Many companies and service providers have based much of their DDoS protection and mitigation efforts on the apparent benefits that a significant amount of cloud capacity can provide. In fact, the marketing of some providers’ DDoS mitigation services relies almost entirely on the halo effect that the mystical word “cloud” can have on clients.
But is the cloud a magic bullet that can be used against the DDoS (Distributed Denial of Service) attacks that have become a major issue for businesses and other institutions?
Why The Cloud Matters
In simple terms, most DDoS attacks take down websites and servers by overwhelming the machines’ capacity to deal with requests for data. In the majority of cases, the attacks involve a massive influx of traffic to the servers in an attempt to saturate the machines’ available bandwidth or resources.
One traditional way that service providers deliver DDoS protection and mitigation in the face of massive traffic surges is by increasing the amount of bandwidth that’s available so that websites can handle the burden of a DDoS without losing the ability to serve legitimate visitors. Another traditional method is to reinforce firewalls and use load balancers to send some of the traffic to other local machines where it can be inspected and scrubbed.
Those approaches are useful in some cases, less efficient in others – but they’re expensive. Bandwidth and servers are much cheaper than they used to be, but using the cloud to add capacity is seen by many providers as the most cost-effective solution. Cloud solutions virtually eliminate the need to continually add hardware and infrastructure (and maintain it), while adding the ability to “absorb” large amounts of malicious traffic. They also allow providers to make instant DNS or routing changes in the battle against DDoS attacks.
Is The Cloud The Answer?
It would be impossible to argue with the underlying logic. It’s obviously less expensive to add cloud capacity than physical server capacity in order to have “weapons” to fight DDoS hackers. It also makes sense to move problem traffic to locations far away from a company’s or provider’s infrastructure. In short, cloud capacity is a welcome addition to most DDoS protection or mitigation strategies. That doesn’t mean, however, that the cloud is “the answer.”
The ability to utilize the cloud in DDoS mitigation is simply one arrow in the quiver; it’s a great resource, but it isn’t a substitute for proper planning and execution of a DDoS protection plan. The correct use of firewalls and load distribution, the proper configuration of servers to block potentially vulnerable services that aren’t being used, the detection of problem packets, and the quick timing out of unfinished requests are just some of the locally based steps that must be taken whether or not the cloud is being used to handle large volumes of problematic traffic.
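To make one of those local steps concrete, here is an added example (not from the original article) of how a server-side sweep might time out unfinished requests. The connection record, the thresholds, and the per-client cap are all assumptions chosen for illustration, and the sample table is constructed.

```python
from dataclasses import dataclass

# All thresholds below are assumed values for illustration, not recommendations.
HEADER_DEADLINE_S = 10.0   # max seconds allowed to deliver complete request headers
GRACE_S = 2.0              # no data-rate check before a connection is this old
MIN_RATE_BPS = 50.0        # minimum average bytes/second once past the grace period
MAX_PENDING_PER_IP = 3     # cap on concurrent unfinished requests per client

@dataclass
class Conn:
    conn_id: int
    client_ip: str
    opened_at: float        # seconds on a monotonic clock
    bytes_received: int
    headers_complete: bool

def reap(conns, now):
    """Return {conn_id: reason} for unfinished requests that should be closed."""
    verdicts, pending_by_ip = {}, {}
    for c in sorted(conns, key=lambda c: c.opened_at):
        if c.headers_complete:
            continue                      # finished requests are not our concern here
        age = now - c.opened_at
        if age > HEADER_DEADLINE_S:
            verdicts[c.conn_id] = "header deadline exceeded"
        elif age > GRACE_S and c.bytes_received / age < MIN_RATE_BPS:
            verdicts[c.conn_id] = "below minimum data rate"
        else:
            # Still within limits: count it against the per-client cap.
            pending_by_ip[c.client_ip] = pending_by_ip.get(c.client_ip, 0) + 1
            if pending_by_ip[c.client_ip] > MAX_PENDING_PER_IP:
                verdicts[c.conn_id] = "too many pending requests from client"
    return verdicts

# Constructed sample connection table (documentation-range addresses), now = 12.0
SAMPLE = [
    Conn(1, "198.51.100.7", 0.0, 40, False),    # 12 s old, headers never finished
    Conn(2, "198.51.100.7", 7.0, 60, False),    # 5 s old at 12 B/s: trickling
    Conn(3, "203.0.113.9", 11.0, 300, False),   # 1 s old: normal request in flight
    Conn(4, "203.0.113.9", 4.0, 900, True),     # headers complete: left alone
    Conn(5, "192.0.2.4", 11.0, 10, False),
    Conn(6, "192.0.2.4", 11.1, 10, False),
    Conn(7, "192.0.2.4", 11.2, 10, False),
    Conn(8, "192.0.2.4", 11.3, 10, False),      # fourth pending request from one IP
]

if __name__ == "__main__":
    for conn_id, reason in sorted(reap(SAMPLE, now=12.0).items()):
        print(conn_id, reason)
```

The same three checks exist as tunable settings in most web servers and load balancers, so a sweep like this is usually a matter of configuration rather than custom code.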
Even more important to the equation is knowledge. Savvy IT professionals who understand the ins and outs of DDoS attacks can design proper monitoring, filtering and quarantine systems which are the backbone of any successful DDoS protection scheme.
In conclusion, the cloud can be a valuable tool, but it isn’t the answer. The answer is using the cloud correctly as just one element of a DDoS mitigation program.