siliconindia | May 2018

IN MY OPINION

CLOUD VS. DDOS, THE SEVEN LAYERS OF COMPLEXITY

By Nikhil Taneja, Managing Director-India, SAARC & Middle East, Radware

Established in the year 1997, Radware empowers more than ten thousand enterprise and carrier customers across the globe and has come to be known as a global leader in providing application delivery, cyber security and virtual, cloud and software data centers.

A question that I've encountered many times in the field of late is: what are the impacts of DDoS attacks on cloud compute environments? The primary benefit of cloud is that it scales elastically to meet variable demand, scaling up instantly and scaling down in seconds when demand subsides. So layman's logic might say that cloud-based services are immune to the downtime effects of DDoS attacks, though the possibility of gigantic unexpected bills is a given. After exploring the topic with several eminent cloud architects and representatives of online organizations with experience running primary services on cloud platforms such as Amazon AWS and Azure, here are the seven interlinked complexities that they chose to reflect on.

Customer experience is key

The simple fact is that most DDoS attacks do not aim to kill a service entirely but rather to significantly impair customer experience. So, without DDoS protection that can distinguish legitimate traffic from bad, it is not uncommon for DDoS attacks to go unnoticed and instead blight customer experience in cloud environments, just as they do in traditional physical data centres. A number of the points below expand on the wheres and hows of this key consideration.

DDoS infrastructure pains are different between traditional data centres and cloud

In traditional physical data centre environments, all DDoS payload targeting base infrastructure becomes a potential customer experience and economic hit against capacity assumptions. In cloud environments this pattern changes. For starters, attacks against the underlying infrastructure in front of the customer's front-end apps are generally dealt with by the cloud service provider. There are, of course, recorded outages where cloud service providers have not got things entirely right, such as the 2016 Dyn attack, but such incidents remain exceptions to the rule for now. The upshot of in-built protection is that customers do not normally feel the burn of poor user experience or the bill of DDoS attacks hitting shared internet connectivity or APIs. However, when the attack gets into the customer's personal compute domain, the pain occurs. User experience degradation is discussed below; the focus for now is on economic impacts, which can vary both within a service and between the different providers. For example, AWS does not bill you for ingress traffic into an Elastic Load Balancer; you pay only for the egress traffic. However, if the DDoS traffic is being NATed, you would be paying $0.050 per GB processed for the inbound traffic. Obviously, when a front-end web application starts to take a hit, it is only the severity of the cost that is variable.

Lift and shift of traditional data centre to cloud renders auto-scalability virtually useless to fend off DDoS attacks

If a customer takes their traditional data centre footprint into a cloud environment without transformation, then they will inevitably be lifting the majority of their previous capacity ceilings into their new cloud home. Under attack, the customer would be almost assured of hitting a limitation in licensing, an O/S threshold, a messaging queue or some other interlink between front-end and back-end applications that would cause an outage or major service degradation that no amount of horizontal auto-scaling or virtual RAM and CPU resources could mitigate. In one sense this scaling failure might protect them from the worst of a so-called Economic Denial-of-Service attack (EDoS), AKA a huge bill. Not something to applaud, of course.

Excess billing prevention is on you

The major cloud providers simply do not provide utilisation caps. It is not that doing so is contrary to revenue interests (which it is, of course), but as much that they don't want to be the party that brings their customer's house down due to their involvement in