Secondhand DDoS: Why hosting providers need to take action

Unfortunately, the sheer size and scale of hosting or datacenter operator network infrastructures and their massive customer base presents an incredibly attractive attack surface due to the multiple entry points and significant aggregate bandwidth that acts as a conduit for a damaging and disruptive DDoS attack. As enterprises increasingly rely on hosted critical infrastructure or services, they are placing themselves at even greater risk from these devastating cyber threats – even as an indirect target.

What is secondhand DDoS?

The multi-tenant nature of cloud-based data centres and shared, hosted environments can be less than forgiving for unsuspecting tenants. A DDoS attack, volumetric in nature against one tenant, can lead to disastrous repercussions for others; a domino effect of latency issues, service degradation and potentially damaging and long lasting service outages.

The excessive amount of malicious traffic bombarding a single tenant during a volumetric DDoS attack can have adverse effects on other tenants as well as the overall data centre or hosting providers operation. In fact, it is becoming more common that attacks on a single tenant or service can completely choke up the shared infrastructure and bandwidth resources, resulting in the entire data centre can be taken offline or severely slowed – AKA, secondhand DDoS.

> See also: Is your organisation a tempting target for DDoS?

Black-holing or black-hole routing is a common, crude defense against DDoS attacks, which is intended to mitigate secondhand DDoS. With this approach, the cloud or hosting provider blocks all packets destined for a domain by advertising a null route for the IP address (es) under attack. There are a number of problems with utilising this approach for defending against DDoS attacks: Most notably is the situation where multiple tenants share a public IP address range.

In this case, all customers associated with the address range under attack will lose all service, regardless of whether they were a specific target of the attack. In effect, the data centre or hosting operator has finished the attacker’s job by completely DoS’ing their own customers. Furthermore, injection of null-routes is a manual process, which requires human analysts, workflow processes and approvals; increasing the time to respond to the attack, leaving all tenants of the shared environment suffering the consequences for extended periods of time, potentially hours.

The growing dependence on the Internet makes the impact of successful DDoS attacks-financial and otherwise-increasingly painful for service providers, enterprises, and government agencies. And newer, more powerful DDoS tools promise to unleash even more destructive attacks in the months and years to come.

> See also: Rethinking security for a software-defined world

Enterprises which rely on hosted infrastructure or services need to start asking the tough questions of their hosting or datacentre providers, as to how they will be properly protected when a DDoS attack strikes. As we’ve seen on numerous occasions, hosted customers are simply relying on their provider to ‘take care of the attacks’ when they occur, without fully understanding the ramifications of turning a blind eye to this type of malicious behavior.

What to do to mitigate an attack and protect the infrastructure

Here are three key steps for providers to consider to better protect their own infrastructure, and that of their customers.

Eliminate the delays incurred between the time traditional monitoring devices detects a threat, generates an alert and an operator is able to respond; reducing initial attack impact from hours to seconds by deploying appliances that both monitor and mitigate DDoS threats automatically. The mitigation solution should allow for real-time reporting alert and event integration with back-end OSS infrastructure for fast reaction times, and the clear visibility needed to understand the threat condition and proactively improve DDoS defenses.

> See also: 10 steps to mitigate a DDoS attack in real-time

Deploy the DDoS mitigation inline. If you have out-of-band devices in place to scrub traffic, deploy inline threat detection equipment quickly that can inspect, analyse and respond to DDoS threats in real-time.

Invest in a DDoS mitigation solution that is architected to never drop good traffic. Providers should avoid the risk of allowing the security equipment to become a bottleneck in delivering hosted services—always allowing legitimate traffic to pass un-interrupted, a do no harm approach to successful DDoS defense.

Enterprises rely on their providers to ensure availability and ultimately protection against DDoS attacks cyber threats. With a comprehensive first line of defense against DDoS attacks deployed, date centre and hosting providers are protecting its customers from damaging volumetric threats directed at or originating from or within its networks.

Sourced from Dave Larson, CTO at Corero Network Security

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Breach
DDoS Attack