nanog mailing list archives

RE: Pros and Cons of Cloud Computing in dealing with DDoS


From: "Stefan Fouant" <sfouant () shortestpathfirst com>
Date: Thu, 5 Nov 2009 19:46:40 -0500

-----Original Message-----
From: Roland Dobbins [mailto:rdobbins () arbor net]
Sent: Thursday, November 05, 2009 4:35 PM

On Nov 6, 2009, at 2:11 AM, Stefan Fouant wrote:

Obviously the cloud is no different than any other infrastructure insofar as
implementing protection mechanisms.  Ample bandwidth (typically more so than
in the enterprise) should make it easier to absorb larger amounts of the bad
stuff.

Actually, no - the miscreants are always going to have more bandwidth
at their disposal, plus they utilize attack vectors which provide a
great deal of amplification (including at layer-7) which make
bandwidth largely irrelevant.

So if I'm hearing you correctly, you're saying that no matter how much
infrastructure you have to potentially absorb the problem, there is nothing
you can do because the bad guys are always going to have more bandwidth at
their disposal.  Man, that's a pretty bad position to be in for a vendor
whose fundamental premise is to sell boxes to deal with these sorts of
problems. ;)  I've built quite a few of these solutions now, and the designs
usually entail having enough bandwidth and other resources at your disposal
so as to be able to scrub the traffic with purpose-built mitigation
equipment.  I'd also like to point out that according to the 4th edition of
Arbor's Worldwide Infrastructure Security Report, only about 1% of all
attacks observed via ATLAS were in the 10+ Gbps range.  So while there are
certainly larger attacks exhibited in the wild, I'm pretty certain that most
of the cloud providers today have at least enough bandwidth to deal with the
other 99% of attacks, assuming they have the appropriate countermeasures in
place to scrub the traffic.  To your point however with regards to various
attack vectors, I am in agreement that this doesn't provide any tangible
benefit to those low-level attacks which require surgical mitigation to deal
with.

why they think DDoS is the single biggest threat to the cloud computing model,

Availability is the one thing which *must* be guaranteed at all costs
in order for the cloud model to work, and by definition, most cloud
infrastructure isn't going to be within the span of control of the end-
customer.  Look at all the apps/services we all use and depend upon
every day - Webmail, IM, various Web 2.0ish AJAXy things, Skype, SIP,
et al.  When these things are DDoSed either deliberately or
inadvertently, directly or indirectly (i.e., zorching authoritative
DNS a la Baofeng), lots and lots of folks end up getting hosed.

Now, expand this to your back-end line-of-business apps, your IP
PBXes, your customer databases, your ERP software, your CAM/CAM
system, your basic file/print services, and the picture becomes much
clearer.

The movement towards 'cloud' - starting with things like VPS and VPDC
and SaaS for specific applications - largely consists of end-customer
organizations jettisoning their internal data centers/WAN links/ops
staff and subscribing to these apps/services on a recurring basis,
with said apps/services either residing within a public-facing IDC or
in a multitenanted IDC made available to the end-customer via an MPLS
NGN.  It entails shutting down locally-/internally-owned-and-operated
DCs and moving into

again this is counter to a lot of evidence which points to the corollary

Which evidence is that?  [You meant 'contrary', yes?]

Yep, brainfart. ;)

- think DNS Root Servers and you'll have an idea what I'm talking about...

There's a heck of a lot of engineering which has gone into protecting
the roots - I'm sure you'll recall the high-visibility DDoS attacks
which affected multiple roots in the past.  The root operators learned
from that experience and took proactive measures to ensure that they
can continue to maintain availability in the face of constant
onslaughts.

My point exactly - similar measures can and should be done to ensure that
cloud computing models are similarly robust.

The bottom line is that it's easy to achieve perfect confidentiality
and integrity if availability is lacking, heh.  All three legs of the
classical information security triad are of import, but it's always
been my view that availability is the first among equals, which
translates into the need for robust, scalable architecture and the
willingness to devote time and resources to the operational security
art.

Paul's comment about botnets being 'cloud' services is dead-on; and of
course, miscreants using stolen credit-cards to purchase IaaS for
spamming/phishing purposes has already been seen in the wild, just as
they do so with their nonsense domains for botnet C&C.  IaaS abused to
launch DDoS won't be far behind.

This is really scary to think about... if we look at how Service Providers
typically respond to hosts on their network behaving badly, it doesn't bode
well for the Internet as a whole.

Stefan Fouant
GPG Key ID: 0xB5E3803D