What is Cloud DDoS Protection?

By | June 14, 2019

You tend not to hear about them lately, but distributed denial of service (DDoS) attacks have continued to grow in frequency and scale just as the internet itself has grown. Fortunately, your options for combatting these attacks have also increased. One of the best options takes advantage of the Cloud’s inherent distributed nature to globally protect servers from malicious traffic. This is called Cloud DDoS Protection or Cloud Anti-DDoS.

What does a modern DDoS attack look like?

DDoS stands for Distributed Denial of Service. At a basic level, a DDoS attack occurs when a distributed network of machines sends an overwhelming amount of malicious data to a target server or network, denying service by crowding out legitimate users trying to reach the server during the attack. These malicious networked machines are usually either purpose-built servers dedicated to the attacking (if the attacker has financial resources) or, more commonly, a “botnet” (a network of bots).

Botnets are comprised of compromised machines, including home devices connected to the internet. PCs, laptops, and servers make up some of these “bots,” but the majority are devices you usually wouldn’t think of, like a home-networked security camera system or a refrigerator (these and similar devices are called the Internet of Things, or IoT). Malicious code can even be hidden in web advertisements, causing your phone to participate in an attack while you play an ad-supported game. Attacking machines can be located quite literally anywhere, and all of them work together to take down the target.

How do you protect against a DDoS attack?

There are several ways to protect against an attack. The most basic is to simply discard all traffic being sent to the targeted server being targeted (“blackholing”). Both legitimate and malicious content will be lost, but at least the rest of the network won’t be clogged.

Next easiest is to have more bandwidth than the attackers can muster. If you are being attacked by 5 Gbps of malicious traffic while your users need 1 Gbps of legitimate traffic, and you have 10 Gbps available to you, then you’re in the clear. Unfortunately, that’s just not feasible for almost anyone – even Netflix has been taken down by a targeted DDoS attack before.

The next solution is to “scrub” the data. Using an algorithm, you (or more likely, your network provider) looks at the data before it reaches the targeted server. Then, the malicious traffic is discarded and only the legitimate traffic is sent on to its destination. You’re effectively out-sourcing your protection. This has many advantages – the server doesn’t even see the attack, and users won’t notice any service impacts. But you’re still limited by how much bandwidth the scrubbing center has. What if the attack is so big it overwhelms the scrubber as well?

Traffic from attackers and legitimate users is directed to a scrubbing center, which "cleans" the traffic and only allows legitimate user traffic to pass through.

Traffic from attackers and legitimate users is directed to a scrubbing center, which “cleans” the traffic and only allows legitimate user traffic to pass through. In this example, the scrubbing center can handle 50 Gbps at once.

Using Cloud DDoS Protection

As the saying goes, “If you can’t beat ‘em, join ‘em.” The botnet has a global network; you need a global network defending you. That’s where Cloud DDoS Protection (interchangeably, Cloud Anti-DDoS) comes in. Utilizing multiple global scrubbing centers, attacking traffic is scrubbed near the source, not at the destination. The attacking traffic doesn’t even get near your server.

Unlike the botnet, however, you don’t need or want an army of thousands. You want just a few concentrated, high-bandwidth nodes handling the scrubbing. Otherwise, your traffic gets held up and starts to lag. The trick is to find the right balance to stop attacks and get legitimate traffic on its way without a noticeable delay.

Not only does this solution allow for scalability, but scrubbing the data near the source prevents the rest of the network from getting congested during an attack.

Attacking traffic is directed to the nearest scrubbing center.
In this example, the attacking traffic is cleaned by the nearest scrubbing center. Even though there is 68 Gbps of traffic headed for the client, only the 8 Gbps of legitimate traffic arrive.

How Zenlayer implements Cloud DDoS Protection

Zenlayer currently has seven nodes around the world devoted to DDoS protection, which we find strikes an ideal balance between global coverage and low latency for our users. We use a proprietary system for sorting data with extremely refined rules (weighting factors such as IP location, traffic patterns, frequency, and so on). You may not know an attack is coming, and with Zenlayer Cloud DDoS Protection you won’t even know when one happens. Zenlayer utilizes this service to protect our own infrastructure, including our private backbone, and we extend this benefit to all of our customers through our products.

To learn more about Zenlayer’s Cloud DDoS Protection, visit our DDoS product page or send an inquiry to our Sales Team.

Have you implemented DDoS protection? What method(s) did you use? Has there been an attack that surprised you in its target or method? Let us know in the comments!