David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
Let’s face it. DDoS are the big, fat, scary bully of the Internet. When organizations have sufficiently tight security or a would-be attacker doesn’t have the skills to overcome a target’s security, he or she can buy capacity on a bot-net or other delivery vehicle and slam packets from all over the world at the target’s site and application(s).
Without the proper protections, the target is at the mercy of the attacker and his or her budget. However, with the proper protections, the target, now defender, has the opportunity to respond quickly and ride out the storm. The issue is, what are the proper protections? That depends a little on what type of DDoS the target experiences. There are several types of DDoS attacks including volumetric, resource starvation, and application. (For more description on these types of attacks, see my previous Radware guest blog here.)
In this blog, I want to focus on a technique that has been maturing in recent years, providing excellent results for DDoS defenders. The technique is referred to as “Application Signaling,” “Cloud Signaling,” or in some cases just “Signaling.” The nomenclature variations are primarily vendor-driven for product or service differentiation but work to deliver the same end result: better DDoS mitigation.
This feature or service is a key step in the evolution of DDoS protection because it is the early warning system. For organizations that have a fully cloud-based scrubbing solution that monitors all of their traffic continually, they can respond quickly and can be very effective, but also very costly. The more traffic you generate, the more traffic they monitor, and the more expensive it can be. On the other side of the equation, if a defender is using an all on-premises solution, even if the solution can handle the scrubbing, most likely the DDoS will congest communications, Internet, and connection between the ISP/service provider and their data center to the point that service is affected anyway. The other issue is engaging a service provider to begin scrubbing can be fraught with delays, further exacerbating the business, customer, and revenue impacts.
Signaling is a means to efficiently bridge an on-premises data center protection solution to a cloud-based scrubbing center. Signaling is used to accelerate response timing and effectiveness helping to ensure the availability of data center infrastructures and applications during DDoS attacks.
To provide the best signaling intelligence between the site and the cloud the defense systems must share key information such as:
- Health information of internet link capacity (% utilization)
- Health information of information security & critical IT assets themselves (% CPU)
- Current Attack Information (Type, Bandwidth, Telemetry)
- Current Effective / Ineffective Defense(s) (e.g. signatures, challenges, etc.)
Each of these pieces of data are crucial intelligence for optimizing scrubbing of the attack packets while optimizing receipt of the desired business information.
Today, volumetric DDoS attacks can be detected by operations staff, but they still take time. Most times when attacks occur, systems and application administrators start by troubleshooting the system or application that appears to be having trouble, and after they work their way back they determine that the problem is a DDoS. This takes time and delays resolution. With signaling enabled, the DDoS defense systems in the data center identifies the attack much faster and can be configured to either alert the operators or automatically trigger a signal to the infrastructure of their service provider's network to activate and mitigate the attack. A volumetric DDoS attack would be significantly diminished or removed altogether from the data center's access links, restoring service well before administrators could troubleshoot and manually isolate the problem.
Application and resource starvation DDoS attacks attempt to degrade the Internet-facing applications and their supporting processing, database, and distributed storage components. In the most insidious cases, resource and application-level attacks may cause an application server to stop processing new requests because all of its open ports are engaged waiting for client data. This stops real customer requests from being processed. By creating a simple feedback loop that connects the premises to the cloud service center, defenders can stop targeted application attacks.
Because bot-nets can be rented relatively cheaply to deliver a large amount of traffic to the target, the economies of scale for DDoS are on the side of the attacker. Using signaling to accelerate response and provide clean traffic with minimal service impact and reduced ongoing data loss begins to move the indicator away from the attacker. If the defender feels little to no impact of a funded DDoS attack, the attackers will not see the value and find another means to their ends.
Radware offers these defensive capabilities by integrating its cloud scrubbing center with its on-premises solutions, thus accelerating comprehensive detection and mitigation of all forms of DDoS attacks.