In part 1 of this article, we examined the continued increase in the frequency and magnitude of distributed denial-of-service (DDoS) attacks, the growing potential for collateral damage at the datacenter and regional network level, and the trend toward multi-vector DDoS attacks. We will now explore why a “defence-in-depth” approach is necessary to protect your business-critical website from both infrastructure-level and application-level DDoS attacks.
To avoid direct or collateral damage from even a modest DDoS attack, you need a highly scalable and robust multi-origin hosting infrastructure. In other words, you need global edge routing and caching services (e.g. Akamai) to deflect infrastructure-level (Layer 3 and 4) attacks and to dissipate application-level (Layer 7) attacks, by serving requests for cached content directly from the edge and distributing the remaining valid http/s requests between multiple geo-distributed hosting origins.
A global edge network shields your hosting origin(s) in a number of ways. First, an edge network significantly reduces the “attack surface” of your site by eliminating any direct path of attack on your hosting origin(s). This is done by masking your origin IP(s) and firewalling out any traffic that does not originate from the edge network. Without the ability to reach your origin directly, low-level network attacks (e.g. DNS, SYN, ACK and ICMP-type DDoS attacks) will fail: they are deflected by the edge network, which only forwards valid http/s requests. This is very significant because, according to Prolexic’s Q1 2013 report, approximately 75% of all DDoS attacks are infrastructure-level attacks that would be fully deflected by the edge network. See Figure E [8] for a breakdown of attack types and their relative frequency.
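The origin-side half of this arrangement is the part you control: once the origin IP is hidden behind the edge, the origin must still refuse anything that arrives by a path other than the edge network. The following Python example, added here and not taken from the article or from any provider's software, shows an admission check that an origin web tier could apply to each connection. The edge address ranges, the header name and the secret are constructed placeholders; a real deployment loads the provider's published forwarding ranges and its own shared secret.

```python
import hmac
import ipaddress
from typing import Dict, Tuple

# Constructed placeholder ranges standing in for the edge network's forwarding
# addresses (RFC 5737 / RFC 3849 documentation space). A real deployment loads
# the provider's published list and refreshes it on the provider's schedule.
EDGE_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Hypothetical shared secret that the edge configuration injects as a header
# on every request it forwards; the origin rejects requests that lack it even
# when they arrive from an allowed range.
EDGE_SECRET_HEADER = "X-Edge-Auth"
EDGE_SECRET_VALUE = "constructed-example-secret"


def from_edge_network(peer_ip: str) -> bool:
    """True when the TCP peer address lies inside an edge network range.

    peer_ip must be the address of the connecting socket, never a value taken
    from X-Forwarded-For or similar headers, which any client can forge.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in EDGE_CIDRS)


def admit_request(peer_ip: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Origin-side admission check: accept only traffic relayed by the edge.

    Returns (admitted, reason). Both tests must pass: the network check stops
    direct connections from the Internet, and the header check catches traffic
    that reaches an allowed range by some other route, since the edge ranges
    are shared by every customer of the same provider.
    """
    if not from_edge_network(peer_ip):
        return False, "peer address not in edge network ranges"
    presented = headers.get(EDGE_SECRET_HEADER, "")
    # Constant-time comparison so the check does not leak the secret's prefix.
    if not hmac.compare_digest(presented, EDGE_SECRET_VALUE):
        return False, "missing or invalid edge authentication header"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one relayed request and one direct probe of the origin.
    print(admit_request("203.0.113.10", {EDGE_SECRET_HEADER: EDGE_SECRET_VALUE}))
    print(admit_request("192.0.2.44", {EDGE_SECRET_HEADER: EDGE_SECRET_VALUE}))
```

In practice the network check belongs in the host or cloud firewall so that rejected packets never reach the web server, with the header check kept in the application tier as a second layer; the example keeps both in one place only to show the two conditions side by side.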
Second, an edge network can reduce the risk from DDoS attacks through its routing logic. For example, edge routing rules can be configured to deflect http/s requests from high-risk regions like China and South East Asia by either dropping them altogether or redirecting them to a secondary site safely away from your primary site. For organizations with a truly global audience, edge routing rules can also direct http/s requests to geo-specific versions of your site hosted at different origins. In this way, there is a better chance that a DDoS attack will be defused, as http/s requests are either dispersed across multiple origins or localized to a single region, depending on the source(s) of the attack. Figure F [9] shows where DDoS attacks originated in Q4 2012. It should be noted that this distribution can change month by month as new botnets – the engines for DDoS attacks – are brought online in different regions at different times. For example, a recent exploit aimed at hosting providers in the US and Canada saw a surge in DDoS attacks from North America last quarter, while India and Russia – historically high-threat regions – saw a significant drop in activity.
Third, the robustness of edge network services makes them an ideal anti-DDoS weapon against application-layer attacks. For example, Akamai’s global edge network is composed of more than 120,000 servers across 1,100 networks globally and is capable of handling almost a third of all Internet traffic. By effectively leveraging this scalability, you can shield your site from even the largest http/s-type DDoS attacks or surges in legitimate web traffic.
Leveraging the immense scalability of edge network services against application-layer DDoS attacks requires intelligently caching as much of your web content as possible on the edge network. For the vast majority of sites, a large portion of their web “objects” (html files, javascript files, media files, etc.) are cacheable on the edge network. In fact, many dynamically created web objects are also cacheable. With proper tuning, Carbon60 often sees edge offload rates (i.e. the percentage of total web requests served from the edge) above 80%. If the benefits of this edge caching were distributed evenly across a website then, all things being equal, an 80% offload rate would translate into a five-fold increase in the number of concurrent http/s requests a website could handle without any increase in response time. A five-fold improvement in scalability goes a long way toward fending off application-level DDoS attacks [10]. However, real-world performance is often far better.
If there is a flood of valid http/s requests aimed at a URL where all its constituent objects are cacheable – which is often the case – then the attack, regardless of size, will break against the edge network. Of course, the opposite is also true. A DDoS attack targeted at a highly transactional page lets the weight of the attack fall more directly on the more vulnerable hosting origin. As a result, you need more than edge network services to fend off the most targeted, most skilled attacks [11].
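The two preceding paragraphs (and footnote 10) reduce to one relationship: at offload rate o, the origin sees only (1 - o) of the traffic, so the site can absorb 1 / (1 - o) times as many requests for the same origin load. The Python example below, added here and not part of the article, computes that from a constructed edge access-log sample and, because offload is rarely even across a site, also reports it per URL so that the fully transactional paths an attack would fall on stand out. The log format and the HIT/MISS/PASS status vocabulary are assumptions for this example, not a real provider's log layout.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed edge access-log sample: "<method> <path> <cache status>".
# The status vocabulary is assumed for this example: HIT was answered by the
# edge cache; MISS and PASS (uncacheable) were forwarded to the origin.
SAMPLE_EDGE_LOG: List[str] = (
    ["GET /index.html HIT"] * 9 + ["GET /index.html MISS"]
    + ["GET /js/app.js HIT"] * 11
    + ["POST /checkout PASS"] * 4
)

EDGE_SERVED = {"HIT"}

Record = Tuple[str, str, bool]  # (method, path, served_at_edge)


def parse_edge_log(lines: List[str]) -> List[Record]:
    """Return one record per well-formed line; malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # a real pipeline would count these rather than drop them
        method, path, status = parts
        records.append((method, path, status.upper() in EDGE_SERVED))
    return records


def offload_rate(records: List[Record]) -> float:
    """Edge-served requests as a fraction of all requests (0.0 if empty)."""
    if not records:
        return 0.0
    return sum(1 for _, _, edge in records if edge) / len(records)


def offload_by_path(records: List[Record]) -> Dict[str, float]:
    """Per-URL offload. A path at 0.0 passes every request to the origin,
    which is exactly the kind of page a targeted attack is aimed at."""
    by_path: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        by_path[rec[1]].append(rec)
    return {path: offload_rate(recs) for path, recs in by_path.items()}


def origin_capacity_multiplier(offload: float) -> float:
    """How many times more concurrent requests the site can absorb for the
    same origin load: 1 / (1 - offload). 80% offload gives 5x; full offload
    leaves the origin untouched, represented here as infinity."""
    if not 0.0 <= offload <= 1.0:
        raise ValueError("offload must be between 0 and 1")
    if offload == 1.0:
        return float("inf")
    return 1.0 / (1.0 - offload)


def origin_load_rps(total_rps: float, offload: float) -> float:
    """Requests per second that actually reach the origin at a given offload,
    the converse view from footnote 10: the origin carries (1 - offload) of
    what it would carry without the edge."""
    return total_rps * (1.0 - offload)


if __name__ == "__main__":
    recs = parse_edge_log(SAMPLE_EDGE_LOG)
    overall = offload_rate(recs)
    per_path = offload_by_path(recs)
    print("overall offload:", overall)
    print("per path:", per_path)
    print("capacity multiplier:", origin_capacity_multiplier(overall))
    # A 10,000 rps flood spread across the site vs. aimed only at /checkout.
    print("origin load, site-wide flood:", origin_load_rps(10_000, overall))
    print("origin load, /checkout flood:",
          origin_load_rps(10_000, per_path["/checkout"]))
```

The per-path view is the useful output for defence planning: the site-wide figure of 80% hides that the constructed /checkout path offloads nothing, so a flood aimed there reaches the origin in full, which is the case the next paragraph addresses with distributed origins.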
The strength of edge network services against DDoS attacks is the result of their highly distributed nature. To further strengthen your defences against application-layer DDoS attacks and to limit the collateral damage from DDoS attacks against others, you must also distribute your origins. The best way to do this is through a multi-origin cloud hosting solution that works in combination with your edge routing and caching services. This is for a couple of reasons. First, scalability is intrinsic to cloud computing. A cloud hosting provider can scale your compute capacity by adding more computing power to existing virtual machines, or by adding more virtual machines to existing web, application, or database clusters, to compensate quickly for surges in traffic during an http/s-type DDoS attack. Better yet, you only pay for this reserve computing power while you need it.
Second, hosting your site from only a single origin makes it vulnerable to any service-impacting event at that origin. This includes DDoS attacks against other sites sharing the same cloud compute, storage, or network infrastructure. While it is always advisable to host in a good neighborhood, i.e. away from high-risk sites, it is better to geographically distribute the hosting of your site. This can be done by using an edge network’s routing logic to balance traffic between multiple origins and to automatically redirect traffic away from an unavailable origin. This works particularly well when inbound requests are routed according to their geographic source to multiple hosting origins within the corresponding region.
Another approach is to use the edge network itself as a standby origin by leveraging the edge network’s own storage service to host a static, “DDoS-proof” version of your website. While not capable of serving dynamic content or processing orders, this solution at least maintains your web presence and permits emergency updates to keep customers informed. In general, the cost of multi-origin hosting solutions has fallen dramatically in recent years, and the supporting technologies for distributed computing have improved to support a broader range of applications. While it is beyond the scope of this article, it is worth investigating these technologies when assessing your next web application framework.
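The routing behaviour described across the last three paragraphs and in the second point above (per-region drop or divert rules, geo-affinity to regional origins, failover away from an unavailable origin, and the static standby copy as a last resort) can be expressed as a single decision procedure. The Python example below is added here as an illustration and is not the article's or any edge provider's routing engine; the origin topology, the region codes and the policy table are constructed placeholders, and a real edge configuration would express the same rules in the provider's own rule language.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class Origin:
    name: str
    region: str            # region the origin serves; "ANY" for the standby copy
    dynamic: bool = True   # False for the static copy held in edge storage
    healthy: bool = True


# Constructed topology: two cloud origins per region plus the static standby.
ORIGINS: List[Origin] = [
    Origin("na-east", "NA"),
    Origin("na-west", "NA"),
    Origin("eu-central", "EU"),
    Origin("eu-west", "EU"),
    Origin("static-standby", "ANY", dynamic=False),
]

# Constructed per-region policy with placeholder region codes: "divert" sends
# the request to the static standby away from the primary origins; "drop"
# refuses it at the edge. Regions not listed are routed normally.
REGION_POLICY: Dict[str, str] = {"XX": "divert", "YY": "drop"}


class Router:
    """Edge routing logic: regional affinity with round-robin across the
    healthy origins of the client's region, spill to any healthy region,
    and finally the static copy when no dynamic origin is available."""

    def __init__(self, origins: List[Origin]):
        self.origins = [replace(o) for o in origins]  # private copies
        self.rr: Dict[str, int] = {}                  # round-robin counters

    def mark_down(self, name: str) -> None:
        """Health check result: take an origin out of rotation."""
        for o in self.origins:
            if o.name == name:
                o.healthy = False

    def _pick(self, key: str, candidates: List[Origin]) -> str:
        idx = self.rr.get(key, 0)
        self.rr[key] = idx + 1
        return candidates[idx % len(candidates)].name

    def route(self, client_region: str) -> Optional[str]:
        """Return the origin name to forward to, or None to drop the request."""
        policy = REGION_POLICY.get(client_region)
        if policy == "drop":
            return None
        if policy != "divert":
            local = [o for o in self.origins
                     if o.dynamic and o.healthy and o.region == client_region]
            if local:
                return self._pick(client_region, local)
            anywhere = [o for o in self.origins if o.dynamic and o.healthy]
            if anywhere:
                return self._pick("ANY", anywhere)
        standby = [o for o in self.origins if not o.dynamic and o.healthy]
        return standby[0].name if standby else None


if __name__ == "__main__":
    router = Router(ORIGINS)
    print([router.route("NA") for _ in range(3)])   # alternates NA origins
    router.mark_down("na-east")
    router.mark_down("na-west")
    print(router.route("NA"))                        # spills to an EU origin
    print(router.route("XX"), router.route("YY"))   # diverted / dropped
```

The ordering of the checks is the point: policy rules run before any origin lookup so that diverted regions never touch a dynamic origin, regional affinity keeps a localized attack confined to one region's origins, and the static standby is reached only after every dynamic origin has been marked unhealthy.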
In short, leveraging edge network services along with a multi-origin cloud hosting solution delivers a very robust solution to the escalating magnitude and frequency of single and multi-vector DDoS attacks. At the same time, this solution provides significant benefits related to site reliability, performance, scalability, and security that are not provided by the many dedicated DDoS filtering services on the market today. Of course, selecting a robust, DDoS-hardened hosting solution is only one aspect of an overall site security strategy. Any high-value, business-critical web property requires a comprehensive security strategy that encompasses all aspects of web development and delivery.
8 – Figure E source: Prolexic Q1 2013 Quarterly Report.
9 – Figure F source: Akamai Q4 2012 State of the Internet Report.
10 – Conversely, the same site could theoretically handle the same number of requests with a five-fold decrease in resource usage at the origin – which, of course, is how companies cost-justify their edge services.
11 – Thankfully, only a small percentage of DDoS attacks are performed by highly skilled and motivated attackers that use DDoS tools as anything more than blunt instruments. For example, Prolexic believes the largest attacks are the work of a relatively small core of veteran mercenaries and the majority of attacks are the work of “script kiddies”.