Of the hundreds of millions of individuals and corporations across the globe who own desktops, notebooks and mobile devices, only a small percentage of people understand how they work beyond operating the applications they commonly use. These devices are tools used to perform a task and do not require you to understand their inner workings to perform those tasks. Most drivers do not understand how the engine in their gas-powered car or the AC induction motor in their electric vehicle works, and they do not have to. That abstraction of how the tool works is what makes it usable for productive tasks.
A large share of these devices run outdated operating systems, Windows and Android among them, with myriad known security problems. The onus is on the user to keep the device and any security software updated. Often, the user is prompted to perform these tasks at the most inconvenient times, such as when the user is busy or lacks the funds to pay for an upgrade or a subscription renewal for the security software. The prompts are viewed by many users as nagging, are easily dismissed and are ultimately disabled. At some point down the line, the user is fooled into executing code via a well-crafted email with disguised hyperlinks or any number of other nefarious means, and their system comes under the silent control of individuals or organizations who will use the device to perform whatever tasks they choose.
Origins of a Denial-of-Service Attack
One of the most common tasks the compromised computer is commanded to perform is generating traffic to a website in order to take it offline, all in the background, unseen by the user. The careful cybercriminal throttles the malware to avoid detection, never consuming so much of the user's bandwidth or system resources that the machine noticeably slows down. The user would have to know where to look to detect this, and probably will not be motivated to as long as the software causes no problems for them. The attack does not come from a single system but from thousands or millions of such compromised systems (a botnet), nearly simultaneously.
The software either makes ordinary-looking web requests (OSI Layer 7) or sends raw network packets such as UDP or TCP SYN floods (Layers 3 and 4) to the website, or to ancillary services required for users to reach the website, such as DNS. Taken individually, what arrives looks to most security software or hardware protecting the website like normal traffic or simply unsuccessful connection attempts. In aggregate, however, the website soon becomes unavailable because some part of the infrastructure can no longer handle the sheer number of simultaneous requests. It could be the router, the firewall, the web servers or the database servers behind the web servers; any one of these points can become overwhelmed, making the service it provides unavailable. As a result, legitimate users of the website are denied service. This is called a distributed denial of service (DDoS) attack.
Typically, for an organization without dedicated protection, the only means of mitigating a DDoS attack is to plead with your internet provider to apply their tools and expertise and to work with their even larger upstream providers to block the offending traffic. At some point the attack stops, because the attackers wish to avoid being traced or realize the traffic is being blocked by the providers and the attack is no longer effective. Unfortunately, there is no service-level agreement on these countermeasures, and the site and infrastructure can remain unavailable for days or weeks. The more effective attacks are coupled with extortion demands: pay up and the onslaught ends.
Defending Against DDoS Attacks
Any business choosing to host a publicly available site or application on its own systems and telecommunications infrastructure would be severely impacted by a DDoS attack without some third-party protection. Not only would the site be unavailable, but the organization's entire internet connection would be unusable. While locally installable appliances exist to help with small-scale attacks, they cannot absorb a massive DDoS, because the flood saturates the upstream link before it ever reaches the appliance. Third-party services, such as Incapsula from Imperva, direct all public traffic to their hyperscale infrastructure first (typically by pointing the site's DNS at the provider), and connections reach your infrastructure only from the provider after passing through its Web Application Firewall (WAF) systems. For this to work, your origin must accept connections only from the provider's address ranges; otherwise an attacker who learns the origin IP simply bypasses the protection. These services can be costly when protecting against large-scale attacks.
WAF systems provide a deeper level of inspection of traffic to a public web application, blocking malformed or abusive requests before they consume resources on the web application infrastructure. In effect, using such a third-party service puts the public face of your business into a hyperscale cloud, even if your website or application is hosted locally.
When a business chooses to host its site or application in a hyperscale cloud such as Azure or AWS, various services are available to combat DDoS. The provider's infrastructure is massive, and it absorbs and mitigates attacks that would threaten its platform at large, but the specific resources you pay for (your instances, load balancers and databases) can still be overwhelmed, and again, unavailability of your site or application is the result.
For AWS-hosted sites and applications, AWS Shield is available, which integrates Layer 3 and Layer 4 protection with AWS's Layer 7 WAF technology. To be most effective, the website or application designers should provide input to create rules in the application firewall, since they know what legitimate traffic looks like. Like most WAFs, AWS WAF lets rules run in a count-only mode for a time, logging what would have matched without blocking anything, so that the traffic can be characterized and rules (including rate-based rules that limit requests per source IP) tuned with that data before enforcement is turned on. AWS Shield Standard is enabled automatically for all AWS customers at no additional charge; AWS WAF itself is billed separately. AWS also provides AWS Shield Advanced for an additional charge, which includes the WAF fees for protected resources and additional protections. AWS Shield Advanced includes the Shield Standard features but adds help from AWS engineers in creating WAF rules, access to a managed DDoS response team, reporting on Layer 3 and Layer 4 attacks, additional reporting on Layer 7 attacks, reimbursement of DDoS-related resource usage charges, dynamic capacity increases to help mitigate attacks, and incident management.
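The two paragraphs above describe what a Layer 7 flood looks like in aggregate and how a WAF rate-based rule is first run in count mode and then switched to blocking. The following is an added example, not code from the original article, AWS or any WAF product: a sliding-window per-source rate rule replayed over constructed Common Log Format access lines. The log lines, IP addresses (from the documentation ranges), the 30-requests-per-20-seconds threshold and the two bot profiles are all assumptions made for illustration.

```python
"""Layer 7 flood detection with a per-source rate rule, modelled on how a WAF
rate-based rule behaves.  Everything here is constructed for illustration: the
access log lines are synthetic, the limit and window are arbitrary, and this is
not the implementation of AWS WAF or any other product."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Common Log Format: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
BASE = datetime(2017, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # arbitrary start time


def fmt_line(ip, ts, path, status=200):
    """Render one constructed access log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'


def make_sample_log():
    """Constructed traffic: three ordinary visitors plus two flood sources.

    Bot A sends one request per second, bot B two per second against an
    expensive endpoint.  Sub-second timing is lost, as in real CLF logs."""
    events = []
    for i in range(20):  # visitors: one page every 3 s, staggered by a second
        for n, ip in enumerate(("203.0.113.10", "203.0.113.11", "198.51.100.7")):
            events.append((BASE + timedelta(seconds=3 * i + n), ip, f"/page/{i}"))
    for i in range(60):  # bot A: 1 req/s for 60 s
        events.append((BASE + timedelta(seconds=i), "192.0.2.50", "/search?q=x"))
    for i in range(120):  # bot B: 2 req/s for 60 s
        events.append((BASE + timedelta(milliseconds=500 * i), "192.0.2.51", "/api/report"))
    events.sort()
    return [fmt_line(ip, ts, path) for ts, ip, path in events]


def parse_line(line):
    """Parse a CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


class RateRule:
    """Sliding-window request counter keyed by source IP.

    mode="count" records which sources exceed the limit but lets every request
    through (the observe phase used to tune a threshold before enforcing it);
    mode="block" rejects requests from a source while it is over the limit.
    Blocked requests still count toward the window, as they do in real WAFs."""

    def __init__(self, limit, window_seconds, mode="count"):
        if mode not in ("count", "block"):
            raise ValueError("mode must be 'count' or 'block'")
        self.limit, self.mode = limit, mode
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.first_exceeded = {}         # ip -> ts at which it first went over

    def evaluate(self, req):
        """Return 'ALLOW', 'COUNT' or 'BLOCK' for one request (fed in time order)."""
        q = self.hits[req["ip"]]
        q.append(req["ts"])
        cutoff = req["ts"] - self.window
        while q and q[0] < cutoff:       # drop hits that fell out of the window
            q.popleft()
        if len(q) <= self.limit:
            return "ALLOW"
        self.first_exceeded.setdefault(req["ip"], req["ts"])
        return "BLOCK" if self.mode == "block" else "COUNT"


def run_rule(lines, limit, window_seconds, mode="count"):
    """Replay log lines through a RateRule and summarise what it would have done."""
    reqs = [r for r in map(parse_line, lines) if r is not None]
    reqs.sort(key=lambda r: r["ts"])  # the rule assumes time order
    rule = RateRule(limit, window_seconds, mode)
    decisions = Counter(rule.evaluate(r) for r in reqs)
    start = reqs[0]["ts"] if reqs else None
    first = {ip: (ts - start).total_seconds() for ip, ts in rule.first_exceeded.items()}
    return {"requests": len(reqs), "decisions": dict(decisions), "first_exceeded": first}


if __name__ == "__main__":
    log = make_sample_log()
    # Observe first: which sources would a 30-requests-per-20-seconds rule hit?
    print(run_rule(log, limit=30, window_seconds=20, mode="count"))
    # Then enforce the same threshold.
    print(run_rule(log, limit=30, window_seconds=20, mode="block"))
```

Running it shows the caveat the article hints at when it says attackers throttle their malware: bot B, at two requests per second, trips the rule 15 seconds in and has 90 of its 120 requests flagged, while bot A, at one request per second, never exceeds 30 requests in any 20-second window and sails through along with the real visitors. A per-source rate limit catches only the noisy members of a botnet; the quiet ones are why the aggregate still has to be absorbed by capacity, and why a threshold that is tightened to catch them will also start blocking legitimate users behind a shared NAT address.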
At the time of writing, Microsoft's Azure hyperscale cloud does not offer a customer-facing DDoS protection service comparable to AWS Shield. Its platform infrastructure is protected with various DDoS protection technologies, and, in general, Microsoft takes a holistic approach to security, recommending patching and anti-malware add-ons for virtual machines. Partners such as CloudFlare and the aforementioned Imperva Incapsula fill the gap and provide AWS Shield-like protections for your web applications and sites.
The hyperscale providers are the best place to host your public-facing websites and applications if DDoS mitigation is a concern. Through sheer size, resources and DDoS protection products, your sites and applications stand a chance against a DDoS attack there, whereas they would be completely buried on the kind of local infrastructure most companies can afford.
Learn more about CDW’s cloud solutions and services.