Bare Metal Cloud
Dedicated bare metal servers on demand
Edge Data Center Services
Global colocation and managed hosting
Instant global networks
Optimized connections worldwide
Global Intelligent Accelerator
Accelerate dynamic content worldwide
Content Delivery Network
Deliver content with ultra-low latency
Cloud Service Providers
You tend not to hear about them lately, but distributed denial of service (DDoS) attacks have continued to grow in frequency and scale just as the internet itself has grown. Fortunately, your options for combatting these attacks have also increased. One of the best options takes advantage of the Cloud’s inherent distributed nature to globally protect servers from malicious traffic. This is called Cloud DDoS Protection or Cloud Anti-DDoS.
DDoS stands for Distributed Denial of Service. At a basic level, a DDoS attack occurs when a distributed network of machines sends an overwhelming amount of malicious data to a target server or network, denying service by crowding out legitimate users trying to reach the server during the attack. These malicious networked machines are usually either purpose-built servers dedicated to the attacking (if the attacker has financial resources) or, more commonly, a “botnet” (a network of bots).
Botnets are comprised of compromised machines, including home devices connected to the internet. PCs, laptops, and servers make up some of these “bots,” but the majority are devices you usually wouldn’t think of, like a home-networked security camera system or a refrigerator (these and similar devices are called the Internet of Things, or IoT). Malicious code can even be hidden in web advertisements, causing your phone to participate in an attack while you play an ad-supported game. Attacking machines can be located quite literally anywhere, and all of them work together to take down the target.
There are several ways to protect against an attack. The most basic is to simply discard all traffic being sent to the targeted server being targeted (“blackholing”). Both legitimate and malicious content will be lost, but at least the rest of the network won’t be clogged.
Next easiest is to have more bandwidth than the attackers can muster. If you are being attacked by 5 Gbps of malicious traffic while your users need 1 Gbps of legitimate traffic, and you have 10 Gbps available to you, then you’re in the clear. Unfortunately, that’s just not feasible for almost anyone – even Netflix has been taken down by a targeted DDoS attack before.
The next solution is to “scrub” the data. Using an algorithm, you (or more likely, your network provider) looks at the data before it reaches the targeted server. Then, the malicious traffic is discarded and only the legitimate traffic is sent on to its destination. You’re effectively out-sourcing your protection. This has many advantages – the server doesn’t even see the attack, and users won’t notice any service impacts. But you’re still limited by how much bandwidth the scrubbing center has. What if the attack is so big it overwhelms the scrubber as well?
As the saying goes, “If you can’t beat ‘em, join ‘em.” The botnet has a global network; you need a global network defending you. That’s where Cloud DDoS Protection (interchangeably, Cloud Anti-DDoS) comes in. Utilizing multiple global scrubbing centers, attacking traffic is scrubbed near the source, not at the destination. The attacking traffic doesn’t even get near your server.
Unlike the botnet, however, you don’t need or want an army of thousands. You want just a few concentrated, high-bandwidth nodes handling the scrubbing. Otherwise, your traffic gets held up and starts to lag. The trick is to find the right balance to stop attacks and get legitimate traffic on its way without a noticeable delay.
Not only does this solution allow for scalability, but scrubbing the data near the source prevents the rest of the network from getting congested during an attack.
Zenlayer currently has seven nodes around the world devoted to DDoS protection, which we find strikes an ideal balance between global coverage and low latency for our users. We use a proprietary system for sorting data with extremely refined rules (weighting factors such as IP location, traffic patterns, frequency, and so on). You may not know an attack is coming, and with Zenlayer Cloud DDoS Protection you won’t even know when one happens. Zenlayer utilizes this service to protect our own infrastructure, including our private backbone, and we extend this benefit to all of our customers through our products.
Have you implemented DDoS protection? What method(s) did you use? Has there been an attack that surprised you in its target or method? Let us know in the comments!