DDoS Protection for the Cloud

The contributed piece below -- published in DatacenterDynamics from Darren Anstee of Arbor Networks -- is relevant to AIS and our customers.
Rest assured, we have MULTIPLE layers of security in place for DDoS and many other types of threats.
Please feel free to contact us if you would like to know more.
Emphasis in red added by me.
Brian Wood, VP Marketing

Protecting the Cloud from the DDoS Threat

DDoS is becoming deadly for the data center, says Darren Anstee, solutions architect team manager at Arbor Networks
Security threats are constantly evolving, and for most organizations keeping track of the ever-changing threat landscape is an ongoing challenge. However, this is becoming more important for Internet data center operators, as they are increasingly being targeted by all kinds of cyber-threats, one of the most significant being DDoS (Distributed Denial of Service) attacks.
DDoS attacks have grown in size, complexity and frequency over the past decade and many organizations are now being targeted. It’s not just high-profile, politically-connected organizations that are at risk. Any enterprise which uses the Internet to sell products, offer services or access cloud-based data and applications – which applies to almost any sector and size of business – can become a target because of who they are, what business they do, who they partner with or any other real or perceived affiliation. The range of motivations behind DDoS attacks has broadened considerably – ideological hacktivism, extortion, disguise of other cyber-crime, vandalism, use as a competitive weapon, etc. – and a broader range of motivations means increased risk to many businesses.
The latest Worldwide Infrastructure Security Report (WISR), authored by Arbor Networks and released in January 2013, provides a key insight into the threats that are out there and the ways in which we deal with them. The WISR is based on an annual survey of the broader operational security community, and is designed to bring together the observations, experiences and concerns of operational security professionals around the world. This year’s report reveals that nearly half of the respondents who operate Internet Data Centres now experience DDoS attacks, and 94% of those experience attacks regularly.
So why is this such a concern?
Internet data-centers represent a target-rich environment for attackers, and there has been a substantial increase in the proportion of WISR survey respondents who have seen attacks targeting their IDC infrastructure (61%, up from 33%) and ancillary service infrastructure (DNS etc., 42%, up from 16%), as well as the usual high proportion of respondents seeing attacks targeting data-center customers. Coupled with the increased frequency of attacks mentioned above, data-center operators are having to dedicate resources to deal with this growing issue – and the costs can be considerable.
This year’s report shows that 88% of WISR survey respondents operating data-centers incurred increased operational expenses in 2012 due to DDoS attacks, with 31% also experiencing customer churn – something every service provider seeks to avoid. DDoS attacks target service availability, and if a customer can’t access their data or application then it can seriously impact their ability to do business.
Attacks are increasingly targeting infrastructure within the data-center. This infrastructure is often shared between multiple customers, meaning an attack against one customer of a data-center can have an impact on many. Looking at this from the data-center customer’s perspective, there is an increased need to consider not only their own risk of attack, but also the risk of any other organization utilizing the same data-center services. Customers are increasingly looking for their data-center service provider to have DDoS protection solutions and services in place to mitigate these risks.
How to protect yourself from such attacks?
Security concerns around cloud-based services and shared data centers are now more valid than ever before, especially against the backdrop of increased legislation surrounding data protection and other government and corporate audit requirements. Data center operators should ensure that they adequately protect both the availability of their service(s) from the Internet, and the security of customer data and applications within the data-center.
With this in mind, data center operators must have a much greater understanding of their attack surface, as some threats, like DDoS attacks, require a different approach to security. The WISR shows a significant growth in the proportion of respondents using firewalls within their data centers as protection from DDoS attacks. While firewalls can offer protection from some DDoS attacks, they only provide a partial solution and can’t deal with more sophisticated application-layer attacks. To make matters worse, they can also be targeted either directly or indirectly by state-exhaustion attacks – in fact, 35% of data center service providers who responded to the survey saw their firewalls fail last year due to DDoS attacks.
A more comprehensive approach needs to be adopted; both in-cloud and on-premise DDoS mitigation solutions should be deployed. In-cloud protection is needed to address high-volume flood attacks which saturate data-center connectivity, and on-premise protection is needed to proactively detect and block more stealthy state-exhaustion or application-level attacks. The increase in the proportion of WISR survey respondents seeing what are known as multi-vector DDoS attacks (up from 32% in 2011 to 46% in 2012) reinforces the importance of this layered approach. Multi-vector attacks combine large volumetric attack vectors – aimed at causing link or network congestion – with application-layer attacks that target services directly.
Layered DDoS protection can allow data centers to protect the availability of their services. These days anyone can launch a sophisticated DDoS attack by hiring a botnet, or simply downloading freely available tools from the Internet. Appropriate protection can ensure the availability of data-center services, and can minimize the operational overhead of dealing with attacks – and minimize the chance of dissatisfied customers taking their business elsewhere.