Why DDoS is More Dangerous for Cloud and Data Center Providers
Last week we continued our article series on DDoS protection in a connected world. This week we'll focus on how DDoS impacts the daily lives of data center professionals.
The reason for this is threefold:
As a result, various businesses (e.g., gaming, finance, etc.) need additional customized DDoS mitigation solutions that provide more comprehensive and efficient coverage. For example, Microsoft Azure is closing this gap by allowing customers to add inline DDoS protection through network virtual appliances (NVAs) available in the Azure marketplace. This is made possible by using Azure’s Gateway Load Balancer (LB) feature. The Gateway LB ensures that relevant NVAs are injected into the ingress path of the internet traffic as it heads toward Azure-hosted applications and services.
We’re now thinking beyond the traditional security parameters and focusing on new and emerging threats. However, there is a significant challenge we have to overcome. How do you know if you have a legacy or modern solution protecting you from DDoS?
DDoS: Legacy vs. Modern Protection
By nature, DDoS attacks are largely brute force; they are often perceived as crude. Legacy DDoS defense solutions were designed to protect network infrastructure from attacks, leaving legitimate users without a connection to the online resources they need. Maintaining service availability for users during a DDoS attack is the primary reason to deploy a DDoS protection solution. The solution has failed if legitimate users can’t access the necessary tools. The focus should be on legitimate users and protecting network infrastructure.
Remember, effective DDoS defenses must be precise, with the ability to intelligently distinguish legitimate users from attacking bots. Solutions that focus on strategies like Remote Triggered Black Hole (RTBH) and service-rate limiting to detect attacking botnets fall short because they are indiscriminate and can block access for legitimate users. Meanwhile, legacy DDoS defense solutions rely primarily on bits per second (BPS) and packets per second (PPS) thresholds to protect infrastructure.
Here’s the big question: how do you know if your solution is still legacy? Consider this checklist:
- Your DDoS solutions rely on RTBH and traffic shaping
- You are prone to false positives and false negatives
- You have too many screens to analyze and suffer from the ‘swivel chair analysis’ problem
- You lack actionable threat intelligence
- The solution is ineffective against sophisticated targeted network and application layer attacks
- You still require extensive manual, reactive analysis and intervention
That last point is key to understanding. We need to talk about automation and improved intelligence.
No organization has unlimited people or resources. Because of that, efficiency is imperative. Yet legacy DDoS defense requires a lot of manual intervention during wartime. It also involves a lot of people to resolve network challenges and takes away from other critical business and technology priorities.
This is unsustainable for any organization. Not only does a DDoS attack diminish availability, but it also takes people away from valuable work. Instead of working on tasks that benefit the business, people are pulled into a firefight.
Organizations need automated DDoS protection strategies that eliminate the manual intervention often required to defend against attacks. Leveraging automation based on pre-set policies maximizes effectiveness while minimizing the chances of false positives, thus preserving resources by keeping them focused on essential tasks and not battling DDoS.
Another critical point is creating a defensive DDoS strategy in your primary locations and at the edge.
DDoS Defense at the Data Center and Cloud Edge
To overcome legacy DDoS protection challenges, look for solutions that scale to defend against the DDoS of Things and traditional zombie botnets. Further, your solutions must detect DDoS attacks through high-resolution packets or flow-record analysis from edge routers and switches. Unlike outdated DDoS defense products, modern DDoS defenses include detection capabilities across crucial network elements, including application delivery controllers, load-balancers, virtual network services, and more. These capabilities provide the context, packet-level granularity, and visibility needed to thwart today’s sophisticated attacks.
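The contrast drawn above between threshold-triggered RTBH and flow-record analysis can be made concrete. The following is an added example, not code from the article or from any vendor product; the flow records, addresses, and both thresholds are constructed assumptions, and the RTBH model is a simplification of destination-based blackholing.

```python
from collections import defaultdict

# Constructed one-second flow records toward one service: (src, dst, packets).
# All addresses are documentation ranges; the thresholds are assumed values.
VICTIM = "203.0.113.10"
USERS = [f"198.51.100.{i}" for i in range(1, 21)]   # 20 legitimate clients
BOTS = [f"192.0.2.{i}" for i in range(1, 6)]        # 5 flooding sources
FLOWS = [(u, VICTIM, 40) for u in USERS] + [(b, VICTIM, 5000) for b in BOTS]

PPS_THRESHOLD = 10_000    # aggregate packets/s per destination (legacy trigger)
PER_SOURCE_LIMIT = 500    # packets/s one source may send to one destination


def rtbh_dropped(flows, threshold=PPS_THRESHOLD):
    """Simplified destination-based RTBH: once aggregate PPS to a destination
    crosses the threshold, every source talking to it is dropped."""
    pps = defaultdict(int)
    for _, dst, pkts in flows:
        pps[dst] += pkts
    blackholed = {dst for dst, total in pps.items() if total > threshold}
    return {src for src, dst, _ in flows if dst in blackholed}


def per_source_dropped(flows, limit=PER_SOURCE_LIMIT):
    """Flow-record analysis: drop only sources whose own rate toward a
    destination exceeds the per-source limit."""
    rate = defaultdict(int)
    for src, dst, pkts in flows:
        rate[(src, dst)] += pkts
    return {src for (src, _), total in rate.items() if total > limit}


def collateral(dropped, legitimate=USERS):
    """Number of known-legitimate sources caught by a mitigation decision."""
    return len(dropped & set(legitimate))


if __name__ == "__main__":
    for name, decide in (("RTBH", rtbh_dropped), ("per-source", per_source_dropped)):
        dropped = decide(FLOWS)
        print(f"{name}: dropped {len(dropped)} sources, "
              f"{collateral(dropped)} of them legitimate")
```

On this sample the aggregate trigger cuts off all 20 legitimate clients along with the 5 flooding sources, while the per-source decision drops only the 5.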
Download the entire special report, The Security Gap: DDoS Protection in a Connected World, featuring A10, to learn more. In our next article, we’ll shift our focus from experiencing these attacks to defending against them.
