This content is part of the Essential Guide: How to attack DDoS threats with a solid defense plan

Create a cloud DDoS protection plan

Hackers don't just steal data; they can also crash applications with spam requests and traffic. Protect your cloud against DDoS attacks by employing these tools and techniques.

Public cloud services are not immune from security threats, and some of the most pernicious attacks involve denial of service. Even when attackers can't penetrate a workload or data store in the public cloud, the attacker can reduce cloud application performance, or block the application entirely, by overwhelming the network with junk traffic or excessive requests.

While it's not possible to prevent every attack, public cloud users can take important steps to mitigate the impact of denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks. A strong cloud DDoS and DoS protection plan will keep your infrastructure from crumbling under the pressure of an attack.

What is a DoS or DDoS attack in the cloud?

DDoS attacks are often more dangerous than DoS because the flood of traffic originates from two or more IP addresses, making it harder for administrators to identify and act against them.

Every application operates within an infrastructure of network, compute and storage. Each of these individual resources is subjected to a maximum limit. For example, a network switch can only direct a certain number of packets per second. When an infrastructure receives more requests or traffic than it can handle, applications ignore – or deny service – to those excess requests.

This kind of DoS is normal behavior for any computing infrastructure. A DoS attack, however, is a deliberate attempt to invoke this behavior by intentionally overwhelming an infrastructure with excessive traffic. When successful, a DoS attack may leave an application -- even an entire computing infrastructure -- inaccessible for hours, days or even weeks.

A DoS attack typically occurs from one IP address, so it's comparatively easy to spot and stop at a firewall. DDoS attacks are often more dangerous than DoS because the flood of traffic originates from two or more IP addresses, making it harder for administrators to identify and act against them.

The effects of a DoS or DDoS attack on a cloud application are similar to the impact on a locally deployed application; performance declines, and the app may become inaccessible. Use cloud monitoring resources, such public cloud providers' monitoring or logging tools, to spot and remedy the problem.

Download this podcast

Can you prevent a distributed denial-of-service attack?

Expert Michael Cobb discusses the reality of DDoS attack prevention and best practices.

What tools can help prevent cloud DDoS or DoS attacks?

The most basic cloud DDoS and DoS protection against unwanted traffic is the traditional firewall. However, firewall management can be problematic and time-consuming -- especially for DDoS attacks. Cloud-based applications compound the problem because organizations have little to no visibility into public cloud traffic.

This has driven the development of third-party services to guard local and cloud-based applications. There are numerous tools and services for cloud DDoS protection, including those from Imperva, CloudFlare, Akamai and Verisign. These services typically work as proxies; an application's traffic is first directed to the service, which identifies and scrubs malicious traffic. The remaining clean traffic is then passed to the application.

Businesses that adopt third-party cloud DDoS or DoS protection services must consider availability and reliability; if the service goes down, the application might also become unavailable.

Google looks to SDN to prevent DoS attacks

Vendors take different measures to help protect users' data in the cloud. Google, for instance, has Andromeda, a software-defined network capable of provisioning, configuring and managing virtual networks. It aims to create a secure, high-performance and programmatic environment to host Google Compute Engine VMs.

The Andromeda architecture includes a measure of protection against DDoS attacks, while providing transparent load balancing, routing, access control lists and firewalls, all of which use the underlying Andromeda APIs and infrastructure.

How else can you prevent cloud DDoS or DoS attacks?

While there is no service or tool that guarantees absolute protection against DoS and DDoS attacks, there are application design and deployment strategies that help mitigate them -- especially when deploying workloads in a public cloud.

Take advantage of the redundancy available in a public cloud platform like Google Cloud Platform or Amazon Web Services, and deploy instances across more than one region or zone. If one zone or region is disrupted by an outage or attack, you'll have alternative instances that can still receive traffic.

Consult with software developers and cloud provider engineers to architect a cloud infrastructure that provides the resiliency you need for each particular application. Remember that all applications are not created equal, and only the most mission-critical workloads should require such resiliency.

There are also common strategies that can help detect and protect against cloud DDoS and Dos attacks. Install and maintain comprehensive antimalware tools; patch and update operating systems and applications; use authentication for API calls; and configure local or public cloud firewalls to close unused ports.

Next Steps

3 DDoS mitigation strategies for enterprise networks

Keep hackers at bay with cloud security technologies

Avoid these seven common cloud security risks

Dig Deeper on Cloud security tools