“Cloud Services” are a wide range of services delivered on demand to organizations over the internet, designed to provide easy and affordable access to applications and resources without the need for internal infrastructure or hardware. There are three basic types of cloud services. Software as a Service (SaaS) is the most recognized and a very broad category on its own, encompassing a variety of services such as file storage and backup and project management tools, among many others. Platform as a Service (PaaS) is a model where a third-party provider delivers hardware and software tools to developers over the internet. Many vendors who supply PaaS services will also supply the type of cloud service most relevant to the DDoS threat: IaaS.
Infrastructure as a Service (IaaS) provides what it promises in its name: the infrastructure that eliminates the need for on-site installations. As part of their offering, these providers promise extensive cyber defense services, including WAFs, CDNs, and DDoS protection-related services. Among the well-known IaaS providers are Amazon Web Services (AWS), Microsoft Azure, IBM Cloud Rate, and Google Compute Engine. While cloud services give users a convenient way to consume resources, thanks to the pay-per-usage model and the ease of access, they also have significant drawbacks when it comes to DDoS security. It is true that cloud services can save a lot of time and budget, but despite those benefits, cloud services are highly vulnerable to DDoS threats, as Layer 7 DDoS attacks are evolving and becoming more sophisticated and malicious.
Why are DDoS attacks so dangerous for Cloud Services?
DDoS attacks rely on multiple machines to overwhelm the target with many data packets, with the main purpose of shutting down service availability and disrupting the customer experience. As many organizations move to the cloud and become dependent on cloud services for their business continuity, DDoS cloud protection is one of the key elements that must be in place for an organization to operate safely. But there is a severe problem with DDoS protection in the cloud. A typical cloud infrastructure includes several servers operating virtual machines. Those machines will sometimes operate in a “Scale-Up” scenario, also referred to as “Auto Expansion”, which means that whenever a service is reaching peak utilization, another machine steps in to handle the workload. This mechanism is used for both operations and cyber defense purposes. But DDoS attackers exploit this mechanism to carry out their attacks in several ways.
DDoS attacks can overwhelm the entire virtual network of machines, attackers can plant Trojans in insecure machines behind the target web services, machines can be “recruited” into a “bot army”, and more. Like most mitigation vendors, cloud service providers offer adequate DDoS protection at layers 3 and 4, and layer 7 DDoS protection has proven to be a challenge for them. It is virtually impossible for such vendors and service providers to test their DDoS protection layers without shutting down their networks and the client’s services. Red team tests, which are the most effective means at their disposal, are a disruptive and limited process that will only uncover a fraction of the actual DDoS vulnerability.
On-site networks require constant configuration of layer 3 and 4 DDoS protection, and there are several ways to achieve that. But layer 7 DDoS protection requires even more configuration due to the sheer volume of updates and internet protocols. In addition, Account Takeover Prevention (ATP), which is a security standard for cloud services protection, is not effective against DDoS attacks because it detects potentially unauthorized access, is rarely updated, and is mainly used for protection against DoS attacks. Layer 7 DDoS readiness requires customization per specific attack surface, and it is simply impossible to configure layer 7 defense layers at the desired rate using standard practices. This leaves any organization that uses cloud services for IaaS extremely vulnerable to a DDoS attack, and the statistics don’t lie. The attack will eventually happen.
Approximately 23,000 DDoS attacks occur somewhere on the internet every 24 hours, and in 2022, roughly 10 million DDoS attacks were launched. Layer 7 DDoS protection requires a lot of configuration, and misconfigurations will cause damage, both to the network’s resilience and to business continuity. Over 13% of cyber breaches in the cloud are caused by human misconfigurations, and that is a high price to pay.
What can organizations do to have DDoS cloud protection?
If there is no cloud-based DDoS protection system in place, a DDoS attack will result in denial of service, which causes major trouble for service availability on the end-client side. For the target itself, the flooding will raise the cloud usage bill drastically, resulting in massive monetary losses and reputational damage. So, when a client is using one of the leading cloud services providers, such as Azure or AWS, what can they expect in terms of DDoS protection? In most cases, the cloud services provider will not disclose their full protection protocols, but all cloud providers have a feature similar to an Access Control List (ACL). The ACL allows or denies specific traffic at layers 3 and 4, but many organizations open up these ACLs to the public internet. As a result, the ACLs expose their own cloud environment, rendering it vulnerable.
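The ACL misconfiguration described above is something a defender can check for mechanically. The following is an added example, not code from the original article or from any cloud provider's tooling: it audits a list of layer 3/4 ingress rules and flags any rule whose source range is the whole internet. The rule records and their field names (`direction`, `protocol`, `port_from`, `port_to`, `cidr`) are a constructed, provider-neutral shape assumed for the example; a real audit would map a provider's security group or network ACL export onto it. The protocol value `"-1"` is assumed here to mean "all protocols", following the common convention.

```python
import ipaddress

# Constructed sample rules for the example (not taken from any real account).
# r1: HTTPS open to the world, which is expected for a public web front end.
# r2: SSH open to the world, a classic ACL mistake.
# r3: every protocol and port open to the world, the worst case.
# r4: database port restricted to a private range, fine.
# r5: egress rule, out of scope for an ingress audit.
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "protocol": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
    {"id": "r2", "direction": "ingress", "protocol": "tcp", "port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"},
    {"id": "r3", "direction": "ingress", "protocol": "-1", "port_from": 0, "port_to": 65535, "cidr": "::/0"},
    {"id": "r4", "direction": "ingress", "protocol": "tcp", "port_from": 5432, "port_to": 5432, "cidr": "10.0.0.0/8"},
    {"id": "r5", "direction": "egress", "protocol": "-1", "port_from": 0, "port_to": 65535, "cidr": "0.0.0.0/0"},
]

# Ports that are legitimately internet-facing on a web front end (assumption for the example).
PUBLIC_SERVICE_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """True when the CIDR covers the whole IPv4 or IPv6 address space (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule_id, severity, message) tuples for ingress rules open to the public internet.

    Severity "info" marks the expected public web ports so an operator can confirm they sit
    behind the CDN/scrubbing path; everything else open to the world is "high".
    """
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or not is_world_open(rule["cidr"]):
            continue
        if rule["protocol"] == "-1":
            findings.append((rule["id"], "high", "all protocols and ports open to the internet"))
        elif rule["port_from"] == rule["port_to"] and rule["port_from"] in PUBLIC_SERVICE_PORTS:
            findings.append((rule["id"], "info",
                             f"public web port {rule['port_from']} exposed; confirm it is fronted by CDN/scrubbing"))
        else:
            findings.append((rule["id"], "high",
                             f"ports {rule['port_from']}-{rule['port_to']}/{rule['protocol']} open to the internet"))
    return findings


if __name__ == "__main__":
    for rule_id, severity, message in audit_rules(SAMPLE_RULES):
        print(f"{rule_id}: [{severity}] {message}")
```

Run against the sample rules, the audit reports r1 as informational and r2 and r3 as high, and stays silent on the private-range and egress rules. The point is not that port 443 should be closed, but that the only world-open ingress should be the small set of ports the CDN or scrubbing center is expected to front.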
Scrubbing centers are the baseline for layer 7 DDoS protection and are usually accompanied by CDNs, which help distribute traffic across multiple servers, making it more difficult for a DDoS attack to overwhelm a network. But CDNs are not enough: experienced attackers will dig up a machine’s IP in the cloud and be able to exploit it to their advantage, rendering the CDN a reactive measure. WAFs are also reactive and can only block known attack vectors against known vulnerabilities. WAFs must be configured to tell the difference between malicious traffic and normal expected traffic, which is essential to mitigate the DDoS threat. Because a successful DDoS attack is the one that targeted the unknown vulnerability, CDNs and WAFs are simply not enough.
That leaves the ultimate reactive step, which is the response to a DDoS attack. Response teams are costly, and they will not prevent the attack but try to remediate the damaged network after the fact. By then, clients have been denied service, monetary losses have occurred, and reputational damage has already happened. The only way to be DDoS resilient when using cloud IaaS services is to be proactive before the attack arrives. RADAR™ is the only solution that visualizes and measures every layer of DDoS security, allowing cybersecurity teams to take a focused proactive approach. By closing the DDoS remediation loop from insight to action and working with the mitigation vendors and cloud services providers, RADAR provides visibility into misconfigurations and prioritizes a remediation plan and validation efforts.
Cloud services users purchase plans that guarantee DDoS protection, and the common misconception is that if one machine is hit with a DDoS attack, another machine takes its place, thus keeping business continuity. But auto-expansion is not DDoS protection, and typical solutions are not enough and cannot sustain the overwhelming traffic of multi-vector DDoS attacks, such as reflection attacks. To ensure business continuity and remain DDoS resilient, an organization must have complete visibility into its dynamic DDoS attack surface vulnerabilities through continuous and non-disruptive DDoS testing. Once they have that insight and have remediated the existing gaps in their mitigation and defenses, organizations can maximize their ROI on mitigation and services and be confident that they have done the best they can to provide the best services or products they can.
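To make concrete what “telling the difference between malicious traffic and normal expected traffic” means for a layer 7 defense, here is an added example that is not part of the original article or of the vendor's product: a sliding-window request-rate detector run over constructed web server access log lines in the common combined-log format. The window length, the per-client threshold and the sample client addresses are assumptions chosen for the illustration. It also shows the limit the article points at: a per-client threshold catches one noisy source, but a flood spread thinly across many sources stays below it, which is why a rate rule alone is a reactive and partial control.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one access log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_s: int = 10, max_per_client: int = 20):
    """Flag client IPs whose request count inside any `window_s`-second window exceeds `max_per_client`.

    Returns a dict mapping flagged IP -> peak number of requests seen inside one window.
    Assumes the log is in time order per client (it is for a single server's log).
    """
    windows = defaultdict(deque)  # ip -> timestamps of recent requests
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the trailing window.
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_per_client:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _log_line(ip: str, ts: datetime, path: str, status: int) -> str:
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" {status} 512'


def build_sample_log():
    """Constructed sample log: one normal browsing client and one client hammering a search endpoint."""
    base = datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Normal client (documentation range 203.0.113.0/24): 5 page views spread over 48 seconds.
    for i in range(5):
        lines.append(_log_line("203.0.113.5", base + timedelta(seconds=12 * i), "/index.html", 200))
    # Flooding client (documentation range 198.51.100.0/24): 60 requests in 6 seconds.
    for i in range(60):
        lines.append(_log_line("198.51.100.77", base + timedelta(milliseconds=100 * i), "/search?q=x", 200))
    # A line in an unexpected format, to show the parser skips rather than crashes.
    lines.append("malformed entry that is not a log line")
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(build_sample_log()).items():
        print(f"{ip}: {peak} requests inside a 10s window, threshold 20")
```

On the constructed log the detector flags only 198.51.100.77 with a peak of 60 requests in the window, while the normal client never exceeds one request per window. If the same 60 requests were spread across 60 sources, none would cross the threshold, which is the gap the article attributes to CDNs and WAFs alone; a scrubbing center or behavioural baseline has to look at aggregate volume and request cost, not just per-source rate.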