Recently, the JNS team was consulted to provide a DDoS risk assessment for a high-profile client. The client has a mixed environment of cloud-based virtual systems on Amazon Web Services and physical systems at a managed hosting provider. Multiple areas of risk were discovered, and mitigation strategies were presented to address them. This post briefly discusses the most common DDoS mitigation strategies (there are many others). If you are experiencing a DDoS attack, or would like assistance in formulating a strategy to protect your site, please contact JNS.
Strategy #1 – Hide Behind Your CDN
Clients with limited resources and a pre-existing contract with a content distribution network (CDN) often use this strategy. The basis for this mitigation strategy is to conceal the client’s modest web server resources behind the much larger resources of a CDN provider. This strategy requires that all resources (static and dynamic) be served through the CDN. Services that do this include Akamai’s Dynamic Site Accelerator product and Edgecast’s Application Delivery Network. Because the CDN acts as a proxy, this mitigation strategy is well suited to stopping many layer 3/4 attacks including ICMP/UDP floods, SYN floods, Slowloris attacks, and connection exhaustion attacks. This strategy will not protect against targeted layer 7 application attacks, as the CDN will simply pass them through to the underlying client servers.
Strategy #2 – Auto-scale in the Cloud
Many clients operating in the cloud attempt to mitigate a DDoS attack using the scale-out capabilities inherent in most cloud services. The basis for this mitigation strategy is to automatically expand the client’s cloud resources to match any increase in demand, whether it comes from legitimate requests or attack traffic. This strategy is particularly appealing as it requires minimal changes to the client infrastructure. The caveat of this strategy is that all components of the environment must auto-scale. This is often difficult or impossible to do with relational database components, which leaves any database-driven resource susceptible to DDoS attacks.
Strategy #3 – DDoS Hardware Mitigation Solutions
For clients with control of their own servers and networks, dedicated DDoS mitigation hardware is often the first solution that comes to mind. If a client’s infrastructure is large enough, this provides excellent DDoS mitigation. However, recent DDoS attacks can often exceed 50 Gbps of traffic, requiring substantial network resources to absorb the attack and let the mitigation hardware do its job. Hardware solutions are capable of mitigating virtually all attacks, provided that the network can withstand the traffic volume.
Strategy #4 – Dedicated Mitigation Services
Mitigation services provided by companies like Prolexic and Verisign offer a solution that allows the client to outsource DDoS mitigation to a purpose-built mitigation network. These services often work in one of two ways. The first is a proxy-based service that, with a simple DNS change, directs all traffic through the mitigation network. The traffic is filtered, and the clean traffic is then proxied through to the client systems. The second method involves the creation of GRE tunnels between the mitigation vendor’s network and the client’s infrastructure. During an attack, the client alters its BGP announcements to force all traffic destined for its network to pass through the mitigation network. The mitigation network cleans the traffic and then passes it along to the client’s network via the GRE tunnels. This strategy is capable of handling virtually all attacks, including layer 7 application attacks. The largest mitigation vendors have the capacity to handle in excess of 500 Gbps of attack traffic.