually operates as described by their cloud vendor. No one wants to suffer an outage in order to find out their DDoS protection has a gap in its coverage. To prevent this, organizations should assume they will be targets and perform regular validation tests to understand the tolerance of their security systems.
Working in coordination with Microsoft, Ixia has now introduced a security validation solution that lets security teams safely simulate realistic DDoS attacks on their Azure cloud resources and measure how fast their systems detect and react to the situation. This type of testing helps teams optimize their response by letting them see the impact of configuration changes and tune their policies to reduce the time it takes to mitigate an attack. Ixia BreakingPoint Cloud Validation for Microsoft Azure DDoS Protection has been tested and approved by Microsoft.
The level of DDoS activity taking place every day across the internet shows no sign of decline. For this reason, every organization should ensure they are well prepared and put the best possible defensive strategies in place.