Why Cloud-based and ISP-based Scrubbing Alone Are Inadequate.
On occasion, the topic of DDoS defense has come up and invariably goes to, “Why can’t organizations rely on ISP and cloud scrubbing services to protect themselves from DDoS attacks?” The conversation also rolls over to, “Why can’t organizations rely on on-premises solutions to protect themselves from DDoS attacks?” The latter is usually asked by someone who is a novice in the field, but both are valid questions. The true answer lies with a combination defense or, to coin a common security phrase, “defense-in-depth.”
First of all, we cannot rely solely upon on-premises solutions because of the volumetric aspects of DDoS attacks. Most organizations cannot deal with multi-Gbps attacks because their connection lines will fill up, and then, game over. If they are using a CDN to help deal with the attack, then the attackers need only rotate the pages they are requesting to make caching in the CDN ineffectual because they are not requesting cached data. However, this is not to say that on-site defenses are not valid or viable. They have their place and are quite useful. I will come back to that later in the blog.
Now to the larger question of, what about using a cloud-based or ISP-based scrubbing solution and why are they generally inadequate by themselves?
First let’s look at ISP-based scrubbing. Excluding those ISPs that have third-party contracts with cloud providers and are therefore performing scrubbing services-in house via their own infrastructure, the first issue is the capacity of those providers varies greatly depending upon which one is used. If users are unlucky enough to be on an area of the backbone that is already near capacity or connected through a peer relationship from a smaller provider to a larger provider that area of the backbone is guaranteed to be overwhelmed when a volumetric DDoS attack hits.
Additionally, even if the provider is able to handle the volume overall, if the performance impact to the other customers in the target’s network segment becomes sufficient, based on the providers internal metrics, the ISP reserves the right to protect the other customers, which generally means all of the traffic that could be DDoS is routed into a DNS black hole at the closest ingress or peering point the ISP maintains. The issue with that is, with the diversity of IP address across mobile and conventional devices, legitimate business traffic is guaranteed to get caught in the filtering. ISP’s are built to route packets from A to B. They are not generally equipped to scrutinize packets to identify application-based, multi-vector, and other more sophisticated attacks. Many enterprises use multiple ISPs and in these instances the challenge of detecting and mitigating DDoS attacks adds another layer of complexity and vulnerability to ISP based only DDoS protection.
Second, while no one will argue that the major cloud-based scrubbing vendors have the capacity to deal with huge volumes of traffic and in fact those educated in the area of DDoS wholly support the use of those cloud services for bulk defense, most if not all of the experts not affiliated with a cloud service will agree that they often have limitation in other areas. One of the largest difficulties they have is discerning between legitimate traffic and application level DDoS attack traffic. Application DDoS traffic does not rely on the brute force of volumetric DDoS, but more finesse centered on how the application receives and processes data. By targeting weak points in the application design or the implementation architecture, a devastating result can be achieved with far less traffic that in many cases falls below levels that would trigger detection and response from a cloud service.
Without advanced IP-agnostic technologies neither an ISP nor a cloud vendor will be equipped to deal with Dynamic IP and bot attacks. This puts customers subscribing to those services for embedded DDoS protection at a significant disadvantage.
So where does that leave organizations threatened by or concerned about DDoS attacks? It leaves them looking at a hybrid solution. The ISP or cloud-based service is carefully chosen to meet the organization’s needs to provide the bulk filtering and then the on-premises solution is implemented to identify and filter the targeted attacks such as multi-vector/blended, application, encryption, dynamic IP and Bot attacks. With 35% of DDoS attack victims being targeted with encryption-based attacks and 37% being targeted with and ransom-based motives, customers relying on DDoS protection services not specifically designed to address the breadth of attacks being delivered will be at a significant disadvantage.
In this defense-in-depth strategy, premier cloud and ISP contracted services will filter out the large volumes, should they exist, using best practice techniques while the on-premises filtering finely scrutinizes the multi-vector, application, encryption, ransom, dynamic and bot –based attack traffic to allow the real business traffic to continue with little to no interruption in business. Even better is if/when the on-premises and the cloud service can communicate to improve each other’s filtering capabilities. This is a cutting edge “bonus” feature so the cloud service can be made aware of the start of a DDoS attack by the on-premises solution to initiate filtering before the traffic hits critical levels. In application attacks, the on-premises solution can send the cloud service information concerning the application and encrypted DDoS attack traffic it identifies so that the cloud can stop more bad traffic further from the target’s network.